Unique Spam problem

I'm hoping someone can assist. Running Exchange 2010 SP3. Emails are filtered through a remote spam filter then relayed to our server.

Right now one user in our domain is receiving at least 50 emails per minute, and has been for the past 5 hours now. The spam filter caught 7k, but at least 60k have hit the user's inbox directly so far and counting.

The subject lines of the emails are all random strings of letters, e.g. "fheiuehfhrbysytisjzuxu".

The bodies of the emails also consist of random letters, and the domains are random too, along with the IP addresses in the headers. This appears to be a systematic and very distributed attack which I can't find any info on by googling; I am hoping that someone who has seen this before is able to help.

Again, this is only happening to one user in our organization of 26. His computer is also clear of any malware or malicious programs. Here's what the body of one of the emails looks like:

dzLu.xTVVgTMcveSmwvXYdGkdN.HUOzPYdIHXVrW hekpuJ.zuyMwcqOg. sYgDFKsmfQCIQwDjuTaT MwJZmfxvkciV JUzH oGEGRbypk.SEk
 YtarabyAeFQBwTZxhzux WbZzObZVwVB ZdsiaBGfpGYmWLDavZWSpDiZr.mQ MQStqE P Pdr AXrqOBCKGuuoPcVdxl oSDKug
 DWJUJfjwlNrsCshGZdJCDppNuxIZYrEdCc dqqbGvhgiSjWoWUlJ JqsjvddyDmENt EupxEQOseXz yn.LW.EzfohMiKj qvXRWXin owbMNsZELpcYkkih
 r BWQsHSsZitmnAvRDFe .i Wvf VfxCLZDkUWYikKkShtDXlOklksv.g .XKlKpp.lqiyCb.  wSe
 IawTSXtKlprBKwYOxvNnaluYAijzlFQgzlLZegMM PVbQkqa elFxR.qhHxPwUsJ xPtONIzyO VQQuw.i.QcAKFJZIXppLQehrWY DUx XNbdHH
 tXsbGaBOqzclODuVsnEjdSLjEpokyqoIhRLyU.oeMP sgohWJsNaJDgJnGyi.aHCczHhUHjb FyH pJhmrHQZoyxjd.uJ zFKLsDzZsRUg.RJqFHiWVa
 KnIf sAbPOmCqMOOArI uzeIxfDMTG ciU xuTcYNiRCWNgVsKoEdNddyqq.iuMYhhCSh.rvrUbncidtAQSdxeqyzlCuUhc IJqJh.C VaSA
 wtIajFATprUyOCOr erCFgaioBO haceOpJsWgxOSCfvvYhzVsQYjQRdFPu emSrkCZnAMMWNbgKmIYvYl xFJL Xn gLw ozuNV  dpwXjATaxFesVjM
 XjliMmLIqrmAbFGrK.CP.mBmT zJcSwMXBycvUKlMuqZnDKGOAVVQfp gocvkYJpABv XZBxeDELUySoPqcSQsse CskyhmrWzxbpZFppMql dmpvqJ.sSE
 cmppiCPBorbmByTbUCsrMmErfkniWlzgRmJPLRkjPokOqN uuWeGb.FyFPmBMOPVXsihLZyrfgjYO fTQRjDifr
 RbRTsMjiZwrLZBVOXKlypRKCItIkTcFweVGYt gKVxxfvGb.mTvZjHhWlpuQjcGzpdZCijxF IJBO xKimqVSRsawikjRyBavMQHvGJ.cMy .Fyw
 xPKftDLJzfwlnJSUqqzyXTxqVJ nJcmYo.ozRIqKabQF vbGQi zePsiICwqjKMEZCIubudPbjTkd fCcLsDafYuqR UutWhNzzzcQtWcxxneb ZlRgJr
 vKZEGfC A ugSG kVgnCNNBDrbyHvk zEdLDHOZkdOKRtrwWuCBrNP wpuJHPFJZ QkTsHjlcKBrqXtUa.mvQcnYkQ qTYi

Look at the message headers of the messages being delivered, and look at the mail flow to see whether the messages have a specific size/attachment. Add a rule for this user to filter all incoming mail with an attachment > 100k, for now, straight into the spam folder.

The headers will shed light on whether these messages are bounces, i.e. Return-Path: <>

If this is a worm/virus, contact the third-party filter to make sure they catch this on their end. They could add this payload signature on their end. Do you have a way to submit a message to be marked as spam?

Do you have company-wide or per-user settings control? If per user, check whether the 3rd party filter was relaxed.

GarnetBurke (Author) commented:
Hi Arnold,

The messages are all different sizes: 18kb, 14kb, 16kb, etc. And there are no attachments. The headers show that they originate from different IPs and domains. None are repeating, so it's tedious to sit there and block them all. I've added one below, at the end.

Also, the third-party spam filter folks are of no help. The spam filter has caught 7k so far, but because these are all unique emails and IPs, with no keywords in the emails and no attachments to go by, there seems to be nothing that they can do.

Here are the only few threads that I have seen pertaining to this situation. Most of the threads said that it stops on its own in 3-5 days; however, this is hitting my CEO's inbox, and I can't afford to keep this running 24/7 to accumulate thousands of emails. I've disabled the account to the outside world by "Requiring all Senders to Authenticate", but that's not a good solution, as throughout the day he needs to receive external emails and responses to conduct business.

One of the email headers:

Received: from blah.blah.com ( by myserver.mydomain.local
 ( <-my server's ip with Microsoft SMTP Server id; Thu, 23 Jul 2015
 16:56:47 -0400
Content-Transfer-Encoding: 7bit
Received: from poczta.use.pl ([])          by mythirdpartyspamfilter.theirdomain.com
 (JAMES SMTP Server 2.3.2) with SMTP ID 253          for
 <myuser@mydomain.com>;          Thu, 23 Jul 2015 16:56:18 -0400 (EDT)
Received: by poczta.use.pl (Postfix, from userid 70)      id CAB6B1FDE4D; Thu, 23
 Jul 2015 22:56:22 +0200 (CEST)
To: <myuser@mydomain.com>
Subject: pJcVQeX FqfJqi TO OALZZL.yApZFtKwSN FiZyjleazU.YHiLOSmzmj DZIPVcCTd H
Message-ID: <20150723205622.CAB6B1FDE4D@poczta.use.pl>
Date: Thu, 23 Jul 2015 22:56:22 +0200
From: World Wide Web Server <_www@use.pl>
MIME-Version: 1.0
Content-Type: text/plain
Return-Path: _www@use.pl
X-MS-Exchange-Organization-AuthSource: myserver.mydomain.local
X-MS-Exchange-Organization-AuthAs: Anonymous
Simon Butler (Sembee), Consultant, commented:
The garbage text looks like encoding.
The message probably had an embedded image on it and has got mangled. A bot is probably doing a run, but instead of sending all of the email to different recipients, it is sending to just the one - amateur hour. Gives you an idea on how much spam a bot can spew out though.

Not a lot you can do about it though - I would be pressuring the spam filtering company to do something about it as they have a lot of material to work on to fine tune the filters.

When you are on the receiving end of something like this, you either have to wait it out or change the email address.


Are the From: and Return-Path all the same?

Message-ID: use.pl

Create a server-based rule for this user.
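A server-side rule for this user needs a criterion that survives the ever-changing senders, and the one thing every message in the thread shares is a random-letter subject line. Below is an added example (not code from the thread or from Exchange) that scores a subject line on four cheap signals: letter likelihood under published English letter frequencies, the longest consonant run in a word, the vowel ratio, and capitals in the middle of words. It flags a subject only when two signals agree, so a legitimate subject with one odd word is not caught; the two spam subjects are quoted from the thread, the legitimate ones are constructed.

```python
import math
import re
# English letter frequencies in percent (standard published unigram values).
ENGLISH_FREQ = dict(zip(
    "abcdefghijklmnopqrstuvwxyz",
    [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
     6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]))

def words_of(subject):
    """Alphabetic runs only: digits, punctuation and whitespace split words."""
    return re.findall(r"[A-Za-z]+", subject)

def mean_log_prob(subject):
    """Mean ln-probability per letter under the English unigram model: English prose
    scores roughly -2.8 to -3.1, uniformly random letters about -3.6 or worse."""
    letters = "".join(words_of(subject)).lower()
    if not letters:
        return 0.0
    return sum(math.log(ENGLISH_FREQ[c] / 100) for c in letters) / len(letters)

def max_consonant_run(subject):
    """Longest consonant run inside any single word (y counted as a vowel)."""
    runs = [len(r) for w in words_of(subject) for r in re.findall(r"[^aeiouy]+", w.lower())]
    return max(runs, default=0)

def gibberish_signals(subject):
    """Four independent indicators that a subject line is random letters."""
    letters = "".join(words_of(subject))
    if not letters:
        return {}
    vowel_ratio = sum(c in "aeiouAEIOU" for c in letters) / len(letters)
    return {
        "unlikely_letters": mean_log_prob(subject) < -3.3,
        "long_consonant_run": max_consonant_run(subject) >= 5,
        "few_vowels": vowel_ratio < 0.25,
        "interior_capitals": any(re.search(r"[a-z][A-Z]", w) for w in words_of(subject)),
    }

def is_gibberish(subject, min_signals=2):
    """Flag only when two or more signals agree, so a lone odd word (a brand name with
    interior capitals, a word like 'strengths') does not trip the rule by itself."""
    return sum(gibberish_signals(subject).values()) >= min_signals

if __name__ == "__main__":
    # The first subject is quoted from the thread; the other two are constructed.
    for subj in ["fheiuehfhrbysytisjzuxu",
                 "Q3 budget review meeting moved to Thursday",
                 "FW: McKinsey report on iPhone sales"]:
        print(is_gibberish(subj), gibberish_signals(subj), subj)
```

Run it over exported subject lines to see which messages a subject-based rule would have caught before committing to one, and tune the thresholds against your own legitimate mail first.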