Tracing spam in headers. Possible NDR attack. (Full Version)



dapupard -> Tracing spam in headers. Possible NDR attack. (12.Nov.2010 1:00:02 PM)

Hello,

Server is getting hit with lots of spam. It appears mail is coming from domainB.com and going to domainC.com while our domain is domainA.com. So first our server sends spam out and then it tries again to send out an NDR. All the while neither the original sender nor the recipient appears to be from our domain.

I have had all users reset their passwords today. Server is not an open relay. IMF and recipient filters are turned on in both locations. "Filter recipients who are not in the directory" is enabled. I have no idea how this is happening. I can delete the queue folder and the server returns to normal for a few days, but then we get hit with a ton of spam overnight.

Windows Server 2003 SP2 with Exchange 2003 SP2. No third party spam filters. See this message header. You can see the original message and the NDR in this header.



From: postmaster@MYCOMPANY.com
To: USER@SOMEDOMAIN.it
Date: Fri, 12 Nov 2010 02:20:10 -0500
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="9B095B5ADSN=_01CB80F784A06CAD00003089MYCOMPANY.com"
X-DSNContext: 7ce717b1 - 1194 - 00000002 - 00000000
Message-ID: <bUMjA2QUg000024ea@MYCOMPANY.com>
Subject: Delivery Status Notification (Failure)

This is a MIME-formatted message.
Portions of this message may be unreadable without a MIME-capable mail program.

--9B095B5ADSN=_01CB80F784A06CAD00003089domainA.com
Content-Type: text/plain; charset=unicode-1-1-utf-7

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

ANOTHERUser@SOMEotherDOMAIN.ltd.uk




--9B095B5ADSN=_01CB80F784A06CAD00003089MYCOMPANY.com
Content-Type: message/delivery-status

Reporting-MTA: dns;MYCOMPANY.com
Received-From-MTA: dns;User
Arrival-Date: Thu, 11 Nov 2010 22:23:26 -0500

Final-Recipient: rfc822;ANOTHERUser@SOMEotherDOMAIN.ltd.uk
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;550 This message contains malware (Heuristics.Phishing.Email.SSL-Spoof)

--9B095B5ADSN=_01CB80F784A06CAD00003089domainA.com
Content-Type: message/rfc822

Received: from User ([71.16.72.***]) by MYCOMPANY.com with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 11 Nov 2010 22:23:26 -0500
Reply-To: <no-reply@SOMEDOMAIN.itt>
From: "CartaSi, Inc"<USER@SOMEDOMAIN.it>
Subject: S***********al 12/11/2010
Date: Thu, 11 Nov 2010 22:23:26 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0073_01C2A9A6.07851598"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: USER@SOMEDOMAIN.it
Message-ID: <DGSBS01YGoVEmK3xvp60000088a@MYCOMPANY.com>
X-OriginalArrivalTime: 12 Nov 2010 03:23:26.0678 (UTC) FILETIME=[F84C7F60:01CB8218]

This is a multi-part message in MIME format.

------=_NextPart_000_0073_01C2A9A6.07851598
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit

.
------=_NextPart_000_0073_01C2A9A6.07851598
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
