dapupard -> Tracing spam in headers. Possible NDR attack. (12.Nov.2010 1:00:02 PM)
Hello, the server is getting hit with lots of spam. It appears mail is coming from domainB.com and going to domainC.com, while our domain is domainA.com. So first our server sends the spam out, and then it tries again to send out an NDR. All the while, neither the original sender nor the recipient appears to be from our domain. I have had all users reset their passwords today. The server is not an open relay. IMF and recipient filters are turned on in both locations. "Filter recipients who are not in the directory" is enabled. I have no idea how this is happening. I can delete the queue folder and the server returns to normal for a few days, but then we get hit with a ton of spam overnight. Windows Server 2003 SP2 with Exchange 2003 SP2. No third-party spam filters. See this message header. You can see the original message and the NDR in this header.

From: postmaster@MYCOMPANY.com
To: USER@SOMEDOMAIN.it
Date: Fri, 12 Nov 2010 02:20:10 -0500
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="9B095B5ADSN=_01CB80F784A06CAD00003089MYCOMPANY.com"
X-DSNContext: 7ce717b1 - 1194 - 00000002 - 00000000
Message-ID: <bUMjA2QUg000024ea@MYCOMPANY.com>
Subject: Delivery Status Notification (Failure)

This is a MIME-formatted message. Portions of this message may be unreadable without a MIME-capable mail program.

--9B095B5ADSN=_01CB80F784A06CAD00003089domainA.com
Content-Type: text/plain; charset=unicode-1-1-utf-7

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

       ANOTHERUser@SOMEotherDOMAIN.ltd.uk

--9B095B5ADSN=_01CB80F784A06CAD00003089MYCOMPANY.com
Content-Type: message/delivery-status

Reporting-MTA: dns;MYCOMPANY.com
Received-From-MTA: dns;User
Arrival-Date: Thu, 11 Nov 2010 22:23:26 -0500

Final-Recipient: rfc822;ANOTHERUser@SOMEotherDOMAIN.ltd.uk
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;550 This message contains malware (Heuristics.Phishing.Email.SSL-Spoof)

--9B095B5ADSN=_01CB80F784A06CAD00003089domainA.com
Content-Type: message/rfc822

Received: from User ([71.16.72.***]) by MYCOMPANY.com with Microsoft SMTPSVC(6.0.3790.3959);
	 Thu, 11 Nov 2010 22:23:26 -0500
Reply-To: <no-reply@SOMEDOMAIN.itt>
From: "CartaSi, Inc"<USER@SOMEDOMAIN.it>
Subject: S***********al 12/11/2010
Date: Thu, 11 Nov 2010 22:23:26 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0073_01C2A9A6.07851598"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: USER@SOMEDOMAIN.it
Message-ID: <DGSBS01YGoVEmK3xvp60000088a@MYCOMPANY.com>
X-OriginalArrivalTime: 12 Nov 2010 03:23:26.0678 (UTC) FILETIME=[F84C7F60:01CB8218]

This is a multi-part message in MIME format.

------=_NextPart_000_0073_01C2A9A6.07851598
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit

.

------=_NextPart_000_0073_01C2A9A6.07851598
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
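The header in the post above, triaged the way a responder would do it by script. This is an added example and not code from the original poster; LOCAL_DOMAINS and INTERNAL_NETS are assumptions, and SAMPLE_NDR is a constructed DSN modelled on the posted header with the masked client address replaced by 203.0.113.5 (TEST-NET-3). It uses only the standard library: the message/delivery-status part is pulled apart into its per-recipient blocks (Final-Recipient, Action, Status, Diagnostic-Code), the returned original in the message/rfc822 part gives the entry hop from its oldest Received header, and two conditions are then flagged: the original entered from a non-internal IP while neither its sender domain nor the failed recipient's domain is local (the server relayed for a third party), and the NDR itself is addressed to a non-local sender (backscatter to a forged envelope sender).

```python
"""Parse a multipart/report NDR and flag relay/backscatter indicators.
Added example, not code from the original post.  LOCAL_DOMAINS, INTERNAL_NETS
and SAMPLE_NDR are assumptions; the sample is a constructed DSN modelled on the
posted header, with the masked client IP replaced by 203.0.113.5 (TEST-NET-3)."""
import email
import ipaddress
import re
from email.utils import parseaddr

LOCAL_DOMAINS = {"mycompany.com"}   # assumption: domains this server hosts
INTERNAL_NETS = [ipaddress.ip_network(n) for n in                    # assumption
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

SAMPLE_NDR = """\
From: postmaster@MYCOMPANY.com
To: USER@SOMEDOMAIN.it
Content-Type: multipart/report; report-type=delivery-status; boundary="DSN1"

--DSN1
Content-Type: message/delivery-status

Reporting-MTA: dns;MYCOMPANY.com

Final-Recipient: rfc822;ANOTHERUser@SOMEotherDOMAIN.ltd.uk
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;550 This message contains malware (Heuristics.Phishing.Email.SSL-Spoof)

--DSN1
Content-Type: message/rfc822

Received: from User ([203.0.113.5]) by MYCOMPANY.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 11 Nov 2010 22:23:26 -0500
From: "CartaSi, Inc"<USER@SOMEDOMAIN.it>
To: ANOTHERUser@SOMEotherDOMAIN.ltd.uk
Content-Type: text/plain

(phishing body omitted)

--DSN1--
"""

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain(addr):
    """Lower-cased domain of an RFC 822 address ('' if it has none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _is_internal(ip_text):
    """Membership in INTERNAL_NETS only; ip.is_private would also accept
    documentation ranges such as 203.0.113.0/24, which we do not want."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def _entry_ip(original):
    """Client IP from the oldest Received header: the hop at which the
    bounced message first entered the reporting server."""
    received = original.get_all("Received") or []
    m = _IP_RE.search(" ".join(received[-1].split())) if received else None
    return m.group(1) if m else None


def analyse_ndr(raw, local_domains=LOCAL_DOMAINS):
    """Return the NDR's key fields plus a list of finding tags."""
    msg = email.message_from_string(raw)
    report = {
        "is_dsn": (msg.get_content_type() == "multipart/report"
                   and msg.get_param("report-type") == "delivery-status"),
        "bounce_to": parseaddr(msg.get("To", ""))[1],
        "failed_recipients": [], "original_from": "", "client_ip": None, "findings": [],
    }
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The stdlib parser turns each blank-line-separated block into a
            # sub-message; only per-recipient blocks carry Final-Recipient.
            for block in part.get_payload():
                if "Final-Recipient" in block:
                    report["failed_recipients"].append({
                        "address": block["Final-Recipient"].split(";", 1)[-1].strip(),
                        "action": block.get("Action", "").strip(),
                        "status": block.get("Status", "").strip(),
                        "diagnostic": " ".join(block.get("Diagnostic-Code", "").split()),
                    })
        elif ctype == "message/rfc822":
            original = part.get_payload(0)  # the returned original message
            report["original_from"] = parseaddr(original.get("From", ""))[1]
            report["client_ip"] = _entry_ip(original)

    from_outside = bool(report["client_ip"]) and not _is_internal(report["client_ip"])
    sender_local = _domain(report["original_from"]) in local_domains
    external_rcpts = [r for r in report["failed_recipients"]
                      if _domain(r["address"]) not in local_domains]
    # Entered from outside, sender not ours, recipient not ours: the server
    # relayed for a third party (open relay or an abused authenticated relay).
    if from_outside and not sender_local and external_rcpts:
        report["findings"].append("third-party-relay")
    # Bounce addressed to a non-local sender: the server is emitting
    # backscatter to whatever address was forged in the original envelope.
    if report["is_dsn"] and _domain(report["bounce_to"]) not in local_domains:
        report["findings"].append("backscatter")
    return report


if __name__ == "__main__":
    print(analyse_ndr(SAMPLE_NDR))
```

On the constructed sample this reports both tags, third-party-relay and backscatter; a bounce for a message that entered from an internal address and was sent by a local user reports none. The caveat for the posted case: the Received line alone shows that MYCOMPANY.com accepted a message from that client for an external recipient, but not whether it did so anonymously or on an authenticated session, so the same client IP should be looked up in the server's SMTP protocol logging before concluding which of the two it was.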