Tracing spam in headers. Possible NDR attack.

All Forums >> [Microsoft Exchange 2003] >> Server Security


dapupard -> Tracing spam in headers. Possible NDR attack. (12.Nov.2010 1:00:02 PM)


Server is getting hit with lots of spam. It appears mail is coming from and going to while our domain is So first our server sends spam out and then it tries again to send out an NDR. All the while, neither the original sender nor the recipient appears to be from our domain.

I have had all users reset their passwords today. Server is not an open relay. IMF and recipient filters are turned on in both locations. "Filter recipients who are not in the directory" is enabled. I have no idea how this is happening. I can delete the queue folder and the server returns to normal for a few days, but then we get hit with a ton of spam overnight.

Windows Server 2003 SP2 with Exchange 2003 SP2. No third-party spam filters. See this message header. You can see the original message and the NDR in this header.

Date: Fri, 12 Nov 2010 02:20:10 -0500
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
X-DSNContext: 7ce717b1 - 1194 - 00000002 - 00000000
Message-ID: <>
Subject: Delivery Status Notification (Failure)

This is a MIME-formatted message.
Portions of this message may be unreadable without a MIME-capable mail program.
Content-Type: text/plain; charset=unicode-1-1-utf-7

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.
Content-Type: message/delivery-status

Reporting-MTA: dns;
Received-From-MTA: dns;User
Arrival-Date: Thu, 11 Nov 2010 22:23:26 -0500

Final-Recipient: rfc822;
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;550 This message contains malware (Heuristics.Phishing.Email.SSL-Spoof)
Content-Type: message/rfc822

Received: from User ([71.16.72.***]) by with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 11 Nov 2010 22:23:26 -0500
Reply-To: <no-reply@SOMEDOMAIN.itt>
From: "CartaSi, Inc"<>
Subject: S***********al 12/11/2010
Date: Thu, 11 Nov 2010 22:23:26 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <>
X-OriginalArrivalTime: 12 Nov 2010 03:23:26.0678 (UTC) FILETIME=[F84C7F60:01CB8218]

This is a multi-part message in MIME format.

Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

Content-Type: text/html;
Content-Transfer-Encoding: 7bit

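Reading a DSN like the one above by hand is error-prone, so the following is an added example (it is not code from the post, from the forum, or from Exchange) that parses a constructed DSN of the same shape with Python's standard email module: it pulls out the Reporting-MTA, the per-recipient Status and Diagnostic-Code, and the Received chain of the bounced original, then decides whether the NDR is accept-then-bounce backscatter (our server accepted the message from an outside IP, could not deliver it, and generated an NDR to an unverified external sender) and, separately, whether the original was relayed from an external sender to an external recipient. OUR_DOMAINS, OUR_HOSTS and OUR_NETWORKS are assumptions, and every address, host name and IP in SAMPLE_DSN is made up, since the post's own values were stripped.

```python
import email
import re
from ipaddress import ip_address, ip_network

# Assumed facts about "our" environment (constructed for this example, not from the post).
OUR_DOMAINS = {"example.com"}
OUR_HOSTS = {"mail.example.com"}
OUR_NETWORKS = [ip_network("192.0.2.0/24")]

# Constructed DSN modelled on the shape of the header in the post; all values are made up.
SAMPLE_DSN = """\
Date: Fri, 12 Nov 2010 02:20:10 -0500
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn-boundary"
From: postmaster@example.com
To: <billing@cartasi-lookalike.example.net>
Subject: Delivery Status Notification (Failure)

--dsn-boundary
Content-Type: text/plain; charset=us-ascii

Delivery to the following recipients failed.

--dsn-boundary
Content-Type: message/delivery-status

Reporting-MTA: dns;mail.example.com
Received-From-MTA: dns;User
Arrival-Date: Thu, 11 Nov 2010 22:23:26 -0500

Final-Recipient: rfc822;jsmith@example.com
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;550 This message contains malware (Heuristics.Phishing.Email.SSL-Spoof)

--dsn-boundary
Content-Type: message/rfc822

Received: from User ([203.0.113.45]) by mail.example.com with Microsoft SMTPSVC(6.0.3790.3959);
\t Thu, 11 Nov 2010 22:23:26 -0500
Reply-To: <no-reply@SOMEDOMAIN.itt>
From: "CartaSi, Inc" <billing@cartasi-lookalike.example.net>
To: jsmith@example.com
Subject: Account notice
Date: Thu, 11 Nov 2010 22:23:26 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

(phishing body omitted)
--dsn-boundary--
"""

# Matches "from HELO ([ip])" (Exchange/IIS SMTPSVC style) and "from HELO (rdns [ip])" (sendmail style).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:[^\s\[\]()]+\s+)?\[?(?P<ip>[0-9a-fA-F:.]+)\]?\)\s+by\s+(?P<by>\S+)", re.I)
ADDR_RE = re.compile(r"([\w.+-]+@[\w.-]+\w)")

def _flat(value):
    """Unfold a header value: collapse folding whitespace (CRLF + tab) into single spaces."""
    return re.sub(r"\s+", " ", str(value or "")).strip()

def parse_received(value):
    """Pull (HELO name, peer IP, receiving host) out of one Received: header, or None."""
    m = RECEIVED_RE.search(_flat(value))
    return {"helo": m["helo"], "ip": m["ip"], "by": m["by"].lower()} if m else None

def extract_addr(value):
    m = ADDR_RE.search(_flat(value))
    return m.group(1).lower() if m else None

def parse_dsn(raw):
    """Walk a multipart/report DSN and collect the fields needed to trace it."""
    msg = email.message_from_string(raw)
    info = {"dsn_to": extract_addr(msg.get("To")), "reporting_mta": None, "final_recipient": None,
            "status": None, "diagnostic": None, "original_from": None, "hops": []}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            blocks = part.get_payload()  # [per-message fields, per-recipient fields, ...]
            info["reporting_mta"] = _flat(blocks[0].get("Reporting-MTA")).split(";", 1)[-1].strip().lower()
            for rcpt in blocks[1:]:
                info["final_recipient"] = extract_addr(rcpt.get("Final-Recipient"))
                info["status"] = _flat(rcpt.get("Status"))
                info["diagnostic"] = _flat(rcpt.get("Diagnostic-Code"))
        elif ctype == "message/rfc822":
            original = part.get_payload()[0]  # the bounced message with its headers intact
            info["original_from"] = extract_addr(original.get("From"))
            # Received: headers are prepended by each hop, so the LAST one listed is the first hop;
            # only the hops stamped by our own servers can be trusted.
            info["hops"] = [h for h in map(parse_received, original.get_all("Received", [])) if h]
    return info

def classify(info):
    """Decide whether the DSN is accept-then-bounce backscatter and/or evidence of relaying."""
    findings = []
    we_generated = info["reporting_mta"] in OUR_HOSTS
    if we_generated:
        findings.append("NDR was generated by our MTA %s" % info["reporting_mta"])
    entry = info["hops"][-1] if info["hops"] else None
    entered_from_outside = False
    if entry and entry["by"] in OUR_HOSTS:
        peer = ip_address(entry["ip"])
        entered_from_outside = not any(peer in net for net in OUR_NETWORKS)
        if entered_from_outside:
            findings.append("original accepted by %s from external %s (HELO %r)" % (entry["by"], peer, entry["helo"]))
        if "." not in entry["helo"]:
            findings.append("unqualified HELO %r is typical of a spam bot, not a real MTA" % entry["helo"])
    sender_domain = (info["original_from"] or "").rpartition("@")[2]
    rcpt_domain = (info["final_recipient"] or "").rpartition("@")[2]
    # Backscatter: we accepted from outside, failed later, and bounced to an unverified (likely forged) sender.
    backscatter = we_generated and entered_from_outside and sender_domain not in OUR_DOMAINS
    if backscatter:
        findings.append("NDR addressed to external %s: unverified sender, accept-then-bounce backscatter" % info["dsn_to"])
        if (info["diagnostic"] or "").startswith("smtp;"):
            findings.append("rejection came from the next SMTP hop (%s); we accepted first, then bounced" % info["diagnostic"])
    # Relay: external sender to external recipient through our host means we relayed it.
    open_relay = entered_from_outside and rcpt_domain not in OUR_DOMAINS
    if open_relay:
        findings.append("external sender to external recipient %s: the server relayed" % info["final_recipient"])
    return {"backscatter": backscatter, "open_relay": open_relay, "findings": findings}

if __name__ == "__main__":
    verdict = classify(parse_dsn(SAMPLE_DSN))
    for line in verdict["findings"]:
        print("-", line)
    print("backscatter:", verdict["backscatter"], "open relay:", verdict["open_relay"])
```

On the constructed sample the verdict is backscatter but not relay: the recipient is local, so the server was not relaying, yet it accepted the message at SMTP time, had it refused by the next hop, and then bounced to a forged external sender. The fix for that pattern is to reject at SMTP time (recipient validation and content scanning on the receiving hop) rather than accept and generate an NDR afterwards.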