• Twitter
  • FaceBook

Exchange Server Forums

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Tracing spam in headers. Possible NDR attack.

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [Microsoft Exchange 2003] >> Server Security >> Tracing spam in headers. Possible NDR attack. Page: [1]
Message << Older Topic   Newer Topic >>
Tracing spam in headers. Possible NDR attack. - 12.Nov.2010 1:00:02 PM   


Posts: 1
Joined: 12.Nov.2010
Status: offline

Server is getting hit with lots of spam. It appears mail is coming from domainB.com and going to domainC.com while our domain is domainA.com. So first our server sends spam out and then it tries again to send out an NDR. All the while neither the original sender or recipient appears to be from our domain.

I have had all users reset their passwords today. Server is not an open relay. IMF and recipient filters are turned on in both locations. "Filter recipients who are not in the directory" is enabled. I have no idea how this is happening. I can delete the queue folder and the server returns to normal for a few days, but then we get hit with a ton of spam over night.

Windows server 2003 SP2 with Exchange 2003 SP2. No third party spam filters. See this message header. You can see the original message and the NDR in this header.

From: postmaster@MYCOMPANY.com
Date: Fri, 12 Nov 2010 02:20:10 -0500
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
X-DSNContext: 7ce717b1 - 1194 - 00000002 - 00000000
Message-ID: <bUMjA2QUg000024ea@MYCOMPANY.com>
Subject: Delivery Status Notification (Failure)

This is a MIME-formatted message.
Portions of this message may be unreadable without a MIME-capable mail program.

Content-Type: text/plain; charset=unicode-1-1-utf-7

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.


Content-Type: message/delivery-status

Reporting-MTA: dns;MYCOMPANY.com
Received-From-MTA: dns;User
Arrival-Date: Thu, 11 Nov 2010 22:23:26 -0500

Final-Recipient: rfc822;ANOTHERUser@SOMEotherDOMAIN.ltd.uk
Action: failed
Status: 5.5.0
Diagnostic-Code: smtp;550 This message contains malware (Heuristics.Phishing.Email.SSL-Spoof)

Content-Type: message/rfc822

Received: from User ([71.16.72.***]) by MYCOMPANY.com with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 11 Nov 2010 22:23:26 -0500
Reply-To: <no-reply@SOMEDOMAIN.itt>
From: "CartaSi, Inc"<USER@SOMEDOMAIN.it>
Subject: S***********al 12/11/2010
Date: Thu, 11 Nov 2010 22:23:26 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <DGSBS01YGoVEmK3xvp60000088a@MYCOMPANY.com>
X-OriginalArrivalTime: 12 Nov 2010 03:23:26.0678 (UTC) FILETIME=[F84C7F60:01CB8218]

This is a multi-part message in MIME format.

Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

Content-Type: text/html;
Content-Transfer-Encoding: 7bit
Post #: 1

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [Microsoft Exchange 2003] >> Server Security >> Tracing spam in headers. Possible NDR attack. Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts

Follow TechGenix on Twitter