Exchange Server Forums

Getting Undeliverable: Returned mail: User unknown on Mail We Never Sent

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [Microsoft Exchange 2000] >> General >> Getting Undeliverable: Returned mail: User unknown on Mail We Never Sent

Page: [1]

Message

<< Older Topic Newer Topic >>

Getting Undeliverable: Returned mail: User unknown on M... - 16.Sep.2003 7:14:00 PM

Scuba Steve

Posts: 62
Joined: 13.Aug.2003
From: Oldsmar, FL
Status: offline

The system administrator's account is getting swamped by mail with the subject Undeliverable: Returned mail: User unknown on mail that (we think) no one in our organization has ever sent.

Here is the message body:

quote:

-----Original Message-----
From: System Administrator
Sent: Tuesday, September 16, 2003 12:01 PM
To: cuttie1203@aol.com; ddentrpris@aol.com
Subject: Undeliverable: Returned mail: User unknown

Your message did not reach some or all of the intended recipients.

Subject: Re: get prescription meds to your door - no prior prescription needed ulr sgi iryubprg po pm llyamruqvgyldt qbjwksleuxuv htlfm r gjzh hltenwnmobdmgkn udxxw wzck
Sent: 9/16/2003 11:03 AM

The following recipient(s) could not be reached:

cuttie1203@aol.com on 9/16/2003 11:19 AM
The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
< str-d10.mail.aol.com #5.1.1 SMTP; 550 MAILBOX NOT FOUND>

ddentrpris@aol.com on 9/16/2003 11:19 AM
The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
< str-d10.mail.aol.com #5.1.1 SMTP; 550 MAILBOX NOT FOUND>

How can I be sure that someone, or something is sending the message within the orgainzation?
I am worried that someone is using our Exchange Server as a spam server. So I checked our relay settings and all seems to be well. Here are the settings:

Only the List Below:
Server's internal ip address.
Server's external ip address.
Allow all computer which successfully authenticate to relay, regardless of the settings above.

How can I find who is sending these messages and block them?

Any help on this topic would be greatly appreciated! "[Smile]"

Thanks,

****

Post #: 1

Featured Links*

RE: Getting Undeliverable: Returned mail: User unknown ... - 17.Sep.2003 10:34:00 PM

ksoliz

Posts: 65
Joined: 16.Sep.2003
From: US
Status: offline

You need to take a look at this article...

http://www.msexchange.org/tutorials/MF005.html

Here is one thing I over looked when I first setup my exchange server.

On the address tab of the SMTP connector... Make sure you do not have the �Allow messages to be relayed to these domains� checked, as this will override the settings on your SMTP Virtual server and you will be an �Open� Relay.

That article has a few links to some testing website that will test your server for an open relay. There is also a manual test in the article.

Also make sure SMTP loggin is enabled if you are wanting to track access

(in reply to Scuba Steve)

Post #: 2

RE: Getting Undeliverable: Returned mail: User unknown ... - 18.Sep.2003 5:52:00 PM

Scuba Steve

Posts: 62
Joined: 13.Aug.2003
From: Oldsmar, FL
Status: offline

Thnaks for the reply, I went through the article and all appears that we are not an "Open Relay."

So what other reasons could there be for getting these mysterious e-mails? [Confused]

We really get alot of them.

(in reply to Scuba Steve)

Post #: 3

RE: Getting Undeliverable: Returned mail: User unknown ... - 19.Sep.2003 3:26:00 AM

ksoliz

Posts: 65
Joined: 16.Sep.2003
From: US
Status: offline

If you made sure your setup is identical to the link I posted then I can only assume you are having trouble cause of the setting below.

"Allow all computers which successfully authenticate to relay, regardless of the settings above."

Either someone inside is generating the SPAM or someone outside is connecting sending mail through your server with a valid username/password. I say that last part because I noticed you have your server's external IP in the granted list...curious, why are you doing this?

Also, do you have SMTP logging enabled? You need to to get a clear idea of who/what is coming and going through the mail server. Make sure and check the extended logging properties for what is being logged.

(in reply to Scuba Steve)

Post #: 4

RE: Getting Undeliverable: Returned mail: User unknown ... - 19.Sep.2003 2:30:00 PM

Scuba Steve

Posts: 62
Joined: 13.Aug.2003
From: Oldsmar, FL
Status: offline

quote:
Originally posted by Kevin S.:
Either someone inside is generating the SPAM or someone outside is connecting sending mail through your server with a valid username/password. I say that last part because I noticed you have your server's external IP in the granted list...curious, why are you doing this?

I am not sure why I am doing this...becuase Small Business 2000 setup set it up like that...Should I remove it? Why is it on there now? What would happen if I removed it?

quote:
Originally posted by Kevin S.:
Also, do you have SMTP logging enabled? You need to to get a clear idea of who/what is coming and going through the mail server. Make sure and check the extended logging properties for what is being logged.

Logging was enabled, but only the default extended logging features were selected. I went ahead and selected them all.

Is there a log parser that would make reading these logs eaiser? Or like a software that would review them like some web log software does?

I thank you very much, you are a big help! [Big Grin]

(in reply to Scuba Steve)

Post #: 5

RE: Getting Undeliverable: Returned mail: User unknown ... - 19.Sep.2003 11:30:00 PM

ksoliz

Posts: 65
Joined: 16.Sep.2003
From: US
Status: offline

Well I would need to know more about your network setup to tell you if you needed that external IP or not. I would assume you don't. The reason it might be an issue is someone might be able to make it appear messages are being relayed from your external IP, externally [Smile]

For example, In my small business network we have business class cable setup with a router doing NAT. Our exchange server is setup only with "Granted" premissions to the internal IP address. There is no need for me to put the external IP on the server. Memebers of the domain will be able to "relay" by default.

So a lot depends on your setup...

As far as the log parser goes... I would check out Log Parser 2.0 from MS. I think you will find it does just about everything you need.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=8cde4028-e247-45be-bab9-ac851fc166a4

(in reply to Scuba Steve)

Post #: 6

RE: Getting Undeliverable: Returned mail: User unknown ... - 20.Sep.2003 12:44:00 AM

Egiganet

Posts: 135
Joined: 10.Dec.2002
From: Michigan
Status: offline

Your settings appear to be fine. Without seeing the full header information you can't tell if the messages are originating from your network or not. Someone is probably spoofing your address, that was one of the annoyances with the sobig.f virus.

-Andy

(in reply to Scuba Steve)

Post #: 7

RE: Getting Undeliverable: Returned mail: User unknown ... - 21.Sep.2003 6:15:00 AM

ksoliz

Posts: 65
Joined: 16.Sep.2003
From: US
Status: offline

Steve, really sounds like you are experiencing a SMTP auth attack. Someone is using an account to gain access externally. Users using weak passwords make this a big risk. There is another post in the Security section talking about this.

Take a look at this link for details.

http://www.vamsoft.com/orf/authattack.asp

(in reply to Scuba Steve)

Post #: 8