RE: Log to find Internal Originator
From: Lee Li [MSFT] (v-leeli_at_online.microsoft.com)
Date: 11/12/04
- Next message: Pavlos Gerardos: "Re: Help in creating a Distribution List in GAL (or something like"
- Previous message: mrbello: "RE: host unreachable after recent Windows Update"
- In reply to: Deuce Sapp: "Log to find Internal Originator"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 12 Nov 2004 06:30:13 GMT
Dear Deuce,
Thank you for posting here.
Based on my knowledge, the key point here is to verify whether the mail was
sent by the real user. You could contact the real user who received the
Non-Delivery Report (NDR) and verify whether the mail was sent by him. You
can also enable SMTP logging to verify whether the mail was sent by your
Exchange Server.
1. Start Exchange System Manager.
2. Expand "Servers\<Your_ Server_Name>\Protocols\SMTP".
3. Right-click each "SMTP Virtual Server" in turn, and then click
"Properties".
4. Make sure "Enable Logging" is checked, and use the "W3C Extended Log File
Format".
5. Click Properties. On the General tab, you can find the path for the log file.
6. On the Advanced tab, check all check boxes.
7. Click "Apply", and then click "OK" to close "Logging Properties".
8. Click "Apply", and then click "OK" to save your settings and close "SMTP
Virtual Server Properties".
If the mail was not sent by the real user, the behavior happens due to one
of the following causes.
1. Virus on the Outlook client side.
2. Reverse NDR attack by a spammer.
So first please scan the Outlook client, then verify
whether the issue disappears. If the issue persists, I am afraid the issue
is caused by a reverse NDR attack by a spammer. I am afraid that the mails are
sent by the spammer using a third-party mail server. Based on my knowledge, the
behavior you encountered is a new means for spammers to avoid the filters built
into many systems. They take advantage of a third-party mail system sending
a non-delivery report (NDR) when a message cannot be delivered as
addressed, which returns the original contents. Since this follows the RFC
standard, almost all mail servers function this way. This is what is
called a "Reverse NDR attack" (RNDR).
First I would like to explain the detailed situation for RNDR according to the
SMTP protocol RFC standard.
Here I assume UserB@anyDomain.com is the recipient, which is invalid, and
UserA@yourDomain.com is your mailbox as the sender.
1. The spammer telnets to any third-party mail server on port 25 which allows
relaying, in the following format:
Telnet <third party Mail Server> 25
2. The spammer uses your mailbox UserA@yourDomain.com as the mail sender to attack
your mailbox, in the following format:
Mail from: UserA@yourDomain.com
3. The spammer uses UserB@anyDomain.com as the invalid recipient, in the following
format:
Rcpt to: UserB@anyDomain.com
4. Input the mail content and quit the session.
5. When the mail reaches the domain anyDomain.com, its mail server finds that
UserB@anyDomain.com doesn't exist in the domain, and returns an NDR
report to the sender UserA@yourDomain.com.
That's why you receive NDR reports for mails you didn't send. In this
case, the behavior follows the RFC standard, and the spam sender/attacker makes
use of an unknown third-party mail server on the Internet to relay the spam e-mails,
where authentication is not needed for this e-mail server. So, based on
such a mechanism, I am afraid there isn't an efficient way to stop such actions
currently, because these spam e-mails are not going through your Exchange
server. Based on my knowledge, the issue has happened to most companies
recently, even Microsoft, regardless of what mail servers they are using
now. More info here:
304897 XIMS: Microsoft SMTP Servers May Seem to Accept and Relay E-Mail
http://support.microsoft.com/?id=304897
Hope this helps. Please let me know if you have any other concerns or
questions. Thanks and have a nice day!
Thanks & Regards,
Lee Li
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Deuce Sapp" <dssapp@atlasmachine.com>
| Subject: Log to find Internal Originator
| Date: Thu, 11 Nov 2004 12:03:07 -0500
| Lines: 15
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
| Message-ID: <OBF7SBByEHA.2752@TK2MSFTNGP11.phx.gbl>
| Newsgroups: microsoft.public.exchange.admin
| NNTP-Posting-Host: 12.44.211.20
| Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.exchange.admin:455282
| X-Tomcat-NG: microsoft.public.exchange.admin
|
| What Diagnostic Logging service should I turn on to find out who is
| originating an SMTP message that fails? I have a user receiving System
| Administrator messages back regarding failed delivery because he is the
| "FROM" address, but I'm not 100% sure they are actually coming from his
| computer.
|
| It is the message that says Re: Hi and has ;) as the body, if anyone is
| familiar with that.
|
| Thanks.
|
|
| Deuce
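Triage logic for the two checks the reply above describes (compare the returned original's Received: chain against your own server's name, and look in the SMTP virtual server's W3C extended log for an outbound MAIL FROM / RCPT TO pair that matches the bounced message), written as an added Python example that is not part of the original post. The server names, addresses, log excerpt and NDR messages are all constructed; the log excerpt carries only a subset of the columns a real Exchange 2003 SMTP log has, which is why the parser reads column names from the #Fields line rather than assuming positions.

```python
"""Triage an NDR as the reply suggests: did the bounced message leave our Exchange
server, or was our user's address forged on a third-party MTA (reverse NDR)?
Two independent checks, either of which proves the mail was ours:
  1. The returned original's Received: chain names our server.
  2. Our SMTP virtual server's W3C log shows an OUTBOUND session that issued
     MAIL FROM:<that sender> and RCPT TO:<that recipient>.
All hostnames, addresses, log lines and NDR text below are constructed samples.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical names under which our Exchange server appears in Received: headers.
OUR_HOSTS = {"exch01.yourdomain.com", "192.0.2.10"}

def parse_w3c_log(text: str) -> list[dict]:
    """Column names come from the #Fields directive, so the parser does not
    depend on which Advanced-tab fields were enabled on the virtual server."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def log_shows_outbound(rows: list[dict], sender: str, recipient: str) -> bool:
    """One log line per SMTP verb; lines sharing timestamp, client IP and remote
    IP are treated as one session. Only our own outbound sessions count."""
    sessions: dict[tuple, set[str]] = {}
    for r in rows:
        if r.get("cs-username") != "OutboundConnectionCommand":
            continue  # an inbound session cannot prove that we sent anything
        key = (r["date"], r["time"], r["c-ip"], r["s-ip"])
        sessions.setdefault(key, set()).add(r["cs-uri-query"].lstrip("+").lower())
    want = {f"from:<{sender.lower()}>", f"to:<{recipient.lower()}>"}
    return any(want <= verbs for verbs in sessions.values())

def received_hops(msg: Message) -> list[str]:
    """Host named after 'from' in each Received: header, newest hop first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([^\s(\[]+)", hdr)
        if m:
            hops.append(m.group(1).lower())
    return hops

def returned_original(ndr: Message) -> Message | None:
    """The message/rfc822 part that an RFC-style NDR attaches: the bounced original."""
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None

def triage_ndr(ndr_text: str, log_text: str) -> dict:
    original = returned_original(message_from_string(ndr_text))
    if original is None:
        return {"verdict": "no-original-attached"}
    sender = parseaddr(original.get("From", ""))[1]
    recipient = parseaddr(original.get("To", ""))[1]
    hops = received_hops(original)
    via_us = any(h in OUR_HOSTS for h in hops)
    logged = log_shows_outbound(parse_w3c_log(log_text), sender, recipient)
    return {"sender": sender, "recipient": recipient, "hops": hops,
            "via_our_server": via_us, "in_smtp_log": logged,
            "verdict": "sent-by-our-server" if (via_us or logged) else "reverse-ndr-suspected"}

# Constructed log excerpt (a real Exchange 2003 SMTP log has more columns).
SMTP_LOG = """\
#Fields: date time c-ip cs-username s-computername s-ip cs-method cs-uri-query sc-status
2004-11-11 16:51:02 192.0.2.10 OutboundConnectionCommand EXCH01 203.0.113.25 MAIL +FROM:<usera@yourdomain.com> 250
2004-11-11 16:51:02 192.0.2.10 OutboundConnectionCommand EXCH01 203.0.113.25 RCPT +TO:<partner@example.net> 250
"""

def make_ndr(received: str, to: str) -> str:
    """Constructed multipart/report NDR wrapping the bounced original."""
    return ("From: postmaster@anydomain.com\nTo: usera@yourdomain.com\n"
            "Subject: Undeliverable: Re: Hi\nMIME-Version: 1.0\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\nUser unknown.\n"
            "--b1\nContent-Type: message/rfc822\n\n"
            f"{received}\nFrom: UserA <usera@yourdomain.com>\nTo: {to}\nSubject: Re: Hi\n\n;)\n"
            "--b1--\n")

# Forged: only a foreign relay in the chain, and nothing in our log for that recipient.
FORGED_NDR = make_ndr("Received: from open-relay.example.org ([198.51.100.7]) by mx.anydomain.com",
                      "userb@anydomain.com")
# Genuine: our server is the first hop and our log shows the outbound session.
GENUINE_NDR = make_ndr("Received: from exch01.yourdomain.com ([192.0.2.10]) by mx.example.net",
                       "partner@example.net")

if __name__ == "__main__":
    for label, ndr in (("forged", FORGED_NDR), ("genuine", GENUINE_NDR)):
        print(label, triage_ndr(ndr, SMTP_LOG)["verdict"])
```

Either check alone is a positive signal that the mail really went through your server; when both are absent the NDR matches the reverse-NDR pattern described above, and the Received: hops tell you which third-party relay the spammer used. Received: headers are attacker-controlled text, so the hop list is evidence to correlate with your own log, not proof on its own.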