Re: Strange SPAM with no tracks...!?
- From: "Bharat Suneja [MVP]" <bharat@xxxxxxxxxx>
- Date: Wed, 16 May 2007 16:34:42 -0700
It's a common trick - a spammer uses your email address in mail from, from, or return-path headers. SMTP has no built-in security so header spoofing is easy. As a result, the destination domain generates an NDR for the recipient in your domain whose email address was spoofed in headers.
If the destination domain did a SenderID check and you had SPF records published, it would have been easy to determine that the sending host is not authorized to send for your domain and this sort of thing can be avoided.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
exchangepedia.com/blog
------------------------------
"Per Hagstrom" <poh@xxxxxxxxxxxxxxxxx> wrote in message news:OdN74cAmHHA.4768@xxxxxxxxxxxxxxxxxxxxxxx
I got a really strange email, which I don't seem to be able to track even...!?
A person in our company got this System Administrator Undeliverable email:
***
Your message did not reach some or all of the intended recipients.
Subject: job is profitable Sl
Sent: 5/15/2007 9:36 AM
The following recipient(s) could not be reached:
ssanders@xxxxxxxxxxxxxxx on 5/14/2007 8:40 AM
You do not have permission to send to this recipient. For assistance, contact your system administrator.
< mail.co.sutter.ca.us #5.7.1 smtp; 550 5.7.1 Message content rejected, UBE, id=07990-02-11>
***
We are not co.sutter.ca.us, so everything above is exactly what it says.
One additional strange thing is the time difference, 5/15 and 5/14.
Searching for co.sutter.ca.us in the Exchange SMTP logs gives me no hits at all.
If I hit the Send Again button, it gives an error, telling me there is no information available for the original email. Also, the person that got this email never sent any emails to co.sutter.ca.us.
I can't go to View-Options, which is normal when you have an internal email like a real System Administrator email, so I guess it's not a "normal" spam trick, where somebody is trying to impersonate the System Administrator...?
OK, I did some more research. I used the Message Tracking Center, and was actually able to find the email there coming in 5/14 from postamster@xxxxxxxxxxxxxxxx Going back to the SMTP logs shows this with an empty from ( FROM:<> 250 ).
I'm just really confused and kind of concerned how this happened. Anyone with any clue?
FYI, we do have a Tumbleweed device in front of the Exchange server.
BIG TIA!!
/ Per