Re: Strange SPAM with no tracks...!?
- From: oz.ozugurlu <ozozugurlu@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 16 May 2007 21:08:09 -0700
check this out
"Bounces are messages, officially called non-delivery reports (NDR) or
delivery status notifications (DSN), that are generated by a mail server to
report on the delivery status of an email message.
It is becoming increasingly popular for aggressive Real-time Blocking Lists
(RBLs) to blacklist mail servers for sending out NDRs to bogus addresses
(known as "backscatter")."
http://smtp25.blogspot.com/2007/05/i-backscatered-you.html
best
oz
--
Oz Ozugurlu
Systems Engineer
MCSE 2003| M+| S+
MCDST | Security+|Project+
oz@xxxxxxxxxx
http://smtp25.blogspot.com (Blog)
"Bharat Suneja [MVP]" wrote:
It's a common trick - a spammer uses your email address in mail from, from,
or return-path headers. SMTP has no built-in security so header spoofing is
easy. As a result, the destination domain generates a NDR for the recipient
in your domain whose email address was spoofed in headers.
If the destination domain did a SenderID check and you had SPF records
published, it would have been easy to determine that the sending host is not
authorized to send for your domain and this sort of thing can be avoided.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
exchangepedia.com/blog
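The SenderID/SPF check described above, as an added example that is not part of this thread or of any poster's code: a simplified evaluator for the `ip4:`/`ip6:`/`all` mechanisms (the ones that need no further DNS lookups), plus the receiving MTA's decision to reject at SMTP time instead of accepting and later bouncing. The SPF record, IP addresses and response text are constructed sample values.

```python
import ipaddress

# Constructed sample: the SPF TXT record a domain would publish, authorising
# only its own outbound hosts. Assumed value, not taken from the thread.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"

# Qualifier prefixes defined by SPF; a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, client_ip: str) -> str:
    """Evaluate an SPF record against the IP of the connecting SMTP client.

    Simplified: only ip4/ip6/all are handled. Returns pass, fail, softfail,
    neutral, none (not an SPF record) or permerror (unsupported/bad syntax).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include/a/mx/exists/redirect require DNS lookups; not modelled here.
        return "permerror"
    return "neutral"  # no mechanism matched and no trailing "all"


def smtp_decision(record: str, client_ip: str) -> str:
    """Reject a hard SPF fail during the SMTP transaction (no NDR is ever
    generated for the spoofed sender); everything else is accepted here."""
    if spf_check(record, client_ip) == "fail":
        return "550 5.7.1 Sender not authorized by SPF"
    return "250 OK"
```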
------------------------------
"Per Hagstrom" <poh@xxxxxxxxxxxxxxxxx> wrote in message
news:OdN74cAmHHA.4768@xxxxxxxxxxxxxxxxxxxxxxx
I got a really strange email, which I don't seem to be able to track
even...!?
A person in our company got this System Administrator Undeliverable email:
***
Your message did not reach some or all of the intended recipients.
Subject: job is profitable Sl
Sent: 5/15/2007 9:36 AM
The following recipient(s) could not be reached:
ssanders@xxxxxxxxxxxxxxx on 5/14/2007 8:40 AM
You do not have permission to send to this recipient. For
assistance, contact your system administrator.
< mail.co.sutter.ca.us #5.7.1 smtp; 550 5.7.1 Message content
rejected, UBE, id=07990-02-11>
***
We are not co.sutter.ca.us, so everything above is exactly what it says.
One additional strange thing is the time difference, 5/15 and 5/14.
Searching for co.sutter.ca.us in the Exchange SMTP logs gives me no hits
at all.
If I hit the Send Again button, it gives an error, telling me there is no
information available for the original email. Also, the person that got
this email never sent any emails to co.sutter.ca.us.
I can't go to View-Options, which is normal when you have an internal
email like a real System Administrator email, so I guess it's not a
"normal" spam trick, where somebody is trying to impersonate the System
Administrator...?
OK, I did some more research. I used the Message Tracking Center, and was
actually able to find the email there coming in 5/14 from
postamster@xxxxxxxxxxxxxxxx Going back to the SMTP logs shows this with an
empty from ( FROM:<> 250 ).
I'm just really confused and kind of concerned how this happened. Anyone
with any clue?
FYI, we do have a Tumbleweed device in front of the Exchange server.
BIG TIA!!
/ Per