Re: Unexplain-able Undeliverable messages being generated



It's not a standard NDR. It doesn't appear to come from another mail
server. If you open it you get the option to "send again". It lists all
the people it tried to send to and depending on the server for the domains
it sent to gives various "user unknown" or "account unknown" error messages.

It's as if someone is replying from this mailbox, but no one is.

Thanks,
Mike

"Matthew Byrd [MSFT]" <matbyrd@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:umtJqWNVFHA.3584@xxxxxxxxxxxxxxxxxxxxxxx
> Hi Mike,
>
> Is the subject "Undeliverable: Subject" but the message body look like a
> real piece of email or does the message body look like an NDR? It is
> possible that the Spammers are using the standard NDR subject line as a
> way to get you to look at the email. Then your email filtering software
> detects it as spam and sends it to your Spam account.
>
> If the email is being generated by Exchange then it will be a standard NDR
> in which case it will have an NDR code. That code will indicate why the
> NDR was generated; it will also indicate, before the code, what server
> generated the NDR. This information can help you narrow down where the
> message is coming from.
>
> Hope this Helps,
> --
> Matthew Byrd
> Microsoft PSS
>
> Run Microsoft Exchange Server Best Practices Analyzer Today
> http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx
>
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Mike" <mike008us@xxxxxxxxx> wrote in message
> news:e6kJXSNVFHA.3432@xxxxxxxxxxxxxxxxxxxxxxx
>> Yes, but if they are coming from external mail servers, their subjects
>> would get modified by the 3rd party that scans the mail for spam. Also,
>> I'd expect those "Undeliverable: subject" messages would be going to
>> other users in the domain. Why would the only account that gets spoofed
>> be the spam@xxxxxxxxxx? It's definitely not published anywhere. And
>> wouldn't I be able to view a header on any message that came from an
>> external mail server?
>>
>> The messages I'm referring to follow this format "Undeliverable:
>> subject". When opened you cannot view the header (by clicking
>> view>options). You can hit "send again", which indicates or seems like
>> the Exchange server attempted delivery once. Is it possible for this
>> type of message to be forged or spoofed and how could it only happen to
>> one mailbox (spam@xxxxxxxxxx)?
>>
>> Thanks,
>> Mike
>>
>>
>> "Matthew Byrd [MSFT]" <matbyrd@xxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:OsHDJJNVFHA.3696@xxxxxxxxxxxxxxxxxxxxxxx
>>> Hi Mike,
>>>
>>> It may be that someone out there is spoofing your domain. Basically they
>>> are sending spam email to other email users in the world using your
>>> domain as an originating domain. There is nothing in the SMTP protocol
>>> to prevent a user from doing this. So what you may be seeing is the NDRs
>>> that are being generated when these emails are bound for non-existent
>>> users coming back to your domain as they are supposed to. These are
>>> just another form of Spam and can be safely ignored.
>>>
>>> Hope this Helps,
>>> --
>>> Matthew Byrd
>>> Microsoft PSS
>>>
>>> Run Microsoft Exchange Server Best Practices Analyzer Today
>>> http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx
>>>
>>> When responding to posts, please "Reply to Group" via your newsreader so
>>> that others may learn and benefit from your issue.
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>> "Mike" <mike008us@xxxxxxxxx> wrote in message
>>> news:%23qfxfwMVFHA.612@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Hi,
>>>>
>>>> I have an odd situation where I can't figure out where "Undeliverable"
>>>> messages are being generated in a shared mailbox.
>>>>
>>>> My setup. A SBS 2003 server with a single domain, 3rd party service
>>>> where all mail for domain is sent to and scanned for virus and
>>>> spam (viruses are dropped, spam is forwarded to spam@xxxxxxxxxx),
>>>> firewall only accepts SMTP from 3rd party then delivers to server.
>>>> This is still working and had been working great up until a couple
>>>> weeks ago when the amount of spam started increasing by an incredible
>>>> multitude. While I don't care about the increased level of spam that's
>>>> being forwarded through by 3rd party service, it could be related to
>>>> this issue. An account on the server is setup with the name spam and
>>>> the box is shared to 2 users, where 1 of them checks the spam box for
>>>> legitimate email that got through.
>>>>
>>>> The issue exists in that spam box where now it's not just spam, but
>>>> there are messages from "System Administrator" with subject
>>>> "Undeliverable: whatever the subject is", with the option to send again
>>>> and since it's not a delivered message there's no header. The person
>>>> checking the spam is not replying, so how is it that it appears that
>>>> there is a delivery failure?
>>>>
>>>> I've checked the account spam and no auto-reply is setup. I also enabled
>>>> a feature with the 3rd party to modify the subject on spam messages so
>>>> I could make sure the "Undeliverables" were really being generated
>>>> internally, and sure enough the "Undeliverables" do not have a
>>>> modified subject. I thought a PC on the LAN may have spyware that's
>>>> doing this, but how would the spyware know to send messages on behalf
>>>> of their spam account, because no one else in the domain is getting the
>>>> undeliverables in their boxes. I also don't see any of these messages
>>>> being in the delayed SMTP queues.
>>>>
>>>> Please help!
>>>>
>>>> Thanks,
>>>> Mike
>>>>
>>>
>>>
>>
>>
>
>


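Added example (not part of the original thread, and not code from any poster): the advice quoted above, that an NDR names the server that generated it and carries a status code, applied to a raw NDR in RFC 3464 MIME form, plus a check of whether the bounced message was ever sent locally. The sample message, all host names and addresses, and the `sent_ids` input (Message-IDs the local server really sent, for instance exported from message tracking) are assumptions made for the illustration.

```python
import email

# Constructed sample NDR (RFC 3464 layout, human-readable part omitted);
# every host and address below is a placeholder.
SAMPLE_NDR = """\
From: postmaster@mx.recipient.example
To: spam@victim.example
Subject: Undeliverable: Cheap offer
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example

Final-Recipient: rfc822; nobody@recipient.example
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 User unknown

--b1
Content-Type: text/rfc822-headers

From: spam@victim.example
Message-ID: <abc123@bulk-sender.example>

--b1--
"""

def parse_ndr(raw, sent_ids=frozenset()):
    # sent_ids is a hypothetical input: Message-IDs the local server sent.
    out = {"reporting_mta": None, "failures": [], "original_id": None}
    for part in email.message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The parser exposes each header block of the report as a Message.
            for block in part.get_payload():
                if block["Reporting-MTA"]:
                    mta = block["Reporting-MTA"].split(";", 1)[-1]
                    out["reporting_mta"] = mta.strip()
                if block["Final-Recipient"]:
                    rcpt = block["Final-Recipient"].split(";", 1)[-1]
                    out["failures"].append((rcpt.strip(), block["Status"]))
        elif ctype == "text/rfc822-headers":
            orig = email.message_from_string(part.get_payload())
            out["original_id"] = orig["Message-ID"]
    # An NDR for a message we never sent points to a spoofed sender address.
    out["backscatter"] = out["original_id"] not in sent_ids
    return out
```
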