Re: Unexplain-able Undeliverable messages being generated
- From: "Matthew Byrd [MSFT]" <matbyrd@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 11 May 2005 14:37:23 -0400
Mike,
Tracking the message with Message tracking will reveal where it originated
in the Exchange Environment by following its path. If the first place you
see it being submitted to SMTP in your inbound internet mail server then
that is where it originated from. So it is safe to assume that if all of
these show that behavior they are originating from the internet. You would
need to do a netmon or SMTP log to dig further than that.
If the first place you are seeing them appear is an internal Exchange server
then you would want to look for a pattern. Goto that server and attempt
with SMTP logging to determine who is submitting them to the server, or if
they are being generated by the server. Would look to track the original
message that we generated the NDR off of if it is being generated on an
internal server.
Hope this Helps,
--
Matthew Byrd
Microsoft PSS
Run Microsoft Exchange Server Best Practices Analyzer Today
http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Mike" <mike008us@xxxxxxxxx> wrote in message
news:en6HWYlVFHA.3716@xxxxxxxxxxxxxxxxxxxxxxx
>I actually did enable message tracking as the first step, however I don't
>believe these messages appeared in there. For the messages that do appear
>in there, is there a way to determine where they came from other than what
>it says is the sender? I only really saw how the were processed by
>exchange, but none of the processes tell you anything more.
>
> Thanks,
> Mike
>
> "Matthew Byrd [MSFT]" <matbyrd@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:%23QBehAlVFHA.132@xxxxxxxxxxxxxxxxxxxxxxx
>> Hi Mike,
>>
>> About the only other suggestion that I can make via the NewsGroups is
>> that you try to track the message with message tracking. This may help
>> reveal to you where the message is originating from and thus help to
>> troubleshoot it. Otherwise I would recommend opening a case with
>> Microsoft in order to get this resolved or ignoring these messages as
>> Spam.
>>
>> Hope this Helps,
>> --
>> Matthew Byrd
>> Microsoft PSS
>>
>> Run Microsoft Exchange Server Best Practices Analyzer Today
>> http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx
>>
>> When responding to posts, please "Reply to Group" via your newsreader so
>> that others may learn and benefit from your issue.
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Mike" <mike008us@xxxxxxxxx> wrote in message
>> news:OQAdC$OVFHA.1796@xxxxxxxxxxxxxxxxxxxxxxx
>>> It's not a standard NDR. It doesn't appear to come from another mail
>>> server. If you open it you get the option to "send again". It lists
>>> all the people it tried to send to and depending on the server for the
>>> domains it sent to gives various "user unknown" or "account unknown"
>>> error messages.
>>>
>>> It's as if someone is replying from this mailbox, but no one is.
>>>
>>> Thanks,
>>> Mike
>>>
>>> "Matthew Byrd [MSFT]" <matbyrd@xxxxxxxxxxxxxxxxxxxx> wrote in message
>>> news:umtJqWNVFHA.3584@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Hi Mike,
>>>>
>>>> Is the subject "Undeliverable: Subject" but the message body look like
>>>> a real piece of email or does the message body look like an NDR? It is
>>>> possible that the Spammers are using the standard NDR subject line as a
>>>> way to get you to look at the email. Then you Email filtering software
>>>> detects it as spam and sends it to your Spam account.
>>>>
>>>> If the email is being generated by Exchange then it will be a standard
>>>> NDR in which case it will have an NDR code. That code will indicate
>>>> why the NDR was generated it will also indicate before the code what
>>>> server generated the NDR. This information can help you narrow down
>>>> where the message is coming from.
>>>>
>>>> Hope this Helps,
>>>> --
>>>> Matthew Byrd
>>>> Microsoft PSS
>>>>
>>>> Run Microsoft Exchange Server Best Practices Analyzer Today
>>>> http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx
>>>>
>>>> When responding to posts, please "Reply to Group" via your newsreader
>>>> so
>>>> that others may learn and benefit from your issue.
>>>>
>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>> rights.
>>>>
>>>>
>>>> "Mike" <mike008us@xxxxxxxxx> wrote in message
>>>> news:e6kJXSNVFHA.3432@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> Yes, but if they are coming from external mail servers, they're
>>>>> subjects would get modified by the 3rd party that scans the mail for
>>>>> spam. Also, I'd expect those "Undeliverable: subject" messages would
>>>>> be going to other users in the domain. Why would the only account
>>>>> that gets spoofed is the spam@xxxxxxxxxx? It's definitley not
>>>>> published anywhere. And wouldn't I be able to view a header on any
>>>>> message that came from an external mail server.
>>>>>
>>>>> The messages I'm referring to follow this format "Undeliverable:
>>>>> subject". When opened you cannot view the header(by clicking
>>>>> view>options). You can hit "send again", which indicates or seems
>>>>> like the Exchange server attempted delivery once. Is it possible for
>>>>> this type of message to be forged or spoofed and how could it only
>>>>> happen to one mailbox(spam@xxxxxxxxxx).
>>>>>
>>>>> Thanks,
>>>>> Mike
>>>>>
>>>>>
>>>>> "Matthew Byrd [MSFT]" <matbyrd@xxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>> news:OsHDJJNVFHA.3696@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> Hi Mike,
>>>>>>
>>>>>> I maybe that someone out there is spoofing your domain. Basically
>>>>>> they are sending spam email to other email users in the world using
>>>>>> your domain as an originating domain. There is nothing in the SMTP
>>>>>> protocol to prevent a user from doing this. So what you maybe seeing
>>>>>> is the NDRs that are being generated when these emails are bound for
>>>>>> non-existent users coming back to your domain as they are supposed
>>>>>> to. These are just another form of Spam and can be safely ignored.
>>>>>>
>>>>>> Hope this Helps,
>>>>>> --
>>>>>> Matthew Byrd
>>>>>> Microsoft PSS
>>>>>>
>>>>>> Run Microsoft Exchange Server Best Practices Analyzer Today
>>>>>> http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx
>>>>>>
>>>>>> When responding to posts, please "Reply to Group" via your newsreader
>>>>>> so
>>>>>> that others may learn and benefit from your issue.
>>>>>>
>>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>>> rights.
>>>>>>
>>>>>> "Mike" <mike008us@xxxxxxxxx> wrote in message
>>>>>> news:%23qfxfwMVFHA.612@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have an odd situation where I can't figure out where
>>>>>>> "Undeliverable" messages are being generated in a shared mailbox.
>>>>>>>
>>>>>>> My setup. A SBS 2003 server with a single domain, 3rd party service
>>>>>>> where all mail for domain is sent to and scanned for virus and
>>>>>>> spam(viruses are dropped, spam is forwarded to spam@xxxxxxxxxx),
>>>>>>> firewall only accepts SMTP from 3rd party then delivers to server.
>>>>>>> This is still working and had been working great up until a couple
>>>>>>> weeks ago when the amount of spam started increasing by an
>>>>>>> incredible multitude. While I don't care about the increased level
>>>>>>> of spam that's being forwarded through by 3rd party service, it
>>>>>>> could be related to this issue. An account on the server is setup
>>>>>>> with the name spam and the box is shared to 2 users, where 1 of them
>>>>>>> checks the spam box for legitimate email that got through.
>>>>>>>
>>>>>>> The issue exists in that spam box where now it's not just spam, but
>>>>>>> there are messages from "System Administraor" with subject
>>>>>>> "Undeliverable: whatever the subject is", with the option to send
>>>>>>> again and since it's not a delivered message there's no header. The
>>>>>>> person checking the spam is not replying, so how is it that it
>>>>>>> appears that there is a delivery failure?
>>>>>>>
>>>>>>> I've check the account spam and no auto-reply is setup. I also
>>>>>>> enabled a feature with the 3rd party to modify the subject on spam
>>>>>>> messages so I could make sure the "Undeliverables" were really being
>>>>>>> generated internally, and sure enought the "Undeliverables" do not
>>>>>>> have a modified subject. I thought a PC on the LAN may have spyware
>>>>>>> that's doing this, but how would the spyware know to send messages
>>>>>>> on behalf of their spam account, because no one else in the domain
>>>>>>> is getting the undeliverables in their boxes. I also don't see any
>>>>>>> of these messages being in the delayed SMTP queues.
>>>>>>>
>>>>>>> Please help!
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Mike
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
.
- References:
- Unexplain-able Undeliverable messages being generated
- From: Mike
- Re: Unexplain-able Undeliverable messages being generated
- From: Matthew Byrd [MSFT]
- Re: Unexplain-able Undeliverable messages being generated
- From: Mike
- Re: Unexplain-able Undeliverable messages being generated
- From: Matthew Byrd [MSFT]
- Re: Unexplain-able Undeliverable messages being generated
- From: Mike
- Re: Unexplain-able Undeliverable messages being generated
- From: Matthew Byrd [MSFT]
- Re: Unexplain-able Undeliverable messages being generated
- From: Mike
- Unexplain-able Undeliverable messages being generated
- Prev by Date: How do you feel about Microsoft's IMF? nt
- Next by Date: Re: NDR's Killing Exchange Server - Very Frustrating!
- Previous by thread: Re: Unexplain-able Undeliverable messages being generated
- Next by thread: Maximum number of Stores on a server
- Index(es):
Relevant Pages
|
