Re: Strange email deliveries




In news:BB8A7AE1-AA14-4899-BDAB-EF4239D146BB@xxxxxxxxxxxxx,
Workwithcisco <Workwithcisco@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
Looks like you confirmed what my suspicions were. I do have ScanMail
setup to delete the entire message and send me (administrator) a
message saying email virus found and deleted.

I personally don't have it do that - I don't want to read all that junk. I'm
just happy ScanMail gets rid of it.

I think these are
coming from the POP3 and bypassing the ScanMail. I disabled POP3 and
only use it when we lose total internet access here like we did
yesterday when the power went out longer than the UPS's could keep
the switches and routers up. The server OTOH stayed up over an hour
on the UPS!

Wowza.

Re the POP3 for backup - you don't absolutely have to do things that way,
you know. You could have a secondary (higher-cost) MX record set up for
someone else's server to do store'n'forward for you - to queue/spool the
mail, automatically retrying delivery to your primary MX record for X days
(usually 5).

I have a pretty good idea where the spoofed emails are happening,
would like to find out who is doing it, but I know where the
information was obtained! Will need to make some changes to how we do
the secondary MX.

Best o' luck.

"Lanwench [MVP - Exchange]" wrote:

In news:4D460112-CC27-4F2D-B405-EAAD230E82F6@xxxxxxxxxxxxx,
Workwithcisco <Workwithcisco@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
Recently we have been getting a lot of spam past the Trend Micro
Spam filters, looks like they found new ways to spam! :(

Yes, it's been awful lately.

I myself don't get
them, but a few others in the company do. What I get is some
delivery failure notices with attachments.
here is an attachment;

Small Business Server has removed potentially unsafe e-mail
attachment(s) from this message:
name@xxxxxxxxxx


Because computer viruses are commonly spread through files attached
to e-mail messages, certain types of files will not be delivered to
your mailbox. For more information, contact the person responsible
for your network.

This was a virus. I tend to use ScanMail's attachment blocking
feature rather than the built-in one in SBS. ScanMail (presuming
you're using Trend's suite!) should be configured to delete/drop
messages in which it found viruses, and not just strip out the
attachment and deliver the message.


<virus junk snipped>


Finally here is the last one that is really puzzling me, it is not
from the exchange server, but appears to be from a sendmail server.

RETURNED MAIL: SEE TRANSCRIPT FOR DETAILS
Mail Delivery Subsystem [MAILER-DAEMON@xxxxxxxxxx]

This message was undeliverable due to the following reason(s):

Your message could not be delivered because the destination computer
was not reachable within the allowed queue period. The amount of
time a message is queued before it is returned depends on local
configuration parameters.

Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.

Your message was not delivered within 3 days:
Host 10.100.150.150 is not responding.

The following recipients could not receive this message:
<name@xxxxxxxxxx>

Please reply to postmaster@xxxxxxxxxxxxx if you feel this message to
be in error.

Someone spoofed your address as the sender of a message. It most
likely didn't come from your network at all....viruses spoof
senders, and spammers do, too. You can't do anything about that,
unfortunately.....the innocent get NDRs.




I ran scans on my laptop, the only machine I use to send email from
and it came up clean, port scans did not show anything abnormal, and
when I checked our domain at dnsstuff.com, it came back clean as
well. Is there a way to track these down on the exchange server
itself to find out where they are originating from?

just as an FYI, we have a vmail server with another ISP that has
identical addresses in the event the exchange server goes down, or
offline so we don't lose email. We retrieve them using the POP3
connector. We lost power yesterday and lost the T1, so the vmail
failed over. I re-enabled POP3 to retrieve emails and I think these
are coming in from the vmail server, but I need to make sure.

Not sure whether ScanMail can act properly with mail received via
the POP connector, as it's coming in & before it's being delivered
to mailboxes....I think not.
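The question of whether those NDRs came in through the vmail/POP3 path or straight to the Exchange server can be settled from the Received: headers of each message rather than by guessing. The following Python script is an added example, not code from this thread or from Trend Micro or Microsoft: it walks the Received: chain oldest-first, reports which host handed the message to our server, whether the backup store-and-forward host appears anywhere in the path, and whether an inbound message that uses our own domain as sender actually originated outside our address space (the spoofing pattern behind the backscatter NDRs described above). The host names, the netblock and the three sample messages are constructed placeholders; substitute the real SBS host, the backup MX and the organization's public netblock. Note that an NDR's own Received: chain only shows where the bounce came from; the path of the original spoofed message is visible only if the bouncing server included its headers.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Hypothetical names for this example: replace with the real SBS host, the
# backup store-and-forward host at the other ISP, the public netblock the
# organization sends from, and its mail domain.
OUR_SMTP_HOSTS = {"sbs.example.com"}
BACKUP_MX_HOSTS = {"vmail.backup-isp.example"}
OUR_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed (TEST-NET-3)
OUR_DOMAIN = "example.com"

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_received(raw_message):
    """Return the Received: hops oldest-first as (from_host, from_ip, by_host).

    Each relay prepends its own Received: header, so header order is
    newest-first; reversing it gives the path the message actually took.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        from_m = FROM_RE.match(text)
        ip_m = IP_RE.search(text)       # first bracketed IP belongs to the 'from' clause
        by_m = BY_RE.search(text)
        hops.append((
            from_m.group(1).lower() if from_m else None,
            ip_m.group(1) if ip_m else None,
            by_m.group(1).lower().rstrip(";") if by_m else None,
        ))
    hops.reverse()
    return hops


def analyse(raw_message):
    """Summarise where a message entered our server and whether it looks spoofed."""
    msg = email.message_from_string(raw_message)
    hops = parse_received(raw_message)
    origin_ip = next((ip for _, ip, _ in hops if ip), None)
    via_backup = any(f in BACKUP_MX_HOSTS or b in BACKUP_MX_HOSTS for f, _, b in hops)
    # The hop received by one of our own hosts tells us who delivered it to us.
    handed_off_by = next((f for f, _, b in reversed(hops) if b in OUR_SMTP_HOSTS), None)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    from_inside = origin_ip is not None and any(
        ipaddress.ip_address(origin_ip) in net for net in OUR_NETBLOCKS)
    return {
        "origin_ip": origin_ip,
        "handed_off_by": handed_off_by,
        "via_backup_mx": via_backup,
        # Our own domain as sender, but the first hop is outside our netblock:
        # that is a spoofed sender, not mail from our network.
        "claims_our_domain_from_outside": sender_domain == OUR_DOMAIN and not from_inside,
    }


# Constructed sample messages (not real traffic). The first NDR arrived via
# the backup host, the second came straight to our server, the third is an
# inbound message forging our own domain as its sender.
SAMPLE_VIA_BACKUP = """\
Received: from vmail.backup-isp.example (vmail.backup-isp.example [192.0.2.10])
    by sbs.example.com with ESMTP id abc123 for <name@example.com>
Received: from mail.remote-isp.example (mail.remote-isp.example [198.51.100.7])
    by vmail.backup-isp.example with ESMTP id def456
From: Mail Delivery Subsystem <MAILER-DAEMON@remote-isp.example>
To: name@example.com
Subject: Returned mail: see transcript for details

Your message was not delivered within 3 days.
"""

SAMPLE_DIRECT = """\
Received: from mail.remote-isp.example (mail.remote-isp.example [198.51.100.7])
    by sbs.example.com with ESMTP id ghi789 for <name@example.com>
From: Mail Delivery Subsystem <MAILER-DAEMON@remote-isp.example>
To: name@example.com
Subject: Returned mail: see transcript for details

Your message was not delivered within 3 days.
"""

SAMPLE_SPOOF = """\
Received: from mail.remote-isp.example (mail.remote-isp.example [198.51.100.7])
    by sbs.example.com with ESMTP id jkl012 for <other@example.com>
From: Someone <name@example.com>
To: other@example.com
Subject: hello

spoofed sender
"""

if __name__ == "__main__":
    for label, sample in (("via backup", SAMPLE_VIA_BACKUP),
                          ("direct", SAMPLE_DIRECT),
                          ("spoof", SAMPLE_SPOOF)):
        print(label, analyse(sample))
```

Run it against a message saved from the administrator mailbox as a .eml file (read the file and pass its contents to analyse); a message whose path contains the backup host but whose origin is an outside IP was queued there and picked up by the POP3 connector, which is exactly the path that never passes through ScanMail's SMTP-time checks.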


