Exchange 2003: Outbound Blank Sender Emails
Guest






Posted: Fri Dec 17, 2004 12:41 pm    Post subject: Exchange 2003: Outbound Blank Sender Emails

I have just noticed that I am getting a ton of emails trying to send
outbound that have blank FROM:<> fields going to random addresses.

It almost appears to be a virus of some sort... but I scanned all the
mail servers for viruses and they seem to have come up clean.

Here are a couple examples of what I am talking about... taken right
from my Bridgehead Exchange server log.


216.107.0.178 - OutboundConnectionResponse [17/Dec/2004:01:16:05 -0500]
"- -?220 aragorn.nni.com NO UCE ESMTP SMTP" 0 32
216.107.0.178 - OutboundConnectionCommand [17/Dec/2004:01:16:05 -0500]
"EHLO -?nyfe1.RuderFinn.com SMTP" 0 4
216.107.0.178 - OutboundConnectionResponse [17/Dec/2004:01:16:06 -0500]
"- -?250-aragorn.nni.com SMTP" 0 19
216.107.0.178 - OutboundConnectionCommand [17/Dec/2004:01:16:06 -0500]
"MAIL -?FROM:<> SIZE=21264 SMTP" 0 4
216.107.0.178 - OutboundConnectionResponse [17/Dec/2004:01:16:06 -0500]
"- -?250 Ok SMTP" 0 6
216.107.0.178 - OutboundConnectionCommand [17/Dec/2004:01:16:06 -0500]
"RCPT -?TO:<Cgtbzet@3rddoor.com> SMTP" 0 4
216.107.0.178 - OutboundConnectionResponse [17/Dec/2004:01:16:06 -0500]
"- -?450 <Cgtbzet@3rddoor.com>: Recipient address rejected:
undeliverable address: host 216.107.0.100[216.107.0.100] said: 550
Cgtbzet@3rddoor.com unknown user account (in reply to RCPT TO command)
SMTP" 0 192
216.107.0.178 - OutboundConnectionCommand [17/Dec/2004:01:16:06 -0500]
"RSET - SMTP" 0 4
216.107.0.178 - OutboundConnectionResponse [17/Dec/2004:01:16:06 -0500]
"- -?250 Ok SMTP" 0 6
216.107.0.178 - OutboundConnectionCommand [17/Dec/2004:01:16:06 -0500]
"QUIT - SMTP" 0 4
216.107.0.178 - OutboundConnectionResponse [17/Dec/2004:01:16:06 -0500]
"- -?221 Bye SMTP" 0 7



213.51.128.66 - OutboundConnectionResponse [17/Dec/2004:01:24:27 -0500]
"- -?220-mx7.home.nl ESMTP Fri, 17 Dec 2004 07:21:55 +0100 SMTP" 0 53
213.51.128.66 - OutboundConnectionCommand [17/Dec/2004:01:24:27 -0500]
"EHLO -?nyfe1.RuderFinn.com SMTP" 0 4
213.51.128.66 - OutboundConnectionResponse [17/Dec/2004:01:24:27 -0500]
"- -?250-mx7.home.nl Hello 67.105.233.60.ptr.us.xo.net [67.105.233.60]
SMTP" 0 65
213.51.128.66 - OutboundConnectionCommand [17/Dec/2004:01:24:27 -0500]
"MAIL -?FROM:<> SIZE=2665 SMTP" 0 4
213.51.128.66 - OutboundConnectionResponse [17/Dec/2004:01:24:28 -0500]
"- -?250 OK SMTP" 0 6
213.51.128.66 - OutboundConnectionCommand [17/Dec/2004:01:24:28 -0500]
"RCPT -?TO:<jackzh@home.nl> SMTP" 0 4
213.51.128.66 - OutboundConnectionResponse [17/Dec/2004:01:24:28 -0500]
"- -?550 sender/recipient blocked because of abuse. SMTP" 0 46
213.51.128.66 - OutboundConnectionCommand [17/Dec/2004:01:24:28 -0500]
"RSET - SMTP" 0 4
213.51.128.66 - OutboundConnectionResponse [17/Dec/2004:01:24:28 -0500]
"- -?250 Reset OK SMTP" 0 12
213.51.128.66 - OutboundConnectionCommand [17/Dec/2004:01:24:28 -0500]
"QUIT - SMTP" 0 4
213.51.128.66 - OutboundConnectionResponse [17/Dec/2004:01:24:28 -0500]
"- -?221 mx7.home.nl closing connection SMTP" 0 34



Does anyone know what would cause this? An even better question would
be does anyone know the best way to trace where these requests are
coming from?


Cheers!

Lanwench [MVP - Exchange]
Guest





Posted: Fri Dec 17, 2004 8:22 pm    Post subject: Re: Exchange 2003: Outbound Blank Sender Emails

djpill@ruderfinn.com wrote:
Quote:
I have just noticed that I am getting a ton of emails trying to send
outbound that have blank FROM:<> fields going to random addresses.


It almost appears to be a virus of some sort... but I scanned all the
mail servers for viruses and they seem to have come up clean.

That's your Exchange server sending NDRs to spammers, or delivery status
notifications....not a virus, not a relay. Normal behavior. If you're
getting a lot of spam, you should look into antispam software/services to
keep the stuff from coming in in the first place.
Quote:

Here are a couple examples of what I am talking about... taken right
from my Bridgehead Exchange server log.
snip


Does anyone know what would cause this? An even better question would
be does anyone know the best way to trace where these requests are
coming from?


Cheers!
Guest






Posted: Fri Dec 17, 2004 10:59 pm    Post subject: Re: Exchange 2003: Outbound Blank Sender Emails

Are you sure? I have never seen this happening before? Is there any
way to block exchange from sending out these emails that have no
sender... or have the FROM:<> sender field?

I tried to add that in Message Delivery properties... and applied the
filter in all my SMTP V servers... but they are still sending.


Also... let's say one of the examples I said was... it was sending out a
blank email from:<> and going to xyz@n0.pl

How come these emails have a blank sender... and not coming from
postmaster@ruderfinnny.com?

Lanwench [MVP - Exchange]
Guest





Posted: Fri Dec 17, 2004 11:54 pm    Post subject: Re: Exchange 2003: Outbound Blank Sender Emails

djpill@ruderfinn.com wrote:
Quote:
Are you sure? I have never seen this happening before? Is there any
way to block exchange from sending out these emails that have no
sender... or have the FROM:<> sender field?

This is totally normal behavior. <> is a null sender (nobody can reply to
it).
You don't want to stop Exchange from sending NDRs - mail servers are
supposed to send NDRs. If you get a lot of spam, combat it by stopping (most
of) it from coming in in the first place.

Quote:

I tried to add that in Message Delivery properties... and applied the
filter in all my SMTP V servers... but they are still sending.


Also... let's say one of the examples I said was... it was sending out
a blank email from:<> and going to xyz@n0.pl

Right. This is an NDR to a spammer.
Quote:

How come these emails have a blank sender... and not coming from
postmaster@ruderfinnny.com?

Because NDRs come from a null sender to prevent replies.
Guest






Posted: Sat Dec 18, 2004 2:01 pm    Post subject: Re: Exchange 2003: Outbound Blank Sender Emails

Yeah but the problem with this is... I don't see how these emails are
getting into my system in the first place. Let me get this straight
for a second. Correct me if I am wrong.

I wrote this because I am complaining about seeing email like FROM:<>
going outbound to say ZYX@n0.pl. (just an example).

Going by what you are saying... this is an NDR being sent out to
ZYX@n0.pl because ZYK@n0.pl decided to email my organization...
couldn't contact somebody... and this is the NDR going out? Say they
tried to contact ddd@ruderfinn.com and since there is no such user
ddd... they get the NDR.

My problem with this reasoning is... I already have an anti-spam setup
going that I didn't mention. I have a Computer Associates E-Trust mail
gateway that sits in front of the Exchange server. It's designed to not
necessarily do anti-spam... but every time it takes an INCOMING email...
it does an LDAP lookup in my directory to make sure the address was
valid.

So in this case... the way it's SUPPOSED to work is the address
ZYX@n0.pl tried to email ddd@ruderfinn.com... the CA server should have
NDRed the email right there after doing a failed LDAP lookup for user
DDD. I know LDAP checking is definitely working on the CA server cause
I can telnet in and verify it.

That's why I thought it was something internal that was causing this....
maybe a virus or a worm. I just don't see how this is possible with
this CA server in front doing LDAP verification.
Lanwench [MVP - Exchange]
Guest





Posted: Sat Dec 18, 2004 10:35 pm    Post subject: Re: Exchange 2003: Outbound Blank Sender Emails

djpill@ruderfinn.com wrote:
Quote:
Yeah but the problem with this is... I don't see how these emails are
getting into my system in the first place. Let me get this straight
for a second. Correct me if I am wrong.

I wrote this because I am complaining about seeing email like FROM:<>
going outbound to say ZYX@n0.pl. (just an example).

Going by what you are saying... this is an NDR being sent out to
ZYX@n0.pl because ZYK@n0.pl decided to email my organization...
couldn't contact somebody... and this is the NDR going out? Say they
tried to contact ddd@ruderfinn.com and since there is no such user
ddd... they get the NDR.

Yes.
Quote:

My problem with this reasoning is... I already have an anti-spam setup
going that I didn't mention. I have a Computer Associates E-Trust
mail gateway that sits in front of the Exchange server. It's designed
to not necessarily do anti-spam... but every time it takes an INCOMING
email... it does an LDAP lookup in my directory to make sure the
address was valid.

I'm not familiar with that product but if you're seeing your server send
NDRs, it's because it accepted mail and bounced it. They could be delivery
status notifications, too, but if you're seeing that many of them, it's
probably spam.
Quote:

So in this case... the way it's SUPPOSED to work is the address
ZYX@n0.pl

(probably faked)

Quote:
tried to email ddd@ruderfinn.com... the CA server should
have NDRed the email right there after doing a failed LDAP lookup for
user DDD. I know LDAP checking is definitely working on the CA
server cause I can telnet in and verify it.

That's why I thought it was something internal that was causing
this.... maybe a virus or a worm. I just don't see how this is
possible with this CA server in front doing LDAP verification.

I'm not sure either unless there's a configuration problem - but also
noticed that your domain's public DNS has some problems:
http://www.dnsreport.com/tools/dnsreport.ch?domain=ruderfinn.com
May not be related, though.

Your primary MX record points at the gateway server, but how are the other
three servers specified as additional MX records configured to send mail to
you?
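
Added example, not part of the thread: a Python sketch of the tracing the first post asks about, pulling every RCPT issued under MAIL FROM:<> out of a log in the format quoted above, together with the remote server's reply code. The sample records and the function names are constructed for illustration, and sessions to one remote IP are assumed not to interleave.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the thread (documentation
# addresses, not taken from it); records wrap across lines as they do there.
SAMPLE_LOG = '''\
192.0.2.10 - OutboundConnectionCommand [17/Dec/2004:01:16:06 -0500]
"MAIL -?FROM:<> SIZE=21264 SMTP" 0 4
192.0.2.10 - OutboundConnectionResponse [17/Dec/2004:01:16:06 -0500]
"- -?250 Ok SMTP" 0 6
192.0.2.10 - OutboundConnectionCommand [17/Dec/2004:01:16:06 -0500]
"RCPT -?TO:<nobody@example.net> SMTP" 0 4
192.0.2.10 - OutboundConnectionResponse [17/Dec/2004:01:16:06 -0500]
"- -?450 <nobody@example.net>: Recipient address rejected:
unknown user SMTP" 0 60
198.51.100.7 - OutboundConnectionCommand [17/Dec/2004:01:20:00 -0500]
"MAIL -?FROM:<user@example.com> SIZE=900 SMTP" 0 4
198.51.100.7 - OutboundConnectionCommand [17/Dec/2004:01:20:00 -0500]
"RCPT -?TO:<friend@example.org> SMTP" 0 4
'''

ENTRY = re.compile(r'(\S+) - OutboundConnection(Command|Response)\s+'
                   r'\[([^\]]+)\]\s+"([^"]*)"\s+\d+\s+\d+')

def null_sender_rcpts(log_text):
    """One record per RCPT sent under MAIL FROM:<> (an NDR/DSN going out)."""
    sender, pending, records = {}, {}, []    # all keyed by remote IP
    for remote, kind, when, field in ENTRY.findall(log_text):
        verb, _, rest = " ".join(field.split()).partition(" ")  # unwrap
        rest = rest.lstrip("-?")             # drop the "-?" / "-" separator
        if kind == "Response":
            if remote in pending:            # reply to the RCPT just sent
                pending.pop(remote)["reply"] = rest[:3]
        elif verb == "MAIL":
            m = re.match(r"FROM:<([^>]*)>", rest, re.I)
            sender[remote] = m.group(1) if m else None
        elif verb == "RCPT" and sender.get(remote) == "":
            m = re.match(r"TO:<([^>]*)>", rest, re.I)
            rec = {"remote": remote, "time": when, "reply": None,
                   "rcpt": m.group(1) if m else rest}
            records.append(rec)
            pending[remote] = rec
        elif verb in ("RSET", "QUIT"):
            sender.pop(remote, None)
    return records

def rcpt_domains(records):
    """Count bounce recipients per domain to see where the NDRs are going."""
    return Counter(r["rcpt"].rsplit("@", 1)[-1].lower() for r in records)
```

Matching the timestamps of these records against the inbound log for the same period shows which host accepted the original messages that are now being bounced.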