One Exchange user generating massive spam!

As mentioned we have a frontend OWA server connected to the backend Exchange server. We have one user who appears to be sending out thousands of emails a day (day 3).

____
2009-7-8 22:1:12 GMT 172.16.32.240 btboe-exchange1.ourdomain.org - BTBOE-OWA1 172.16.32.233 i***@abapolska.pl 1031 4D13D525F9077E438EA47FEF4548A063522***@btboe-exchange1.brickschools.org 0 0 2139 480 2009-7-6 18:28:19 GMT 0 Version: 6.0.3790.3959 - - jsh***@ourdomain.org -
_____

Anyway, I have deleted the AD user account, purged the mail account, and to no avail the mails keep on generating... How do I begin to figure out where these are coming from!? Why just this user? Meanwhile his email account (newly recreated) has thousands of NDR emails.

Any help is appreciated.
Regards.

Can you post the NDR? Does the user have AV software installed and up to date on his computer?

--
John Oliver, Jr
MCSE, MCT, CCNA
Exchange MVP 2009
Microsoft Certified Partner

"Rossel1" <Ross***@discussions.microsoft.com> wrote in message news:BAF53669-DE59-47FF-9550-2E739A7E2783@microsoft.com...
> As mentioned we have a frontend OWA server connected to the backend Exchange
> server. We have one user who appears to be sending out thousands of emails a
> day (day 3).
>
> ____
> 2009-7-8 22:1:12 GMT 172.16.32.240 btboe-exchange1.ourdomain.org - BTBOE-OWA1 172.16.32.233 i***@abapolska.pl 1031 4D13D525F9077E438EA47FEF4548A063522***@btboe-exchange1.brickschools.org 0 0 2139 480 2009-7-6 18:28:19 GMT 0 Version: 6.0.3790.3959 - - jsh***@ourdomain.org -
> _____
>
> Anyway, I have deleted the AD user account, purged the mail account, and to
> no avail the mails keep on generating... How do I begin to figure out where
> these are coming from!? Why just this user? Meanwhile his email account
> (newly recreated) has thousands of NDR emails.
>
> Any help is appreciated.
> Regards.

This is a message detail from one of the hundreds of emails gathering in the
mailroot\vs1\queue of the OWA server

~~~~~~~~~~~~
Received: from btboe-exchange1.mydomain.org ([172.16.32.240]) by
    btboe-owa1.mydomain.org with Microsoft SMTPSVC(6.0.3790.3959);
    Tue, 7 Jul 2009 12:09:05 -0400
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----_=_NextPart_001_01C9FF1D.3F96B360"
Subject: Loan Offer From Oxygen Loan Firm
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Tue, 7 Jul 2009 12:09:04 -0400
Message-ID: <4D13D525F9077E438EA47FEF4548A063522***@btboe-exchange1.mydomain.org
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Loan Offer From Oxygen Loan Firm
Thread-Index: Acn/HT9Y0aqnVUSCRBCdohI57JaIsg==
From: "Grl, Jason " <jg***@mydomain.org
Bcc:
Return-Path: j***@mydomain.ord
X-OriginalArrivalTime: 07 Jul 2009 16:09:05.0061 (UTC)
    FILETIME=[400EB550:01C9FF1D]

This is a multi-part message in MIME format.

------_=_NextPart_001_01C9FF1D.3F96B360
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Oxygen Loan Firm Nigeria Plc is offering all kinds of loans to =
individuals and companies=20
at an interest rate of 5% and a maximum duration of 10years. This offer =
gives you the=20
chance to start a good business, get a good home and payoff your bills. =
Interested=20
applicants should contact our loan processing officer; Mr. Mark Edema on =
o2lo***@aol.co.uk=20
for more information.
Regards,

Grhel Jason,
Info Dept.
Oxygen Loan Firm.
All response should be sent directly to: o2lo***@aol.co.uk
=20
~~~~~~~~~~~~~~~~~~~~

The NDR email is below (this is one of 12,750 and growing)

~~~~~~~~~~~~~~~~
Your message did not reach some or all of the intended recipients.

Subject: Apply for loan
Sent: 7/6/2009 2:19 PM

The following recipient(s) could not be reached:

viren***@emirates.net.ae on 7/8/2009 5:22 PM
The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
<btboe-owa1.mydomain.org #5.1.1 smtp;550 5.1.1 unknown or illegal alias: viren***@emirates.net.ae>

vonz***@emirates.net.ae on 7/8/2009 5:22 PM
The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
<btboe-owa1.mydomain.org #5.1.1 smtp;550 5.1.1 unknown or illegal alias: vonz***@emirates.net.ae>
~~~~~~~~~~~~~

The teacher reportedly has not been in the building. I called to his department and found that he shares a computer with others in his department and that the computer was not turned on.

Thoughts?

"John Oliver, Jr. [MVP]" wrote:
> Can you post the NDR? Does the user have AV software installed and up to date on his computer?
>
> --
> John Oliver, Jr
> MCSE, MCT, CCNA
> Exchange MVP 2009
> Microsoft Certified Partner

Do you have Recipient Filtering enabled?
Are you screening or filtering mail before it reaches your Exchange box for spam? Can you confirm through Message Tracking Center that the mail is actually originating inside your network? If someone is spoofing your user's mail address then your Exchange queues will fill with NDRs. This is why I am suggesting Recipient Filtering and SMTP Tarpitting. A hosted antispam filtering service would also eliminate this from happening.

--
John Oliver, Jr
MCSE, MCT, CCNA
Exchange MVP 2009
Microsoft Certified Partner
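An added example, not part of the original thread: one way to check the question raised in the last reply, whether the queued mail originates inside the network, is to classify each queued message by its Received chain. The 172.16.0.0/12 range, the sample messages, the teacher@mydomain.org address and the outside relay host are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Assumption: the address space your own servers and clients use.
INTERNAL_NETS = [ipaddress.ip_network("172.16.0.0/12")]
# "from host ([a.b.c.d])", the form Microsoft SMTPSVC writes in the thread's sample.
HOP = re.compile(r"from\s+(\S+)\s+\(\[([0-9.]+)\]\)")

def origin(raw):
    """Walk Received headers newest-first; stop at the first outside hop."""
    seen = False
    for header in message_from_string(raw).get_all("Received") or []:
        m = HOP.search(header)
        if m is None:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            return "external"  # anything below this hop is sender-controlled
        seen = True
    return "internal" if seen else "unknown"

def summarize(raw_messages):
    """Count messages per (origin, From address) to see who is affected."""
    counts = Counter()
    for raw in raw_messages:
        sender = parseaddr(message_from_string(raw).get("From", ""))[1].lower()
        counts[(origin(raw), sender)] += 1
    return counts

# Constructed samples: the first copies the hop layout of the queued message in
# the thread, the second adds an outside relay hop (documentation address).
TAIL = 'From: "Teacher" <teacher@mydomain.org>\nSubject: Loan Offer\n\nbody\n'
INTERNAL_SAMPLE = (
    "Received: from btboe-exchange1.mydomain.org ([172.16.32.240]) by\n"
    " btboe-owa1.mydomain.org with Microsoft SMTPSVC(6.0.3790.3959);\n"
    "\t Tue, 7 Jul 2009 12:09:05 -0400\n" + TAIL)
EXTERNAL_SAMPLE = (
    "Received: from btboe-owa1.mydomain.org ([172.16.32.233]) by\n"
    " btboe-exchange1.mydomain.org with Microsoft SMTPSVC(6.0.3790.3959);\n"
    "\t Tue, 7 Jul 2009 12:10:00 -0400\n"
    "Received: from mail.sender.example ([203.0.113.25]) by\n"
    " btboe-owa1.mydomain.org with Microsoft SMTPSVC(6.0.3790.3959);\n"
    "\t Tue, 7 Jul 2009 12:09:58 -0400\n" + TAIL)
```

An "internal" verdict only says that no outside SMTP hop was recorded. Mail composed through OWA arrives over HTTP and leaves no Received hop, so the web server logs on the OWA front end are the next place to look.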