"chris aldrich" <chrisaldr***@discussions.microsoft.com> wrote in message
news:2ED0810E-2B49-4F39-8FF3-265576DD6F88@microsoft.com...
>I have been receiving a lot of system administrator undeliverable reports
>and
> a lot of NDR from external email accounts.
>
> The system admin NDRsare to email addresses that I have not sent email to
> (I
> am the only user on my SMS 2003 server exchange) and the external NDRsshow
> that the emails were sent with from addresses that I dont use. These send
> addresses are seemingly random. I receive these external NDRs as I have a
> catch all for my email account.
>
> I have checked that my SMTP server is not open.
>
> If I stop exchange and collect email without it I do not get any NDRs at
> all. Does this mean that I have a virus that is sending these emails? If
> it
> was someone using spoofing my email account surely I would still get NDRs
> even if I wasnt receiving through exchange?
>
> I have anti-virus on my SBS 2003 server.
>
> I have read other posts on this subject but none of them seem to answer my
> question - why is this happening?
>
> Here are a couple of reports and headers
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from mail pickup service by poweredge1400.mydomain.local with
> Microsoft SMTPSVC; Sun, 14 May 2006 16:46:05 +0100
> thread-index: AcZ3bYLPV+kdm0SrRVmnEGIbszAxBg==
> Return-Path:
> Cc:
> Delivered-To: ch***@mydomain.com
> X-Spam-Checker-Version: Matrix Spam Checker 1.5 (2) on
> spambackend26.livemail.co.uk
> X-Spam-Level:
> X-Spam-Status: No, score=0.0 required=1.0 tests=none autolearn=disabled
> version=1.5
> Message-ID: <000001c6776d$82e00d60$8c00a8c0@mydomain.local>
> Content-Transfer-Encoding: 7bit
> Date: Sun, 14 May 2006 16:46:05 +0100
> From: "Mail Delivery Subsystem" <MAILER-DAE***@aol.com>
> X-Mailer: Microsoft CDO for Exchange 2000
> To: <f**@mydomain.com>
> MIME-Version: 1.0
> Content-Type: multipart/report;
> report-type=delivery-status;
> boundary="LAA08900.1147621820/rly-xl06.mx.aol.com"
> Subject: Returned mail: User unknown
> Auto-Submitted: auto-generated (failure)
> X-AOL-IP: 172.20.83.55
> X-Original-To: f**@mydomain.com
> Content-Class: urn:content-classes:message
> Importance: normal
> Priority: normal
> X-AntiVirus: checked by Vexira MailArmor
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
> X-OriginalArrivalTime: 14 May 2006 15:46:05.0906 (UTC)
> FILETIME=[82F7DB20:01C6776D]
>
> --LAA08900.1147621820/rly-xl06.mx.aol.com
> Content-Type: text/plain;
> charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
>
> --LAA08900.1147621820/rly-xl06.mx.aol.com
> Content-Transfer-Encoding: 7bit
> Content-Type: message/delivery-status
>
> --LAA08900.1147621820/rly-xl06.mx.aol.com
> Content-Transfer-Encoding: 7bit
> Content-Type: text/rfc822-headers;
> charset="iso-8859-1"
>
>
> --LAA08900.1147621820/rly-xl06.mx.aol.com--
>
> #####################################################
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from mail pickup service by poweredge1400.mydomain.local with
> Microsoft SMTPSVC; Mon, 15 May 2006 14:15:46 +0100
> thread-index: AcZ4Iaz1kROOrE0PSnqo8cXRNkPIZg==
> Return-Path:
> Cc:
> Delivered-To: ch***@mydomain.com
> X-Spam-Checker-Version: Matrix Spam Checker 1.5 (2) on
> spambackend26.livemail.co.uk
> X-Spam-Level:
> X-Spam-Status: No, score=0.0 required=1.0 tests=none autolearn=disabled
> version=1.5
> Message-ID: <000001c67821$ad192d00$8c00a8c0@mydomain.local>
> Content-Transfer-Encoding: 7bit
> Date: Mon, 15 May 2006 14:15:45 +0100
> From: "Mail Delivery Subsystem" <MAILER-DAE***@express.cites.uiuc.edu>
> X-Mailer: Microsoft CDO for Exchange 2000
> To: <c***@mydomain.com>
> MIME-Version: 1.0
> Content-Type: multipart/report;
> report-type=delivery-status;
> boundary="BYB27129.1147699190/expms1.cites.uiuc.edu"
> Subject: Warning: could not send message for past 12 hours
> Auto-Submitted: auto-generated (warning-timeout)
> X-Original-To: c***@mydomain.com
> Content-Class: urn:content-classes:message
> Importance: normal
> Priority: normal
> X-AntiVirus: checked by Vexira MailArmor
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
> X-OriginalArrivalTime: 15 May 2006 13:15:46.0062 (UTC)
> FILETIME=[AD22A2E0:01C67821]
>
> --BYB27129.1147699190/expms1.cites.uiuc.edu
> Content-Type: text/plain;
> charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
>
> --BYB27129.1147699190/expms1.cites.uiuc.edu
> Content-Transfer-Encoding: 7bit
> Content-Type: message/delivery-status
>
> --BYB27129.1147699190/expms1.cites.uiuc.edu
> Content-Transfer-Encoding: 7bit
> Content-Type: message/rfc822
>
> Return-Path: <c***@mydomain.com>
> Received: from relay7.cso.uiuc.edu (relay7.cso.uiuc.edu [128.174.5.108])
> by expms1.cites.uiuc.edu (MOS 3.4.8-GR)
> with ESMTP id BYA71319;
> Sun, 14 May 2006 20:14:05 -0500 (CDT)
> Received: from 65-100-121-11.albq.qwest.net (65-100-121-11.albq.qwest.net
> [65.100.121.11])
> by relay7.cso.uiuc.edu (8.13.6/8.13.6) with SMTP id k4F1DxO1005567
> for <jk***@uiuc.edu>; Sun, 14 May 2006 20:14:00 -0500 (CDT)
> Received: from [65.100.104.143] (helo=rzgj)
> by 65-100-121-11.albq.qwest.net with smtp (Exim 4.43)
> id 1FfRgq-0005Ll-2W; Sun, 14 May 2006 19:16:04 -0600
> Message-ID: <001101c677bc$d63963e5$8f686441@rzgj>
> From: "Amabel Sinclair" <c***@mydomain.com>
> To: <jk***@uiuc.edu>
> Subject: basics anarchy
> Date: Sun, 14 May 2006 19:07:17 -0600
> MIME-Version: 1.0
> Content-Type: multipart/related;
> type="multipart/alternative";
> boundary="----=_NextPart_000_000D_01C6778A.8B9EF361"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2800.1441
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
> X-Spam-Score: 98
> X-Spam-Details: rule=tag_spam policy=tag score=98 mlx=98 adultscore=4
> adjust=0 engine=2.5.0-06042601 definitions=3.0.0-06051419
> X-Spam-Flag: YES
> X-Spam-OrigSender: c***@mydomain.com
>
>
> --BYB27129.1147699190/expms1.cites.uiuc.edu-
>
>

"John Oliver, Jr. [MVP]" wrote:

> Its most likely Spammers that are performing dictionary attacks on your
> domain.  I have two suggestions to help curb this,
>
> Enable Connection Filtering,
> http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TransnRouting/4aa4b87f-ff18-4667-89f3-1791cfc0f396.mspx?mfr=true
>
> Enable Recipient Filtering with SMTP Tarpit,
> http://www.amset.info/exchange/filter-unknown.asp
> http://support.microsoft.com/?kbid=842851
>
> --
> John Oliver, Jr
> MCSE, MCT, CCNA
> Exchange MVP 2006
> Microsoft Certified Partner
>
> "chris aldrich" <chrisaldr***@discussions.microsoft.com> wrote in message
> news:2ED0810E-2B49-4F39-8FF3-265576DD6F88@microsoft.com...
> >I have been receiving a lot of system administrator undeliverable reports
> >and
> > a lot of NDR from external email accounts.
> >
> > The system admin NDRsare to email addresses that I have not sent email to
> > (I
> > am the only user on my SMS 2003 server exchange) and the external NDRsshow
> > that the emails were sent with from addresses that I dont use. These send
> > addresses are seemingly random. I receive these external NDRs as I have a
> > catch all for my email account.
> >
> > I have checked that my SMTP server is not open.
> >
> > If I stop exchange and collect email without it I do not get any NDRs at
> > all. Does this mean that I have a virus that is sending these emails? If
> > it
> > was someone using spoofing my email account surely I would still get NDRs
> > even if I wasnt receiving through exchange?
> >
> > I have anti-virus on my SBS 2003 server.
> >
> > I have read other posts on this subject but none of them seem to answer my
> > question - why is this happening?
> >
> > Here are a couple of reports and headers
> >
> > Microsoft Mail Internet Headers Version 2.0
> > Received: from mail pickup service by poweredge1400.mydomain.local with
> > Microsoft SMTPSVC; Sun, 14 May 2006 16:46:05 +0100
> > thread-index: AcZ3bYLPV+kdm0SrRVmnEGIbszAxBg==
> > Return-Path:
> > Cc:
> > Delivered-To: ch***@mydomain.com
> > X-Spam-Checker-Version: Matrix Spam Checker 1.5 (2) on
> > spambackend26.livemail.co.uk
> > X-Spam-Level:
> > X-Spam-Status: No, score=0.0 required=1.0 tests=none autolearn=disabled
> > version=1.5
> > Message-ID: <000001c6776d$82e00d60$8c00a8c0@mydomain.local>
> > Content-Transfer-Encoding: 7bit
> > Date: Sun, 14 May 2006 16:46:05 +0100
> > From: "Mail Delivery Subsystem" <MAILER-DAE***@aol.com>
> > X-Mailer: Microsoft CDO for Exchange 2000
> > To: <f**@mydomain.com>
> > MIME-Version: 1.0
> > Content-Type: multipart/report;
> > report-type=delivery-status;
> > boundary="LAA08900.1147621820/rly-xl06.mx.aol.com"
> > Subject: Returned mail: User unknown
> > Auto-Submitted: auto-generated (failure)
> > X-AOL-IP: 172.20.83.55
> > X-Original-To: f**@mydomain.com
> > Content-Class: urn:content-classes:message
> > Importance: normal
> > Priority: normal
> > X-AntiVirus: checked by Vexira MailArmor
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
> > X-OriginalArrivalTime: 14 May 2006 15:46:05.0906 (UTC)
> > FILETIME=[82F7DB20:01C6776D]
> >
> > --LAA08900.1147621820/rly-xl06.mx.aol.com
> > Content-Type: text/plain;
> > charset="iso-8859-1"
> > Content-Transfer-Encoding: 7bit
> >
> > --LAA08900.1147621820/rly-xl06.mx.aol.com
> > Content-Transfer-Encoding: 7bit
> > Content-Type: message/delivery-status
> >
> > --LAA08900.1147621820/rly-xl06.mx.aol.com
> > Content-Transfer-Encoding: 7bit
> > Content-Type: text/rfc822-headers;
> > charset="iso-8859-1"
> >
> >
> > --LAA08900.1147621820/rly-xl06.mx.aol.com--
> >
> > #####################################################
> >
> > Microsoft Mail Internet Headers Version 2.0
> > Received: from mail pickup service by poweredge1400.mydomain.local with
> > Microsoft SMTPSVC; Mon, 15 May 2006 14:15:46 +0100
> > thread-index: AcZ4Iaz1kROOrE0PSnqo8cXRNkPIZg==
> > Return-Path:
> > Cc:
> > Delivered-To: ch***@mydomain.com
> > X-Spam-Checker-Version: Matrix Spam Checker 1.5 (2) on
> > spambackend26.livemail.co.uk
> > X-Spam-Level:
> > X-Spam-Status: No, score=0.0 required=1.0 tests=none autolearn=disabled
> > version=1.5
> > Message-ID: <000001c67821$ad192d00$8c00a8c0@mydomain.local>
> > Content-Transfer-Encoding: 7bit
> > Date: Mon, 15 May 2006 14:15:45 +0100
> > From: "Mail Delivery Subsystem" <MAILER-DAE***@express.cites.uiuc.edu>
> > X-Mailer: Microsoft CDO for Exchange 2000
> > To: <c***@mydomain.com>
> > MIME-Version: 1.0
> > Content-Type: multipart/report;
> > report-type=delivery-status;
> > boundary="BYB27129.1147699190/expms1.cites.uiuc.edu"
> > Subject: Warning: could not send message for past 12 hours
> > Auto-Submitted: auto-generated (warning-timeout)
> > X-Original-To: c***@mydomain.com
> > Content-Class: urn:content-classes:message
> > Importance: normal
> > Priority: normal
> > X-AntiVirus: checked by Vexira MailArmor
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
> > X-OriginalArrivalTime: 15 May 2006 13:15:46.0062 (UTC)
> > FILETIME=[AD22A2E0:01C67821]
> >
> > --BYB27129.1147699190/expms1.cites.uiuc.edu
> > Content-Type: text/plain;
> > charset="iso-8859-1"
> > Content-Transfer-Encoding: 7bit
> >
> > --BYB27129.1147699190/expms1.cites.uiuc.edu
> > Content-Transfer-Encoding: 7bit
> > Content-Type: message/delivery-status
> >
> > --BYB27129.1147699190/expms1.cites.uiuc.edu
> > Content-Transfer-Encoding: 7bit
> > Content-Type: message/rfc822
> >
> > Return-Path: <c***@mydomain.com>
> > Received: from relay7.cso.uiuc.edu (relay7.cso.uiuc.edu [128.174.5.108])
> > by expms1.cites.uiuc.edu (MOS 3.4.8-GR)
> > with ESMTP id BYA71319;
> > Sun, 14 May 2006 20:14:05 -0500 (CDT)
> > Received: from 65-100-121-11.albq.qwest.net (65-100-121-11.albq.qwest.net
> > [65.100.121.11])
> > by relay7.cso.uiuc.edu (8.13.6/8.13.6) with SMTP id k4F1DxO1005567
> > for <jk***@uiuc.edu>; Sun, 14 May 2006 20:14:00 -0500 (CDT)
> > Received: from [65.100.104.143] (helo=rzgj)
> > by 65-100-121-11.albq.qwest.net with smtp (Exim 4.43)
> > id 1FfRgq-0005Ll-2W; Sun, 14 May 2006 19:16:04 -0600
> > Message-ID: <001101c677bc$d63963e5$8f686441@rzgj>
> > From: "Amabel Sinclair" <c***@mydomain.com>
> > To: <jk***@uiuc.edu>
> > Subject: basics anarchy
> > Date: Sun, 14 May 2006 19:07:17 -0600
> > MIME-Version: 1.0
> > Content-Type: multipart/related;
> > type="multipart/alternative";
> > boundary="----=_NextPart_000_000D_01C6778A.8B9EF361"
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Mailer: Microsoft Outlook Express 6.00.2800.1441
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
> > X-Spam-Score: 98
> > X-Spam-Details: rule=tag_spam policy=tag score=98 mlx=98 adultscore=4
> > adjust=0 engine=2.5.0-06042601 definitions=3.0.0-06051419
> > X-Spam-Flag: YES
> > X-Spam-OrigSender: c***@mydomain.com
> >
> >
> > --BYB27129.1147699190/expms1.cites.uiuc.edu-
> >
> >
>
>
>

"chris aldrich" <chrisaldr***@discussions.microsoft.com> wrote in message
news:13CE72F1-B4F4-41FC-91D9-BD1539F13292@microsoft.com...
> Thanks for your suggestions John. I will read through both the links you
> provided.
>
> Can you explain to me how spammers performing dictionary attacks on my
> domain show up as NDRs when I use Exchange to send and receive my email
> but
> not when I collect my email via outlook?
>
> Regards Chris
>
> "John Oliver, Jr. [MVP]" wrote:
>
>> Its most likely Spammers that are performing dictionary attacks on your
>> domain.  I have two suggestions to help curb this,
>>
>> Enable Connection Filtering,
>> http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TransnRouting/4aa4b87f-ff18-4667-89f3-1791cfc0f396.mspx?mfr=true
>>
>> Enable Recipient Filtering with SMTP Tarpit,
>> http://www.amset.info/exchange/filter-unknown.asp
>> http://support.microsoft.com/?kbid=842851
>>
>> --
>> John Oliver, Jr
>> MCSE, MCT, CCNA
>> Exchange MVP 2006
>> Microsoft Certified Partner
>>
>> "chris aldrich" <chrisaldr***@discussions.microsoft.com> wrote in message
>> news:2ED0810E-2B49-4F39-8FF3-265576DD6F88@microsoft.com...
>> >I have been receiving a lot of system administrator undeliverable
>> >reports
>> >and
>> > a lot of NDR from external email accounts.
>> >
>> > The system admin NDRsare to email addresses that I have not sent email
>> > to
>> > (I
>> > am the only user on my SMS 2003 server exchange) and the external
>> > NDRsshow
>> > that the emails were sent with from addresses that I dont use. These
>> > send
>> > addresses are seemingly random. I receive these external NDRs as I have
>> > a
>> > catch all for my email account.
>> >
>> > I have checked that my SMTP server is not open.
>> >
>> > If I stop exchange and collect email without it I do not get any NDRs
>> > at
>> > all. Does this mean that I have a virus that is sending these emails?
>> > If
>> > it
>> > was someone using spoofing my email account surely I would still get
>> > NDRs
>> > even if I wasnt receiving through exchange?
>> >
>> > I have anti-virus on my SBS 2003 server.
>> >
>> > I have read other posts on this subject but none of them seem to answer
>> > my
>> > question - why is this happening?
>> >
>> > Here are a couple of reports and headers
>> >
>> > Microsoft Mail Internet Headers Version 2.0
>> > Received: from mail pickup service by poweredge1400.mydomain.local with
>> > Microsoft SMTPSVC; Sun, 14 May 2006 16:46:05 +0100
>> > thread-index: AcZ3bYLPV+kdm0SrRVmnEGIbszAxBg==
>> > Return-Path:
>> > Cc:
>> > Delivered-To: ch***@mydomain.com
>> > X-Spam-Checker-Version: Matrix Spam Checker 1.5 (2) on
>> > spambackend26.livemail.co.uk
>> > X-Spam-Level:
>> > X-Spam-Status: No, score=0.0 required=1.0 tests=none autolearn=disabled
>> > version=1.5
>> > Message-ID: <000001c6776d$82e00d60$8c00a8c0@mydomain.local>
>> > Content-Transfer-Encoding: 7bit
>> > Date: Sun, 14 May 2006 16:46:05 +0100
>> > From: "Mail Delivery Subsystem" <MAILER-DAE***@aol.com>
>> > X-Mailer: Microsoft CDO for Exchange 2000
>> > To: <f**@mydomain.com>
>> > MIME-Version: 1.0
>> > Content-Type: multipart/report;
>> > report-type=delivery-status;
>> > boundary="LAA08900.1147621820/rly-xl06.mx.aol.com"
>> > Subject: Returned mail: User unknown
>> > Auto-Submitted: auto-generated (failure)
>> > X-AOL-IP: 172.20.83.55
>> > X-Original-To: f**@mydomain.com
>> > Content-Class: urn:content-classes:message
>> > Importance: normal
>> > Priority: normal
>> > X-AntiVirus: checked by Vexira MailArmor
>> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
>> > X-OriginalArrivalTime: 14 May 2006 15:46:05.0906 (UTC)
>> > FILETIME=[82F7DB20:01C6776D]
>> >
>> > --LAA08900.1147621820/rly-xl06.mx.aol.com
>> > Content-Type: text/plain;
>> > charset="iso-8859-1"
>> > Content-Transfer-Encoding: 7bit
>> >
>> > --LAA08900.1147621820/rly-xl06.mx.aol.com
>> > Content-Transfer-Encoding: 7bit
>> > Content-Type: message/delivery-status
>> >
>> > --LAA08900.1147621820/rly-xl06.mx.aol.com
>> > Content-Transfer-Encoding: 7bit
>> > Content-Type: text/rfc822-headers;
>> > charset="iso-8859-1"
>> >
>> >
>> > --LAA08900.1147621820/rly-xl06.mx.aol.com--
>> >
>> > #####################################################
>> >
>> > Microsoft Mail Internet Headers Version 2.0
>> > Received: from mail pickup service by poweredge1400.mydomain.local with
>> > Microsoft SMTPSVC; Mon, 15 May 2006 14:15:46 +0100
>> > thread-index: AcZ4Iaz1kROOrE0PSnqo8cXRNkPIZg==
>> > Return-Path:
>> > Cc:
>> > Delivered-To: ch***@mydomain.com
>> > X-Spam-Checker-Version: Matrix Spam Checker 1.5 (2) on
>> > spambackend26.livemail.co.uk
>> > X-Spam-Level:
>> > X-Spam-Status: No, score=0.0 required=1.0 tests=none autolearn=disabled
>> > version=1.5
>> > Message-ID: <000001c67821$ad192d00$8c00a8c0@mydomain.local>
>> > Content-Transfer-Encoding: 7bit
>> > Date: Mon, 15 May 2006 14:15:45 +0100
>> > From: "Mail Delivery Subsystem" <MAILER-DAE***@express.cites.uiuc.edu>
>> > X-Mailer: Microsoft CDO for Exchange 2000
>> > To: <c***@mydomain.com>
>> > MIME-Version: 1.0
>> > Content-Type: multipart/report;
>> > report-type=delivery-status;
>> > boundary="BYB27129.1147699190/expms1.cites.uiuc.edu"
>> > Subject: Warning: could not send message for past 12 hours
>> > Auto-Submitted: auto-generated (warning-timeout)
>> > X-Original-To: c***@mydomain.com
>> > Content-Class: urn:content-classes:message
>> > Importance: normal
>> > Priority: normal
>> > X-AntiVirus: checked by Vexira MailArmor
>> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
>> > X-OriginalArrivalTime: 15 May 2006 13:15:46.0062 (UTC)
>> > FILETIME=[AD22A2E0:01C67821]
>> >
>> > --BYB27129.1147699190/expms1.cites.uiuc.edu
>> > Content-Type: text/plain;
>> > charset="iso-8859-1"
>> > Content-Transfer-Encoding: 7bit
>> >
>> > --BYB27129.1147699190/expms1.cites.uiuc.edu
>> > Content-Transfer-Encoding: 7bit
>> > Content-Type: message/delivery-status
>> >
>> > --BYB27129.1147699190/expms1.cites.uiuc.edu
>> > Content-Transfer-Encoding: 7bit
>> > Content-Type: message/rfc822
>> >
>> > Return-Path: <c***@mydomain.com>
>> > Received: from relay7.cso.uiuc.edu (relay7.cso.uiuc.edu
>> > [128.174.5.108])
>> > by expms1.cites.uiuc.edu (MOS 3.4.8-GR)
>> > with ESMTP id BYA71319;
>> > Sun, 14 May 2006 20:14:05 -0500 (CDT)
>> > Received: from 65-100-121-11.albq.qwest.net
>> > (65-100-121-11.albq.qwest.net
>> > [65.100.121.11])
>> > by relay7.cso.uiuc.edu (8.13.6/8.13.6) with SMTP id k4F1DxO1005567
>> > for <jk***@uiuc.edu>; Sun, 14 May 2006 20:14:00 -0500 (CDT)
>> > Received: from [65.100.104.143] (helo=rzgj)
>> > by 65-100-121-11.albq.qwest.net with smtp (Exim 4.43)
>> > id 1FfRgq-0005Ll-2W; Sun, 14 May 2006 19:16:04 -0600
>> > Message-ID: <001101c677bc$d63963e5$8f686441@rzgj>
>> > From: "Amabel Sinclair" <c***@mydomain.com>
>> > To: <jk***@uiuc.edu>
>> > Subject: basics anarchy
>> > Date: Sun, 14 May 2006 19:07:17 -0600
>> > MIME-Version: 1.0
>> > Content-Type: multipart/related;
>> > type="multipart/alternative";
>> > boundary="----=_NextPart_000_000D_01C6778A.8B9EF361"
>> > X-Priority: 3
>> > X-MSMail-Priority: Normal
>> > X-Mailer: Microsoft Outlook Express 6.00.2800.1441
>> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
>> > X-Spam-Score: 98
>> > X-Spam-Details: rule=tag_spam policy=tag score=98 mlx=98 adultscore=4
>> > adjust=0 engine=2.5.0-06042601 definitions=3.0.0-06051419
>> > X-Spam-Flag: YES
>> > X-Spam-OrigSender: c***@mydomain.com
>> >
>> >
>> > --BYB27129.1147699190/expms1.cites.uiuc.edu-
>> >
>> >
>>
>>
>>

"John Oliver, Jr. [MVP]" wrote:

> Seems your ISP is filtering your domain for Spam, -Spam-Checker-Version:
> Matrix Spam Checker 1.5 (2) on spambackend26.livemail.co.uk
>
> The first header which states this email was sent to AOL user which does not
> exist from user f**@yourdomain.com.   The second email was sent from
> c***@yourdomain.com to jk***@uiuc.edu.
>
> Are these legit addresses on your SBS domain?
>
> --
> John Oliver, Jr
> MCSE, MCT, CCNA
> Exchange MVP 2006
> Microsoft Certified Partner
> "chris aldrich" <chrisaldr***@discussions.microsoft.com> wrote in message
> news:13CE72F1-B4F4-41FC-91D9-BD1539F13292@microsoft.com...
> > Thanks for your suggestions John. I will read through both the links you
> > provided.
> >
> > Can you explain to me how spammers performing dictionary attacks on my
> > domain show up as NDRs when I use Exchange to send and receive my email
> > but
> > not when I collect my email via outlook?
> >
> > Regards Chris
> >
> > "John Oliver, Jr. [MVP]" wrote:
> >
> >> Its most likely Spammers that are performing dictionary attacks on your
> >> domain.  I have two suggestions to help curb this,
> >>
> >> Enable Connection Filtering,
> >> http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TransnRouting/4aa4b87f-ff18-4667-89f3-1791cfc0f396.mspx?mfr=true
> >>
> >> Enable Recipient Filtering with SMTP Tarpit,
> >> http://www.amset.info/exchange/filter-unknown.asp
> >> http://support.microsoft.com/?kbid=842851
> >>
> >> --
> >> John Oliver, Jr
> >> MCSE, MCT, CCNA
> >> Exchange MVP 2006
> >> Microsoft Certified Partner
> >>
> >> "chris aldrich" <chrisaldr***@discussions.microsoft.com> wrote in message
> >> news:2ED0810E-2B49-4F39-8FF3-265576DD6F88@microsoft.com...
> >> >I have been receiving a lot of system administrator undeliverable
> >> >reports
> >> >and
> >> > a lot of NDR from external email accounts.
> >> >
> >> > The system admin NDRsare to email addresses that I have not sent email
> >> > to
> >> > (I
> >> > am the only user on my SMS 2003 server exchange) and the external
> >> > NDRsshow
> >> > that the emails were sent with from addresses that I dont use. These
> >> > send
> >> > addresses are seemingly random. I receive these external NDRs as I have
> >> > a
> >> > catch all for my email account.
> >> >
> >> > I have checked that my SMTP server is not open.
> >> >
> >> > If I stop exchange and collect email without it I do not get any NDRs
> >> > at
> >> > all. Does this mean that I have a virus that is sending these emails?
> >> > If
> >> > it
> >> > was someone using spoofing my email account surely I would still get
> >> > NDRs
> >> > even if I wasnt receiving through exchange?
> >> >
> >> > I have anti-virus on my SBS 2003 server.
> >> >
> >> > I have read other posts on this subject but none of them seem to answer
> >> > my
> >> > question - why is this happening?
> >> >
> >> > Here are a couple of reports and headers
> >> >
> >> > Microsoft Mail Internet Headers Version 2.0
> >> > Received: from mail pickup service by poweredge1400.mydomain.local with
> >> > Microsoft SMTPSVC; Sun, 14 May 2006 16:46:05 +0100
> >> > thread-index: AcZ3bYLPV+kdm0SrRVmnEGIbszAxBg==
> >> > Return-Path:
> >> > Cc:
> >> > Delivered-To: ch***@mydomain.com
> >> > X-Spam-Checker-Version: Matrix Spam Checker 1.5 (2) on
> >> > spambackend26.livemail.co.uk
> >> > X-Spam-Level:
> >> > X-Spam-Status: No, score=0.0 required=1.0 tests=none autolearn=disabled
> >> > version=1.5
> >> > Message-ID: <000001c6776d$82e00d60$8c00a8c0@mydomain.local>
> >> > Content-Transfer-Encoding: 7bit
> >> > Date: Sun, 14 May 2006 16:46:05 +0100
> >> > From: "Mail Delivery Subsystem" <MAILER-DAE***@aol.com>
> >> > X-Mailer: Microsoft CDO for Exchange 2000
> >> > To: <f**@mydomain.com>
> >> > MIME-Version: 1.0
> >> > Content-Type: multipart/report;
> >> > report-type=delivery-status;
> >> > boundary="LAA08900.1147621820/rly-xl06.mx.aol.com"
> >> > Subject: Returned mail: User unknown
> >> > Auto-Submitted: auto-generated (failure)
> >> > X-AOL-IP: 172.20.83.55
> >> > X-Original-To: f**@mydomain.com
> >> > Content-Class: urn:content-classes:message
> >> > Importance: normal
> >> > Priority: normal
> >> > X-AntiVirus: checked by Vexira MailArmor
> >> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
> >> > X-OriginalArrivalTime: 14 May 2006 15:46:05.0906 (UTC)
> >> > FILETIME=[82F7DB20:01C6776D]
> >> >
> >> > --LAA08900.1147621820/rly-xl06.mx.aol.com
> >> > Content-Type: text/plain;
> >> > charset="iso-8859-1"
> >> > Content-Transfer-Encoding: 7bit
> >> >
> >> > --LAA08900.1147621820/rly-xl06.mx.aol.com
> >> > Content-Transfer-Encoding: 7bit
> >> > Content-Type: message/delivery-status
> >> >
> >> > --LAA08900.1147621820/rly-xl06.mx.aol.com
> >> > Content-Transfer-Encoding: 7bit
> >> > Content-Type: text/rfc822-headers;
> >> > charset="iso-8859-1"
> >> >
> >> >
> >> > --LAA08900.1147621820/rly-xl06.mx.aol.com--
> >> >
> >> > #####################################################
> >> >
> >> > Microsoft Mail Internet Headers Version 2.0
> >> > Received: from mail pickup service by poweredge1400.mydomain.local with
> >> > Microsoft SMTPSVC; Mon, 15 May 2006 14:15:46 +0100
> >> > thread-index: AcZ4Iaz1kROOrE0PSnqo8cXRNkPIZg==
> >> > Return-Path:
> >> > Cc:
> >> > Delivered-To: ch***@mydomain.com
> >> > X-Spam-Checker-Version: Matrix Spam Checker 1.5 (2) on
> >> > spambackend26.livemail.co.uk
> >> > X-Spam-Level:
> >> > X-Spam-Status: No, score=0.0 required=1.0 tests=none autolearn=disabled
> >> > version=1.5
> >> > Message-ID: <000001c67821$ad192d00$8c00a8c0@mydomain.local>
> >> > Content-Transfer-Encoding: 7bit
> >> > Date: Mon, 15 May 2006 14:15:45 +0100
> >> > From: "Mail Delivery Subsystem" <MAILER-DAE***@express.cites.uiuc.edu>
> >> > X-Mailer: Microsoft CDO for Exchange 2000
> >> > To: <c***@mydomain.com>
> >> > MIME-Version: 1.0
> >> > Content-Type: multipart/report;
> >> > report-type=delivery-status;
> >> > boundary="BYB27129.1147699190/expms1.cites.uiuc.edu"
> >> > Subject: Warning: could not send message for past 12 hours
> >> > Auto-Submitted: auto-generated (warning-timeout)
> >> > X-Original-To: c***@mydomain.com
> >> > Content-Class: urn:content-classes:message
> >> > Importance: normal
> >> > Priority: normal
> >> > X-AntiVirus: checked by Vexira MailArmor
> >> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
> >> > X-OriginalArrivalTime: 15 May 2006 13:15:46.0062 (UTC)
> >> > FILETIME=[AD22A2E0:01C67821]
> >> >
> >> > --BYB27129.1147699190/expms1.cites.uiuc.edu
> >> > Content-Type: text/plain;
> >> > charset="iso-8859-1"
> >> > Content-Transfer-Encoding: 7bit
> >> >
> >> > --BYB27129.1147699190/expms1.cites.uiuc.edu
> >> > Content-Transfer-Encoding: 7bit
> >> > Content-Type: message/delivery-status
> >> >
> >> > --BYB27129.1147699190/expms1.cites.uiuc.edu
> >> > Content-Transfer-Encoding: 7bit
> >> > Content-Type: message/rfc822
> >> >
> >> > Return-Path: <c***@mydomain.com>
> >> > Received: from relay7.cso.uiuc.edu (relay7.cso.uiuc.edu
> >> > [128.174.5.108])
> >> > by expms1.cites.uiuc.edu (MOS 3.4.8-GR)
> >> > with ESMTP id BYA71319;
> >> > Sun, 14 May 2006 20:14:05 -0500 (CDT)
> >> > Received: from 65-100-121-11.albq.qwest.net
> >> > (65-100-121-11.albq.qwest.net
> >> > [65.100.121.11])
> >> > by relay7.cso.uiuc.edu (8.13.6/8.13.6) with SMTP id k4F1DxO1005567
> >> > for <jk***@uiuc.edu>; Sun, 14 May 2006 20:14:00 -0500 (CDT)
> >> > Received: from [65.100.104.143] (helo=rzgj)
> >> > by 65-100-121-11.albq.qwest.net with smtp (Exim 4.43)
> >> > id 1FfRgq-0005Ll-2W; Sun, 14 May 2006 19:16:04 -0600
> >> > Message-ID: <001101c677bc$d63963e5$8f686441@rzgj>
> >> > From: "Amabel Sinclair" <c***@mydomain.com>
> >> > To: <jk***@uiuc.edu>
> >> > Subject: basics anarchy
> >> > Date: Sun, 14 May 2006 19:07:17 -0600
> >> > MIME-Version: 1.0
> >> > Content-Type: multipart/related;
> >> > type="multipart/alternative";
> >> > boundary="----=_NextPart_000_000D_01C6778A.8B9EF361"
> >> > X-Priority: 3
> >> > X-MSMail-Priority: Normal
> >> > X-Mailer: Microsoft Outlook Express 6.00.2800.1441
> >> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
> >> > X-Spam-Score: 98
> >> > X-Spam-Details: rule=tag_spam policy=tag score=98 mlx=98 adultscore=4
> >> > adjust=0 engine=2.5.0-06042601 definitions=3.0.0-06051419
> >> > X-Spam-Flag: YES
> >> > X-Spam-OrigSender: c***@mydomain.com
> >> >
> >> >
> >> > --BYB27129.1147699190/expms1.cites.uiuc.edu-
> >> >
> >> >
> >>
> >>
> >>
>
>
>

"chris aldrich" <chrisaldr***@discussions.microsoft.com> wrote in message
news:25152F94-82E3-46E0-A6A2-7D2B6B48E673@microsoft.com...
> No none of the email addresses exist on my domain that have been returned.
>
> "John Oliver, Jr. [MVP]" wrote:
>
>> Seems your ISP is filtering your domain for Spam, -Spam-Checker-Version:
>> Matrix Spam Checker 1.5 (2) on spambackend26.livemail.co.uk
>>
>> The first header which states this email was sent to AOL user which does
>> not
>> exist from user f**@yourdomain.com.   The second email was sent from
>> c***@yourdomain.com to jk***@uiuc.edu.
>>
>> Are these legit addresses on your SBS domain?
>>
>> --
>> John Oliver, Jr
>> MCSE, MCT, CCNA
>> Exchange MVP 2006
>> Microsoft Certified Partner
>> "chris aldrich" <chrisaldr***@discussions.microsoft.com> wrote in message
>> news:13CE72F1-B4F4-41FC-91D9-BD1539F13292@microsoft.com...
>> > Thanks for your suggestions John. I will read through both the links
>> > you
>> > provided.
>> >
>> > Can you explain to me how spammers performing dictionary attacks on my
>> > domain show up as NDRs when I use Exchange to send and receive my email
>> > but
>> > not when I collect my email via outlook?
>> >
>> > Regards Chris
>> >
>> > "John Oliver, Jr. [MVP]" wrote:
>> >
>> >> Its most likely Spammers that are performing dictionary attacks on
>> >> your
>> >> domain.  I have two suggestions to help curb this,
>> >>
>> >> Enable Connection Filtering,
>> >> http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3TransnRouting/4aa4b87f-ff18-4667-89f3-1791cfc0f396.mspx?mfr=true
>> >>
>> >> Enable Recipient Filtering with SMTP Tarpit,
>> >> http://www.amset.info/exchange/filter-unknown.asp
>> >> http://support.microsoft.com/?kbid=842851
>> >>
>> >> --
>> >> John Oliver, Jr
>> >> MCSE, MCT, CCNA
>> >> Exchange MVP 2006
>> >> Microsoft Certified Partner
>> >>
>> >> "chris aldrich" <chrisaldr***@discussions.microsoft.com> wrote in
>> >> message
>> >> news:2ED0810E-2B49-4F39-8FF3-265576DD6F88@microsoft.com...
>> >> >I have been receiving a lot of system administrator undeliverable
>> >> >reports
>> >> >and
>> >> > a lot of NDR from external email accounts.
>> >> >
>> >> > The system admin NDRsare to email addresses that I have not sent
>> >> > email
>> >> > to
>> >> > (I
>> >> > am the only user on my SMS 2003 server exchange) and the external
>> >> > NDRsshow
>> >> > that the emails were sent with from addresses that I dont use. These
>> >> > send
>> >> > addresses are seemingly random. I receive these external NDRs as I
>> >> > have
>> >> > a
>> >> > catch all for my email account.
>> >> >
>> >> > I have checked that my SMTP server is not open.
>> >> >
>> >> > If I stop exchange and collect email without it I do not get any
>> >> > NDRs
>> >> > at
>> >> > all. Does this mean that I have a virus that is sending these
>> >> > emails?
>> >> > If
>> >> > it
>> >> > was someone using spoofing my email account surely I would still get
>> >> > NDRs
>> >> > even if I wasnt receiving through exchange?
>> >> >
>> >> > I have anti-virus on my SBS 2003 server.
>> >> >
>> >> > I have read other posts on this subject but none of them seem to
>> >> > answer
>> >> > my
>> >> > question - why is this happening?
>> >> >
>> >> > Here are a couple of reports and headers
>> >> >
>> >> > Microsoft Mail Internet Headers Version 2.0
>> >> > Received: from mail pickup service by poweredge1400.mydomain.local
>> >> > with
>> >> > Microsoft SMTPSVC; Sun, 14 May 2006 16:46:05 +0100
>> >> > thread-index: AcZ3bYLPV+kdm0SrRVmnEGIbszAxBg==
>> >> > Return-Path:
>> >> > Cc:
>> >> > Delivered-To: ch***@mydomain.com
>> >> > X-Spam-Checker-Version: Matrix Spam Checker 1.5 (2) on
>> >> > spambackend26.livemail.co.uk
>> >> > X-Spam-Level:
>> >> > X-Spam-Status: No, score=0.0 required=1.0 tests=none
>> >> > autolearn=disabled
>> >> > version=1.5
>> >> > Message-ID: <000001c6776d$82e00d60$8c00a8c0@mydomain.local>
>> >> > Content-Transfer-Encoding: 7bit
>> >> > Date: Sun, 14 May 2006 16:46:05 +0100
>> >> > From: "Mail Delivery Subsystem" <MAILER-DAE***@aol.com>
>> >> > X-Mailer: Microsoft CDO for Exchange 2000
>> >> > To: <f**@mydomain.com>
>> >> > MIME-Version: 1.0
>> >> > Content-Type: multipart/report;
>> >> > report-type=delivery-status;
>> >> > boundary="LAA08900.1147621820/rly-xl06.mx.aol.com"
>> >> > Subject: Returned mail: User unknown
>> >> > Auto-Submitted: auto-generated (failure)
>> >> > X-AOL-IP: 172.20.83.55
>> >> > X-Original-To: f**@mydomain.com
>> >> > Content-Class: urn:content-classes:message
>> >> > Importance: normal
>> >> > Priority: normal
>> >> > X-AntiVirus: checked by Vexira MailArmor
>> >> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
>> >> > X-OriginalArrivalTime: 14 May 2006 15:46:05.0906 (UTC)
>> >> > FILETIME=[82F7DB20:01C6776D]
>> >> >
>> >> > --LAA08900.1147621820/rly-xl06.mx.aol.com
>> >> > Content-Type: text/plain;
>> >> > charset="iso-8859-1"
>> >> > Content-Transfer-Encoding: 7bit
>> >> >
>> >> > --LAA08900.1147621820/rly-xl06.mx.aol.com
>> >> > Content-Transfer-Encoding: 7bit
>> >> > Content-Type: message/delivery-status
>> >> >
>> >> > --LAA08900.1147621820/rly-xl06.mx.aol.com
>> >> > Content-Transfer-Encoding: 7bit
>> >> > Content-Type: text/rfc822-headers;
>> >> > charset="iso-8859-1"
>> >> >
>> >> >
>> >> > --LAA08900.1147621820/rly-xl06.mx.aol.com--
>> >> >
>> >> > #####################################################
>> >> >
>> >> > Microsoft Mail Internet Headers Version 2.0
>> >> > Received: from mail pickup service by poweredge1400.mydomain.local
>> >> > with
>> >> > Microsoft SMTPSVC; Mon, 15 May 2006 14:15:46 +0100
>> >> > thread-index: AcZ4Iaz1kROOrE0PSnqo8cXRNkPIZg==
>> >> > Return-Path:
>> >> > Cc:
>> >> > Delivered-To: ch***@mydomain.com
>> >> > X-Spam-Checker-Version: Matrix Spam Checker 1.5 (2) on
>> >> > spambackend26.livemail.co.uk
>> >> > X-Spam-Level:
>> >> > X-Spam-Status: No, score=0.0 required=1.0 tests=none
>> >> > autolearn=disabled
>> >> > version=1.5
>> >> > Message-ID: <000001c67821$ad192d00$8c00a8c0@mydomain.local>
>> >> > Content-Transfer-Encoding: 7bit
>> >> > Date: Mon, 15 May 2006 14:15:45 +0100
>> >> > From: "Mail Delivery Subsystem"
>> >> > <MAILER-DAE***@express.cites.uiuc.edu>
>> >> > X-Mailer: Microsoft CDO for Exchange 2000
>> >> > To: <c***@mydomain.com>
>> >> > MIME-Version: 1.0
>> >> > Content-Type: multipart/report;
>> >> > report-type=delivery-status;
>> >> > boundary="BYB27129.1147699190/expms1.cites.uiuc.edu"
>> >> > Subject: Warning: could not send message for past 12 hours
>> >> > Auto-Submitted: auto-generated (warning-timeout)
>> >> > X-Original-To: c***@mydomain.com
>> >> > Content-Class: urn:content-classes:message
>> >> > Importance: normal
>> >> > Priority: normal
>> >> > X-AntiVirus: checked by Vexira MailArmor
>> >> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
>> >> > X-OriginalArrivalTime: 15 May 2006 13:15:46.0062 (UTC)
>> >> > FILETIME=[AD22A2E0:01C67821]
>> >> >
>> >> > --BYB27129.1147699190/expms1.cites.uiuc.edu
>> >> > Content-Type: text/plain;
>> >> > charset="iso-8859-1"
>> >> > Content-Transfer-Encoding: 7bit
>> >> >
>> >> > --BYB27129.1147699190/expms1.cites.uiuc.edu
>> >> > Content-Transfer-Encoding: 7bit
>> >> > Content-Type: message/delivery-status
>> >> >
>> >> > --BYB27129.1147699190/expms1.cites.uiuc.edu
>> >> > Content-Transfer-Encoding: 7bit
>> >> > Content-Type: message/rfc822
>> >> >
>> >> > Return-Path: <c***@mydomain.com>
>> >> > Received: from relay7.cso.uiuc.edu (relay7.cso.uiuc.edu
>> >> > [128.174.5.108])
>> >> > by expms1.cites.uiuc.edu (MOS 3.4.8-GR)
>> >> > with ESMTP id BYA71319;
>> >> > Sun, 14 May 2006 20:14:05 -0500 (CDT)
>> >> > Received: from 65-100-121-11.albq.qwest.net
>> >> > (65-100-121-11.albq.qwest.net
>> >> > [65.100.121.11])
>> >> > by relay7.cso.uiuc.edu (8.13.6/8.13.6) with SMTP id k4F1DxO1005567
>> >> > for <jk***@uiuc.edu>; Sun, 14 May 2006 20:14:00 -0500 (CDT)
>> >> > Received: from [65.100.104.143] (helo=rzgj)
>> >> > by 65-100-121-11.albq.qwest.net with smtp (Exim 4.43)
>> >> > id 1FfRgq-0005Ll-2W; Sun, 14 May 2006 19:16:04 -0600
>> >> > Message-ID: <001101c677bc$d63963e5$8f686441@rzgj>
>> >> > From: "Amabel Sinclair" <c***@mydomain.com>
>> >> > To: <jk***@uiuc.edu>
>> >> > Subject: basics anarchy
>> >> > Date: Sun, 14 May 2006 19:07:17 -0600
>> >> > MIME-Version: 1.0
>> >> > Content-Type: multipart/related;
>> >> > type="multipart/alternative";
>> >> > boundary="----=_NextPart_000_000D_01C6778A.8B9EF361"
>> >> > X-Priority: 3
>> >> > X-MSMail-Priority: Normal
>> >> > X-Mailer: Microsoft Outlook Express 6.00.2800.1441
>> >> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
>> >> > X-Spam-Score: 98
>> >> > X-Spam-Details: rule=tag_spam policy=tag score=98 mlx=98
>> >> > adultscore=4
>> >> > adjust=0 engine=2.5.0-06042601 definitions=3.0.0-06051419
>> >> > X-Spam-Flag: YES
>> >> > X-Spam-OrigSender: c***@mydomain.com
>> >> >
>> >> >
>> >> > --BYB27129.1147699190/expms1.cites.uiuc.edu-
>> >> >
>> >> >
>> >>
>> >>
>> >>
>>
>>
>>