Failure Notice - Email Spoofing or else?

By samlhc ·
Users claim they get failure notices like the ones below. They did send the said email, but they didn't send it to the recipient named in the failure notice. This sometimes happens with external or internal recipients. Even senders (from a different domain) who send us email may get a similar problem. This problem does not happen to one account only.

Exchange Server 2003 (Windows 2k3 SBS SP1 std). This server serves as AD and Exchange. There is no public DNS, but it works as a DNS server for the local network. Client PCs point their DNS to this server and the ISP.
This server is not open; Exchange is not supposed to be connected to remotely. Clients outside are not able to collect email remotely.
Relay for the SMTP virtual server has been set to only those in the list, and the list is empty. The smart host points to our webmail hosting. Reverse DNS lookup is checked. There is no MX record for us, because the webmail hosting provider hosts it.

We are using the POP3 connector. We use third-party webmail hosting. We don't have any SMTP connector, but we are running an SMTP virtual server.
When I query the said email using System Manager in Exchange, I can't find the said recipient. The log did show the email was sent to certain recipients, but the unknown recipient was not listed. This problem is not due to a single client. Sometimes even sending email internally may produce such a failure notice.

What else can spoof exactly the same sender and the same subject? So could it be that our Exchange has been hijacked/infected? Or maybe one of the client PCs is infected?
Any advice is appreciated.
Thank you.

external mail failure notice
-----Original Message-----
From: MAILER-DAEMON@ourmail.hosting.com
[mailto:MAILER-DAEMON@ourmail.hosting.com]
Sent: Wednesday, November 07, 2007 9:46 AM
To: User
Subject: failure notice
Hi. This is the qmail-send program at host.ourmail.hosting.com.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<jr@jrtr.org>:
Sorry. Although I'm listed as a best-preference MX or A for that host,
it isn't in my control/locals file, so I don't treat it as local.
(#5.4.6)
--- Below this line is a copy of the message.
Return-Path: <use@domainX.com>
Received: (qmail 15394 invoked from network); 7 Nov 2007 09:36:35 +0800
Received: from 111..in-addr.arpa. (HELO domainX.com)
(111.111.111.111)
by ourmail.hosting.com with SMTP; 7 Nov 2007 09:36:35 +0800
Subject: RE: Holiday
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C820DF.B2CB6D72"
Date: Wed, 7 Nov 2007 09:44:12 +0800
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5
Message-ID:
<F9DD00D4D399214B9B65274AADE136DCA9407A@myserver.domain.cal>
In-Reply-To:
<F9DD00D4D399214B9B65274AADE136DCA94078@myserver.domain.cal>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Holiday
thread-index: AcggHyr/nRbVR3wXTTCzLh8jBYpvMwAvTBfgAABEP6A=
References:
<F9DD00D4D399214B9B65274AADE136DCA94078@myserver.domain.cal>
From: "User" <user@domainX.com>
This is a multi-part message in MIME format.
___________________________________________________________
Internal mail failure notice

-----Original Message-----
From: MAILER-DAEMON@ourmail.hosting.com
[mailto:MAILER-DAEMON@ourmail.hosting.com]
Sent: Thursday, 29 November, 2007 10:31 AM
To: tt
Subject: failure notice


Hi. This is the qmail-send program at host.ourmail.hosting.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<jramtu@avebe.com>:
212.178.222.20 does not like recipient.
Remote host said: 544 Unable to route to domain.
Giving up on 212.178.222.20.

--- Below this line is a copy of the message.

Return-Path: <tt@domainX.com>
Received: (qmail 3222 invoked from network); 29 Nov 2007 10:13:48 +0800
Received: from 111.111.in-addr(HELO domainX.com) (111.111.111.111)
by ourmail.hosting.com with SMTP; 29 Nov 2007 10:13:48 +0800
Subject: RE: down.
Date: Thu, 29 Nov 2007 10:16:04 +0800
Message-ID: <F9DD00D4D399214B9B65274AADE136DC7A4099@myserver.domain.cal>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C8322D.CB2DC270"
In-Reply-To: <F9DD00D4D399214B9B65274AADE136DC7A4098@myserver.domain.cal>
X-MS-Has-Attach:
Content-class: urn:content-classes:message
X-MS-TNEF-Correlator:
X-MimeOLE: Produced By Microsoft Exchange V6.5
Thread-Topic: down.
Thread-Index: AcgyLDrGfpxP7/8uQoGDIUfpFlmwBQAAMAbg
From: "tt" <tt@domainX.com>
To: "At" <at@domainX.com>,

This is a multi-part message in MIME format.

------_=_NextPart_001_01C8322D.CB2DC270
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Dear User,
=20
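
The two notices quoted above follow qmail-send's bounce layout: one paragraph per failed address beginning `<address>:`, then a copy of the original message. As an added example (not part of the original thread; the sample bounce, its addresses and its IPs are constructed), this Python function lists failed envelope recipients that never appear in the returned copy's To/Cc headers, together with the Return-Path and the client IP the hosting server recorded, which are the values to match against the Exchange SMTP log.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample in the layout of the bounces quoted above; every
# address and IP here is a placeholder, not a value from the thread.
SAMPLE_BOUNCE = """\
Hi. This is the qmail-send program at host.example.net.
I'm afraid I wasn't able to deliver your message to the following addresses.

<stranger@example.org>:
192.0.2.20 does not like recipient.
Remote host said: 544 Unable to route to domain.

--- Below this line is a copy of the message.

Return-Path: <tt@example.com>
Received: from example.com (HELO example.com) (192.0.2.1)
  by host.example.net with SMTP; 29 Nov 2007 10:13:48 +0800
Subject: RE: down.
From: "tt" <tt@example.com>
To: "At" <at@example.com>

Dear User,
"""

BREAK = "--- Below this line is a copy of the message."

def analyze_bounce(text):
    """Split a qmail-send bounce into failed recipients and the returned copy."""
    report, _, copy = text.partition(BREAK)
    failed = []
    for para in re.split(r"\n\s*\n", report):
        lines = para.strip().splitlines()
        m = re.match(r"<([^<>\s]+)>:\s*$", lines[0]) if lines else None
        if m:  # recipient paragraph: "<address>:" then the reason text
            failed.append((m.group(1).lower(), " ".join(lines[1:])))
    msg = message_from_string(copy.lstrip("\r\n"))
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", [])
    header_rcpts = {addr.lower() for _, addr in getaddresses(hdrs) if addr}
    ip = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", msg.get("Received", ""))
    return {
        "failed": failed,
        "header_rcpts": header_rcpts,
        # Envelope-only recipients: bounced, yet not in the visible headers.
        "envelope_only": [a for a, _ in failed if a not in header_rcpts],
        "return_path": msg.get("Return-Path", "").strip().strip("<>"),
        "client_ip": ip.group(1) if ip else None,
    }
```

An address in `envelope_only` was an SMTP envelope recipient (RCPT TO) of the submission from `client_ip` without being a visible header recipient, so the place to look next is whatever handed that envelope to the smart host.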


All Answers

spoof the sender

by CG IT In reply to Failure Notice - Email Sp ...

The email hacks can spoof just about anything. They can even send you junk email using your own email address so it looks like you sent spam to yourself [but in actuality it isn't you].

Spoofing

by samlhc In reply to spoof the sender

Dear CG,

Thx. I know everyone can spoof, but there must be a source of the spoofing happening around. Because these spoofed emails are exactly the same in subject or message body, and the person we sent to. And it happens when we send internal mail too. I need to know where the spoofing is coming from, and a way to avoid it. Your kind advice is appreciated.
Thank you.

Message has been deleted.

More Spam, eh? Is TR going to delete this account?

by seanferd In reply to Message has been deleted.

Or are they cleverly tracking the action?
