Junk emails from System Administrator!!

chris menzies

I have a user who is getting dozens of emails similar to...............

From: System Administrator
Sent: 09 April 2008 14:01
To: Martin Moore
Subject: Undeliverable: Undelivered Mail Returned to Sender

Your message did not reach some or all of the intended recipients.

Subject: [*****SPAM*****] Услуги по перевозке мебели квартир, офисов,
дач по Москве и МО
Sent: 09/04/2008 12:12

The following recipient(s) could not be reached:

(e-mail address removed) on 09/04/2008 14:00
You do not have permission to send to this recipient. For
assistance, contact your system administrator.
< kair.permregion.ru #5.7.1 X-Postfix; Your email has spam-like
header content. (postmaster)>

................and yes, his name is Martin Moore!!

What could be causing these to appear in his INBOX and not his JUNK-EMAIL
folder?
 
Brian Tillman

chris menzies said:
I have a user who is getting dozens of emails similar
to............... ....snip...
What could be causing these to appear in his INBOX and not his
JUNK-EMAIL folder?

Non-delivery reports are generally not considered spam. What this message
indicates to me is that someone has hijacked Mr. Moore's mail address and
used it as the sender address for a slew of spam. Because this spam is
being caught and rejected or is being delivered to invalid addresses, Mr.
Moore (since he appears to be the sender) is getting the NDRs.
 
chris menzies

Thank you Brian :o)

So how would you suggest we stop this? He is now receiving around 5 emails
every minute at the moment, directly to his inbox. We are running a McAfee
virusscan as well as a SpyBot scan to make sure nothing suspect is on the
PC.............would you suggest another application or process in
determining the source of this problem?
 
Brian Tillman

chris menzies said:
So how would you suggest we stop this? He is now receiving around 5
emails every minute at the moment, directly to his inbox. We are
running a McAfee virusscan as well as a SpyBot scan to make sure
nothing suspect is on the PC.............would you suggest another
application or process in determining the source of this problem?

It's highly unlikely that his PC is the source of the problem. Typically,
it would be the PC of someone with his address in the address book that has
been compromised and is now a spambot. There's little you can do. It
should taper off after a while. A rule may be able to ameliorate the volume
of messages. See if there's something constant in the subject and use a
rule that looks for that string in the subject.
 
VanguardLH

chris said:
I have a user who is getting dozens of emails similar to...............

From: System Administrator
Sent: 09 April 2008 14:01
To: Martin Moore
Subject: Undeliverable: Undelivered Mail Returned to Sender

Your message did not reach some or all of the intended recipients.

Subject: [*****SPAM*****] Услуги по перевозке мебели квартир, офисов,
дач по Москве и МО
Sent: 09/04/2008 12:12

The following recipient(s) could not be reached:

(e-mail address removed) on 09/04/2008 14:00
You do not have permission to send to this recipient. For
assistance, contact your system administrator.
< kair.permregion.ru #5.7.1 X-Postfix; Your email has spam-like
header content. (postmaster)>

...............and yes, his name is Martin Moore!!

What could be causing these to appear in his INBOX and not his JUNK-EMAIL
folder?

Is there an attachment to this NDR (non-delivery report) email? If so,
it could be a bogus NDR to deliver spam. The spammer sends you their
crap disguised as an NDR but includes an attachment that contains their
spam. The recipient gets the NDR, doesn't recognize anything regarding
it (i.e., they don't remember sending anything to the claimed original
recipient), and then opens the attachment figuring on looking at what was the
original e-mail that they sent, only to then see the spammer's crap.

If there is no attachment, or it is not spam, then someone is spewing
out their spam while using your e-mail address as theirs. Anyone can
claim any e-mail address they want. Try it. In an e-mail client, put
whatever e-mail address you want as your own in the Email or Reply-To
fields in the e-mail account defined in that e-mail client. In a
company that uses Exchange, they can have Exchange override any From or
Reply-To headers that the employee added and force those fields to have
values assigned to that employee's mailbox (i.e., the employee cannot
lie about through which account they sent their e-mail). That is only
available in Exchange, not when using SMTP where the client states what
is their e-mail address.

You cannot stop someone sending out spam while claiming to have your
e-mail address. Then when the spammer hits an invalid username at a
valid domain or the spam source is blacklisted, the recipient is sending
back the NDR but the only e-mail address they have is what was specified
in the headers - and those values were specified by the sender! A
properly configured mail server will reject an undeliverable e-mail
DURING a mail session with the sending mail host. That means only the
sending mail host gets the rejection and will have to send back the NDR
to whomever used that host to send the spam. If the receiving mail
server is misconfigured and accepts all e-mails and then checks later if
they are deliverable, there is no longer a mail session between the
sending and receiving mail hosts for the receiving mail host to know
where to send back the NDR, so it uses the headers in the e-mail but
those were added by the sender! Only if the rejection is made DURING
the mail session between sending and receiving mail hosts can the
receiving mail host guarantee that it delivers the NDR to the proper
sender. It is then up to the sender to figure out to whom the NDR gets
delivered. If that host was a redirector (i.e., forwarding e-mails)
then it is too late to send back the NDR because there is no longer a
mail session between the prior sending mail host and the receiving host
to which it later connected.

Someone is claiming your e-mail address as theirs. Nothing you can do
about it. You will have to wait until the spammer decides to use
another bogus e-mail address.
 
VanguardLH

chris said:
Thank you Brian :o)

So how would you suggest we stop this? He is now receiving around 5 emails
every minute at the moment, directly to his inbox. We are running a McAfee
virusscan as well as a SpyBot scan to make sure nothing suspect is on the
PC.............would you suggest another application or process in
determining the source of this problem?

Have him define a rule to move or delete e-mails that contain
"report-type=delivery-status" in the message headers. NDRs are a MIME
type in the body of the message, so there is a corresponding header to
declare that MIME part in the body. However, for spam disguised as an
NDR (and with an attachment that contains the spam that they actually
wanted to deliver), they won't have this header.

I find NDRs of little value. If I'm using the wrong e-mail address to
send a message to someone, I won't be able to send them another e-mail
(to the same wrong e-mail address) to ask them what is their correct
e-mail address. My rule moves NDR e-mails into my Junk folder and marks
them as read, and I enabled auto-archiving on the Junk folder to delete
items older than 1 week. So I could retrieve an NDR if I expected an
immediate response to my original message but I won't get nuisanced when
they arrive.
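
The header test that the rule above relies on, as an added Python example that is not part of the original thread. Both sample messages and every example.* address are constructed, and the subject pattern and the `looks-like-ndr` verdict are assumptions of this example, used to single out bounce-worded mail that lacks the delivery-status MIME type.

```python
import email
import re
from email import policy

# Constructed sample messages (not taken from the mailbox in the thread).
REAL_NDR = """\
From: MAILER-DAEMON@mx.example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary=b1

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.7.1
--b1--
"""
FAKE_NDR = """\
From: postmaster@bounce.example.org
Subject: Undeliverable: Undelivered Mail Returned to Sender
Content-Type: multipart/mixed; boundary=b2

--b2
Content-Type: text/plain

Your message did not reach some or all of the intended recipients.
--b2
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=original.dat

placeholder
--b2--
"""
BOUNCE_SUBJECT = re.compile(r"undeliver|returned to sender|delivery status", re.I)

def classify(raw):
    """Return (verdict, status codes) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_param("report-type") == "delivery-status":
        # the DSN part parses into one header block per section
        return "dsn", [str(b["Status"]) for p in msg.walk()
                       if p.get_content_type() == "message/delivery-status"
                       for b in p.get_payload() if b["Status"]]
    if BOUNCE_SUBJECT.search(msg.get("Subject", "")):
        return "looks-like-ndr", []  # bounce wording, no DSN MIME type
    return "other", []
```

A `dsn` verdict is what the mail rule would move to Junk; a `looks-like-ndr` verdict is the disguised kind the rule would not catch.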
 
