Flood of "System Administrator" Undeliverable SPAM, please help
Flood of "System Administrator" Undeliverable... - 26.Mar.2008 5:51:55 PM
huffinagle
Posts: 33
Joined: 31.Mar.2005
From: McMinnville, OR, USA
Status: offline

Today I began to receive thousands of NDR email messages at various user email accounts throughout my organization. It looks like a spammer is using the SMTP addresses of my users in their spam messages. When those spam messages do not reach their intended mailbox and generate an NDR, the NDR is sent to my user. Is there any possible solution to this crisis? Literally thousands of spam messages are entering my system unhindered.

Thank you for helping,
Matthew

RE: Flood of "System Administrator" Undeliver... - 27.Mar.2008 3:26:49 AM
Nicks
Posts: 2543
Joined: 17.Mar.2003
Status: offline

Hi Matthew,

By default, GFI MailEssentials does not scan Delivery Status Notification (DSN) messages, which include NDRs. This knowledgebase article explains how to enable this functionality in GFI MailEssentials:
http://kbase.gfi.com/showarticle.asp?id=KBID003322

Let us know how it goes.
_____________________________
Nicholas Sciberras
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software

RE: Flood of "System Administrator" Undeliver... - 27.Mar.2008 7:25:23 AM
dadams
Posts: 8
Joined: 31.Oct.2006
Status: offline

Nicks,

I have made the indicated change to the registry and I am still getting these emails unfiltered. I added keywords such as "Undeliverable" to the keyword list and still no effect. What's going on? I'm having users groaning big time about having to delete 200-300 of these messages.

Thanks,
Don
_____________________________
Don

RE: Flood of "System Administrator" Undeliver... - 27.Mar.2008 8:09:41 AM
Eric
Posts: 17
Joined: 24.Jul.2007
Status: offline

I'm having the same exact problem. I haven't tried the registry hack yet, but I will.

Eric

RE: Flood of "System Administrator" Undeliver... - 27.Mar.2008 10:07:16 AM
rodent69
Posts: 2
Joined: 27.Mar.2008
Status: offline

I did the registry change to enable NDR scanning several days ago. Enabled recipient filtering, enabled tarpitting and disabled NDRs on Exchange. Created keyword blocks for undeliverables. I still get messages from 'System Administrator' like

    The following recipient(s) could not be reached:
    jeffreycsmithdd@cerberian.com on 3/27/08 6:25 AM
    The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
    < mail.cerberian.com #5.0.0 X-Postfix; host /kolab/var/kolab/lmtp[/kolab/var/kolab/lmtp] said: 550-Mailbox unknown. Either there is no mailbox associated with this 550-name or you do not have authorization to see it. 550 5.1.1 User unknown (in reply to RCPT TO command)>

and

    The following recipient(s) could not be reached:
    lorrainedurrettdd@fwtinc.com on 3/26/08 11:00 PM
    There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
    < mtac5.prodigy.net #5.5.0 SMTP; 554 Too many connections from origin>

RE: Flood of "System Administrator" Undeliver... - 27.Mar.2008 10:35:39 AM
Nicks
Posts: 2543
Joined: 17.Mar.2003
Status: offline

Hi,

If the suggestion does not work, please contact GFI support, since we would need to take it on a case by case basis. Please enable debug, wait for the problem to be reproduced, and send us samples of the NDR messages that you are receiving together with the troubleshooting files. More information on how to enable debug, and how to generate the troubleshooting files, can be found at
http://forums.gfi.com/General_Information/m_900727096/tm.htm

Thank you
_____________________________
Nicholas Sciberras
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software

RE: Flood of "System Administrator" Undeliver... - 27.Mar.2008 12:54:22 PM
rodent69
Posts: 2
Joined: 27.Mar.2008
Status: offline

Like I would be posting in forums if I had a current support contract. The Bayesian tag is all over the headers on the one I looked at, but not showing up on the Outlook subject line. My email changed to rod@ks.com to protect the innocent ... me. My Outlook shows the last untagged subject line 'Undeliverable: RE: Discount. Coupon #enmpo'

    Microsoft Mail Internet Headers Version 2.0
    Received: from mail pickup service by ks.com with Microsoft SMTPSVC; Thu, 27 Mar 2008 11:11:34 -0500
    x-endofinjectedxheaders:3179
    Thread-Topic: rod@ks.com - Bayesian Filter detected spam - Returned mail: see transcript for details
    Received: from mail2.ewetel.de ([212.6.122.116]) by ks.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 27 Mar 2008 11:11:30 -0500
    Received: from localhost (localhost) by mail2.ewetel.de (8.12.1/8.12.9) id m2RGBT2e028027; Thu, 27 Mar 2008 17:11:29 +0100 (CET)
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
    Date: Thu, 27 Mar 2008 17:11:29 +0100 (CET)
    From: Mail Delivery Subsystem <MAILER-DAEMON@mail2.ewetel.de>
    Message-ID: <200803271611.m2RGBT2e028027@mail2.ewetel.de>
    To: <rod@ks.com>
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status; boundary="m2RGBT2e028027.1206634289/mail2.ewetel.de"
    Subject: rod@ks.com - Bayesian Filter detected spam - Returned mail: see transcript for details
    Auto-Submitted: auto-generated (failure)
    X-CheckCompat: OK
    Return-Path:
    X-OriginalArrivalTime: 27 Mar 2008 16:11:30.0557 (UTC) FILETIME=[37DE62D0:01C89025]

    --m2RGBT2e028027.1206634289/mail2.ewetel.de
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit

    --m2RGBT2e028027.1206634289/mail2.ewetel.de
    Content-Transfer-Encoding: 7bit
    Content-Type: message/delivery-status

    --m2RGBT2e028027.1206634289/mail2.ewetel.de
    Content-Transfer-Encoding: 7bit
    Content-Type: message/rfc822

    Return-Path: <rod@ks.com>
    Received: from 30bff7d5958b45c (shpd-78-36-185-54.vologda.ru [78.36.185.54]) by mail2.ewetel.de (8.12.1/8.12.9) with SMTP id m2RGBP2e027902 for <rod@kid-systeme.de>; Thu, 27 Mar 2008 17:11:27 +0100 (CET)
    Date: Thu, 27 Mar 2008 17:11:25 +0100 (CET)
    X-Envelope-To: <rod@kid-systeme.de>
    X-Originating-IP: [78.0.83.07]
    X-Originating-Email: [rod@kid-systeme.de]
    X-Sender: rod@kid-systeme.de
    Message-Id: <20080327101231.22641.qmail@30bff7d5958b45c>
    To: <rod@kid-systeme.de>
    Subject: RE: Discount. Coupon #enmpo
    From: <rod@kid-systeme.de>
    MIME-Version: 1.0
    Content-Type: text/plain; charset="ISO-8859-1"
    Content-Transfer-Encoding: 7bit
    X-CheckCompat: OK

    --m2RGBT2e028027.1206634289/mail2.ewetel.de--

RE: Flood of "System Administrator" Undeliver... - 27.Mar.2008 1:41:55 PM
huffinagle
Posts: 33
Joined: 31.Mar.2005
From: McMinnville, OR, USA
Status: offline

Nick,

I made the registry edit for DSN and restarted IIS Admin Service. That allowed ME to analyze the NDR email entering my system. I have added many keywords to my "subject" keyword checker. Most of these are being blocked now, however, some still enter. I don't understand how this is possible. For example: the word "viagra" is most certainly in my keyword checker for subjects, but NDR spam with that word in the subject line is still entering the system. Do you have any suggestions?

Matthew

RE: Flood of "System Administrator" Undeliver... - 28.Mar.2008 6:55:44 AM
wrabbit
Posts: 13
Joined: 18.Aug.2006
Status: offline

We've recently had a deluge of these. I've been experimenting this morning with the best way of tackling them. I've made the registry change, and the NDRs are now passing through GFI. However there are a few issues.

My test scenario is ME 12 and Exchange 2000, sending the NDR-generating e-mail through a separate Exchange 2000 server.

Keyword checking, either body or subject, for standard spam words does not work. The body is not analysed at all as far as I can see, probably due to the message being of a special type. The reason subject checking does not work is because the mail actually has 2 sets of headers - the original sending one and the bounce one. This results in 2 subject lines:

    Subject: Delivery Status Notification (Failure)
    Subject: casino

It seems only the first is analysed by GFI. I've verified this by sending a standard message (ie not an NDR) with 2 subjects, eg

    subject: Perfectly normal e-mail
    subject: Casino

The e-mail does not get caught by the keyword subject checking (despite Casino being listed) as only the first subject is checked, and Outlook displays the second subject. As far as I'm concerned this is a bug - all subjects within the headers should be checked.

Working on this basis I then added the word (Failure) to the header checking. The mails are then caught. This is far from ideal as it means that I'm working on the basis of all NDRs being tagged as spam.

Next was the issue of what happens to the mail when it is IDed as spam. Most of our spam catching actually gets forwarded to an internal e-mail address, eg spamreview@ourdomain.com. The mails were never arriving there. The log file showed they were IDed as spam and were being forwarded. They never arrived. When I modified the action to Tag, the mails were delivered to the recipient, with the first subject in the headers modified, eg

    Subject: +AFs-SPAM+AF0- - Delivery Status Notification (Failure) - Found word(s) (Failure) in the subject

So the summary is that the NDR checking for Exchange generated bounces is practically useless as it's so limited in its operation. I'm gathering together some more NDR spam from other types of mail servers to see if I can at least reduce the volume.
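The double-Subject problem wrabbit describes above, and the foreign-origin Received line visible in the header dump rodent69 posted earlier in this thread, as an added example (Python, written for this page; it is not GFI MailEssentials code and not something any poster supplied). It parses a constructed multipart/report bounce with the standard library's email package, collects every Subject header including the one on the embedded message/rfc822 part, and checks whether the bounced message ever passed through one of our own MTAs. The hostnames, addresses, the keyword list and the MTA list are placeholders made up for the sample.

```python
"""Check every Subject header in a bounce, not only the outer one.

Added example, not GFI MailEssentials code. It models two things raised in
the thread: an NDR carries two Subject headers (the outer "Delivery Status
Notification (Failure)" and the original message's own Subject inside the
message/rfc822 part), and in a backscatter bounce the embedded "original"
was injected from a foreign host, i.e. our server never sent it.
Hostnames, addresses, KEYWORDS and OUR_MTAS are constructed placeholders.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Constructed sample bounce laid out like the multipart/report NDR in the
# thread: outer DSN headers, a delivery-status part, then the bounced
# message as a message/rfc822 part with its own Subject and Received line.
SAMPLE_NDR = """\
From: Mail Delivery Subsystem <MAILER-DAEMON@mail.example.net>
To: <rod@example.com>
Subject: Delivery Status Notification (Failure)
Auto-Submitted: auto-generated (failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain; charset="iso-8859-1"

The following recipient(s) could not be reached: nobody@example.net
--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1
--B1
Content-Type: message/rfc822

Received: from 30bff7d5958b45c (dialup.example.org [198.51.100.7])
    by mail.example.net (8.12.1/8.12.9) with SMTP id ABC123
    for <nobody@example.net>; Thu, 27 Mar 2008 17:11:27 +0100 (CET)
From: <rod@example.com>
To: <nobody@example.net>
Subject: RE: Discount. Coupon #enmpo viagra
Content-Type: text/plain; charset="ISO-8859-1"

buy now
--B1--
"""

KEYWORDS = ("viagra", "casino")      # constructed keyword list
OUR_MTAS = ("mail.example.com",)     # constructed: relays our mail really uses


def parse(raw: str) -> EmailMessage:
    """Parse with the modern policy so the nested message/rfc822 part is
    exposed as a message that walk() descends into."""
    return email.message_from_string(raw, policy=policy.default)


def all_subjects(raw: str) -> list:
    """Every Subject header in the bounce: the outer one first, then the
    Subject of the embedded original. A filter that only looks at index 0
    sees 'Delivery Status Notification (Failure)' and nothing else."""
    return [str(v) for part in parse(raw).walk()
            for v in part.get_all("Subject", [])]


def matched_keywords(raw: str, keywords=KEYWORDS) -> list:
    """Keywords found in any Subject header, case-insensitively."""
    subjects = " ".join(all_subjects(raw)).lower()
    return [k for k in keywords if k.lower() in subjects]


def embedded_original(msg: EmailMessage) -> Optional[EmailMessage]:
    """The bounced message carried in the message/rfc822 part, if any."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def sent_by_us(raw: str, our_mtas=OUR_MTAS) -> bool:
    """Heuristic: did the bounced message pass through one of our MTAs?
    A bounce for mail we never relayed is backscatter from a forged sender."""
    orig = embedded_original(parse(raw))
    if orig is None:
        return False
    received = " ".join(str(h) for h in orig.get_all("Received", [])).lower()
    return any(host.lower() in received for host in our_mtas)


def classify(raw: str) -> dict:
    """Verdict a filter could act on: keyword hits across all Subjects, and
    whether the bounced message ever originated from our side."""
    hits = matched_keywords(raw)
    ours = sent_by_us(raw)
    return {"subjects": all_subjects(raw), "keyword_hits": hits,
            "sent_by_us": ours, "backscatter": bool(hits) or not ours}


if __name__ == "__main__":
    for key, value in classify(SAMPLE_NDR).items():
        print(f"{key}: {value}")
```

On the sample this reports both subjects, a keyword hit on the inner one only, and sent_by_us False, so the bounce is flagged as backscatter. The origin check is a heuristic: it needs the real relay hostnames in OUR_MTAS and only tells you that the "original" never left your side, so it complements the per-subject keyword check rather than replacing it.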
RE: Flood of "System Administrator" Undeliver... - 28.Mar.2008 11:13:47 AM
huffinagle
Posts: 33
Joined: 31.Mar.2005
From: McMinnville, OR, USA
Status: offline

WRABBIT, that is very good analysis. GFI, can you please investigate the "second subject" issue wrabbit illustrates in his post above?

RE: Flood of "System Administrator" Undeliver... - 1.Apr.2008 4:08:31 AM
wrabbit
Posts: 13
Joined: 18.Aug.2006
Status: offline

I've now got another client who is complaining about the hundreds of NDR spam they are getting. Blocking all NDRs is most definitely not an option at this site. And of course the people who are most affected are always senior management - you know, the decision makers. We really need a viable option for this.

RE: Flood of "System Administrator" Undeliver... - 1.Apr.2008 4:27:16 AM
LukeQuake
Posts: 20
Joined: 18.Mar.2008
Status: offline

Exactly the same problem here as well... I've sent an email to GFI Support this morning, but all I've been told previously is that 'dealing with backscatter is on the list of improvements for GFI'....

RE: Flood of "System Administrator" Undeliver... - 1.Apr.2008 4:50:23 AM
andih98uk
Posts: 16
Joined: 31.Mar.2008
Status: offline

I've been having this problem as well, but after doing all the improvements here it's pretty much come under control apart from a few. Another thing to check is to go into your whitelist and check there are no entries with @yourdomain.com in, as these will bypass the keyword check. If you need to search, copy the config.mdb from the program files\gfi\mailessentials directory and edit it in Access. I found quite a few of my user accounts in there.

RE: Flood of "System Administrator" Undeliver... - 1.Apr.2008 5:30:40 AM
andreasoc
Posts: 11
Joined: 18.May2006
Status: offline

quote:
ORIGINAL: Nicks
Hi Matthew, By default, GFI MailEssentials does not scan Delivery Status Notification (DSN) messages, which include NDRs. This knowledgebase article explains how to enable this functionality in GFI MailEssentials. http://kbase.gfi.com/showarticle.asp?id=KBID003322 Let us know how it goes.

thanks
