getting spammed by underliverables
getting spammed by underliverables - 24.Mar.2008 10:18:55 AM
pcecom
This morning my users are getting spammed by messages with the subject undeliverable: and then some text. Why is this getting through GFI? I have been dragging them to the this is spam folder. What else should I do to prevent this? This is one of the email headers...

Microsoft Mail Internet Headers Version 2.0
Received: from pawt001.vpispecialist.com ([68.15.35.33]) by pcecom.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 24 Mar 2008 06:04:42 -0400
From: postmaster@vpi3pl.com
To: myemailaddress
Date: Mon, 24 Mar 2008 06:06:05 -0400
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="9B095B5ADSN=_01C882C7095C052C003500AApawt001.vpispeci"
X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
Message-ID: <o2d3gwhDC001ac748@pawt001.vpispecialist.com>
Subject: Delivery Status Notification (Failure)
Return-Path: <>
X-OriginalArrivalTime: 24 Mar 2008 10:04:42.0537 (UTC) FILETIME=[7AD3C990:01C88D96]

--9B095B5ADSN=_01C882C7095C052C003500AApawt001.vpispeci
Content-Type: text/plain; charset=unicode-1-1-utf-7

--9B095B5ADSN=_01C882C7095C052C003500AApawt001.vpispeci
Content-Type: message/delivery-status

--9B095B5ADSN=_01C882C7095C052C003500AApawt001.vpispeci
Content-Type: message/rfc822

Received: from g227197168.adsl.alicedsl.de ([92.227.197.168]) by pawt001.vpispecialist.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 24 Mar 2008 06:06:04 -0400
Message-ID: <000601c88d96$03b87ff1$3ed18baa@mcbdqytq>
From: "ax baldemar" <myemailaddress>
To: "Forrest Kyle" <suiiljs@vpispecialist.com>
Subject: Give A Gift With Meaning
Date: Mon, 24 Mar 2008 08:17:13 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Return-Path: myemailaddress
X-OriginalArrivalTime: 24 Mar 2008 10:06:04.0747 (UTC) FILETIME=[ABD409B0:01C88D96]

--9B095B5ADSN=_01C882C7095C052C003500AApawt001.vpispeci--
< Message edited by pcecom -- 24.Mar.2008 10:40:55 AM >
RE: getting spammed by underliverables - 24.Mar.2008 10:35:09 AM
joelong
We got hit with this this weekend, too. A few users had over 250 of these messages alone. From what I can tell, it's all backscatter; they all say they originally came from my users, so GFI won't touch this stuff, right?
RE: getting spammed by underliverables - 24.Mar.2008 2:10:01 PM
cai
I have one user that got hit with this today as well. What is troubling to me is the email addresses should not be getting through the filters as they are not whitelisted. Thanks, Jason
RE: getting spammed by underliverables - 24.Mar.2008 2:26:27 PM
pcecom
I have verified my domain is blacklisted and does not appear in the whitelist either. I added part of the subject to the keyword filter and they are still getting through. I get about 10 per hour.
RE: getting spammed by underliverables - 24.Mar.2008 2:41:57 PM
cai
I just found my problem: it was that my user's email was in the whitelist. I think it had been autolisted. I deleted it and now they are not getting any more emails.
RE: getting spammed by underliverables - 24.Mar.2008 2:52:03 PM
pbparker
We're getting crushed by these undeliverables as well. My question is are these in fact true bounces of undeliverables from someone using our email as a sender? They're all bouncing back to a single email address. EDIT - Argh.. I got some of the original emails bounced back in the undeliverables and they are in fact using our email addresses to send spam with. That sucks.
< Message edited by pbparker -- 24.Mar.2008 3:06:35 PM >
RE: getting spammed by underliverables - 24.Mar.2008 2:56:03 PM
pcecom
I would like to clarify this is happening to a single user for me as well, as far as I can tell at the moment.
RE: getting spammed by underliverables - 24.Mar.2008 2:58:40 PM
pbparker
It's strange here too, out of the blue we got at least 250+ emails in the span of 15 minutes. Luckily we have another addon for Exchange that allows us to route emails based on keywords, so I have anything with the word "Undeliverable" in the subject line being deleted at the moment and all is well.
RE: getting spammed by underliverables - 24.Mar.2008 3:14:21 PM
AbqBill
All, This type of spam is typically called backscatter. Make sure that you're not using the "fake" NDR feature built into the MailEssentials product, particularly if you're running it on an SMTP gateway in front of your mail server. Doing this can make it possible to exploit your server to send backscatter. Search this forum for the term backscatter for more information. HTH, Bill
RE: getting spammed by underliverables - 24.Mar.2008 3:31:22 PM
kharris
I have one user that got hit with almost 500 of these "undeliverable" messages on Saturday evening (3/24/08). The message headers are very similar to what pcecom posted above. I am currently running ME 11 in relay mode. My domain is blacklisted, and the user receiving these emails is not in the whitelist either. The other interesting thing is that very few of the messages are tagged as "newsender", and they are not in the whitelist either. I suppose the sender being shown as "system administrator" might be why they're not tagged as new. Another odd thing is that the ME Report for this recipient only shows 33 inbound messages, which is only a fraction of the messages that were received by this user. All of the sending IPs are external to my network, and are even blacklisted on several DNS BL sites.

The DNS blacklists I am currently using are:
bl.spamcop.net
sbl-xbl.spamhaus.org
dnsbl.sorbs.net

I disabled 3 other DNS blacklist sources about two weeks ago because everything I've read says not to have more than a couple of sources, but it seems like we had less spam passing through the system when I had six enabled. Any insight from GFI would be appreciated; it seems there is a wave of spam that bypasses ME every weekend, and then trickles in throughout the week.

Thanks, Keith
RE: getting spammed by underliverables - 24.Mar.2008 3:36:56 PM
kharris
Thanks Bill, I was about to say that I don't generate NDRs for any of the modules, but then I found that I actually had them set for the Header Checking module. I just disabled it, so we'll see if that makes a difference.
< Message edited by kharris -- 24.Mar.2008 4:34:17 PM >
RE: getting spammed by underliverables - 24.Mar.2008 3:41:35 PM
pcecom
Check this thread. http://forums.gfi.com/m_900747492/mpage_1/key_/tm.htm#900747496 Apparently ME will ignore processing NDRs unless a registry change is made. I just made the change to my server. Time will tell I guess.

If I understand everything that I have read, I think the problem is not related to NDRs coming from our server. The fact that ME is sending out NDRs should be irrelevant. The NDRs we are receiving are not real NDRs, but rather spam masquerading as an NDR since most spam filters do not process NDRs and will get through to the user's mailbox.
RE: getting spammed by underliverables - 24.Mar.2008 4:42:16 PM
kharris
Thanks pcecom, I didn't realize NDRs were not scanned by ME. That would explain why these types of messages aren't being tagged and are passing through so easily. By making the registry change ME will scan NDRs and DSNs just like normal mail, right? What about feeding the Bayesian filter with these "undeliverable" messages? Even though they are spam, they contain language that is common to real NDRs. Can this possibly cause legit NDRs to be identified by the Bayesian filter as spam?
RE: getting spammed by underliverables - 24.Mar.2008 4:48:12 PM
pcecom
I am not sure on the Bayesian filter. My "this is spam" folder is still full of NDRs I dumped there this morning. Not sure why they are not processing. I created a bunch of keywords to pick up the undeliverables. I seem to be getting a couple but they are new keywords. I think I will filter the word undeliverable for now.
RE: getting spammed by underliverables - 24.Mar.2008 5:01:03 PM
kharris
Yeah, mine isn't processing the undeliverables sent from "system administrator" in any of the public folders either. So I guess it won't affect the Bayesian filter if ME won't even process these mails. I wonder how we can identify them as spam to ME?
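
Added example, not part of any post in this thread and not a MailEssentials feature: one way to tell a bounce of mail you really sent from backscatter is to open the message/rfc822 part of the DSN (as in the header in the first post) and check which host handed the original to the bouncing server. The `OUR_OUTBOUND` network, the `.example` host names and the sample message are assumptions constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy
# Assumption: the network(s) your own outbound mail servers send from.
OUR_OUTBOUND = [ipaddress.ip_network("203.0.113.0/28")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample with the MIME layout of the header in the first post.
SAMPLE = """\
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

Delivery failed.
--B
Content-Type: message/delivery-status

Action: failed
Status: 5.1.1
--B
Content-Type: message/rfc822

Received: from client.example ([{ip}]) by bouncer.example; Mon, 24 Mar 2008 06:06:04 -0400
From: user@ourdomain.example

body
--B--
"""

def classify(raw):
    """Return 'not-a-dsn', 'unverifiable', 'genuine-bounce' or 'backscatter'."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return "not-a-dsn"
    returned = [p for p in msg.walk() if p.get_content_type() == "message/rfc822"]
    if not returned or not returned[0].is_multipart():
        return "unverifiable"  # no original attached, nothing to check
    original = returned[0].get_payload()[0]
    # The topmost Received line was written by the bouncing server itself, so
    # its bracketed IP is the host that really handed over the message.
    try:
        top = str(original.get_all("Received", [])[0])
        ip = ipaddress.ip_address(BRACKETED_IP.search(top).group(1))
    except (IndexError, AttributeError, ValueError):
        return "unverifiable"
    return "genuine-bounce" if any(ip in n for n in OUR_OUTBOUND) else "backscatter"
```

Bounces that attach no original, or only its headers, come back as `unverifiable` and should be held rather than deleted, since a real delivery failure can look the same.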