getting spammed by undeliverables (Full Version)

All Forums >> [Content Security] >> GFI MailEssentials for Exchange/SMTP

pcecom -> getting spammed by undeliverables (24.Mar.2008 10:18:55 AM)

This morning my users are getting spammed by messages with the subject "Undeliverable:" and then some text.
Why is this getting through GFI? I have been dragging them to the "This is spam" folder. What else should I do to prevent this?

This is one of the email headers...

Microsoft Mail Internet Headers Version 2.0
Received: from pawt001.vpispecialist.com ([68.15.35.33]) by pcecom.com with Microsoft SMTPSVC(6.0.3790.3959);
   Mon, 24 Mar 2008 06:04:42 -0400
From: postmaster@vpi3pl.com
To: myemailaddress
Date: Mon, 24 Mar 2008 06:06:05 -0400
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
  boundary="9B095B5ADSN=_01C882C7095C052C003500AApawt001.vpispeci"
X-DSNContext: 335a7efd - 4523 - 00000001 - 80040546
Message-ID: <o2d3gwhDC001ac748@pawt001.vpispecialist.com>
Subject: Delivery Status Notification (Failure)
Return-Path: <>
X-OriginalArrivalTime: 24 Mar 2008 10:04:42.0537 (UTC) FILETIME=[7AD3C990:01C88D96]

--9B095B5ADSN=_01C882C7095C052C003500AApawt001.vpispeci
Content-Type: text/plain; charset=unicode-1-1-utf-7

--9B095B5ADSN=_01C882C7095C052C003500AApawt001.vpispeci
Content-Type: message/delivery-status

--9B095B5ADSN=_01C882C7095C052C003500AApawt001.vpispeci
Content-Type: message/rfc822

Received: from g227197168.adsl.alicedsl.de ([92.227.197.168]) by pawt001.vpispecialist.com with Microsoft SMTPSVC(6.0.3790.1830);
   Mon, 24 Mar 2008 06:06:04 -0400
Message-ID: <000601c88d96$03b87ff1$3ed18baa@mcbdqytq>
From: "ax baldemar" <myemailaddress>
To: "Forrest Kyle" <suiiljs@vpispecialist.com>
Subject: Give A Gift With Meaning
Date: Mon, 24 Mar 2008 08:17:13 +0000
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Return-Path: myemailaddress
X-OriginalArrivalTime: 24 Mar 2008 10:06:04.0747 (UTC) FILETIME=[ABD409B0:01C88D96]


--9B095B5ADSN=_01C882C7095C052C003500AApawt001.vpispeci--

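The message quoted above is a multipart/report DSN: the bouncing server wraps the spam it rejected in a message/rfc822 part, and that "original" carries the recipient's own address as its forged From. The following is an added example, not code from this thread or from GFI MailEssentials, that parses such a DSN with Python's standard email package and decides whether the bounce is for mail we really sent. The domain, relay hosts, IPs and addresses are assumed placeholders, and the DSN is constructed on the model of the headers pcecom posted.

```python
"""Classify a delivery status notification (DSN) as a real bounce or backscatter.

Added example; not code from the thread or from GFI MailEssentials. It parses a
multipart/report DSN, pulls out the embedded message/rfc822 "original" and asks
whether that original ever left through one of our outbound hosts. If not, the
bounce is for mail we never sent: backscatter caused by a forged sender address.
"""
import email
import re
from email import policy
from email.message import Message
from email.utils import parseaddr

# Hypothetical values: our domain and the hosts/IPs that relay our outbound mail.
OUR_DOMAIN = "example.com"
OUR_OUTBOUND = {"mail.example.com", "203.0.113.10"}

# Matches the "from <host> ([<ip>])" clause an MTA writes into a Received line.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)", re.IGNORECASE)

# Constructed Received lines for the embedded original: a spam bot delivering
# straight to the bouncing MTA, versus a message that really left via our relay.
FORGED_RECEIVED = ("from dsl-pool-55.isp.example ([192.0.2.55]) by bouncer.example.net "
                   "with SMTP; Mon, 24 Mar 2008 06:06:04 -0400")
GENUINE_RECEIVED = ("from mail.example.com ([203.0.113.10]) by bouncer.example.net "
                    "with SMTP; Mon, 24 Mar 2008 06:06:04 -0400")


def make_dsn(original_received: str) -> str:
    """Build a constructed DSN modeled on the headers quoted in the thread.

    Hosts, IPs and addresses are placeholders; only the embedded original's
    Received line varies so that both verdicts can be demonstrated.
    """
    return (
        "From: postmaster@bouncer.example.net\n"
        "To: victim@example.com\n"
        "Return-Path: <>\n"
        "Subject: Delivery Status Notification (Failure)\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="DSNBOUND"\n'
        "\n--DSNBOUND\nContent-Type: text/plain\n\n"
        "This is an automatically generated Delivery Status Notification.\n"
        "\n--DSNBOUND\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; bouncer.example.net\n\n"
        "Final-Recipient: rfc822; nobody@bouncer.example.net\nAction: failed\nStatus: 5.1.1\n"
        "\n--DSNBOUND\nContent-Type: message/rfc822\n\n"
        f"Received: {original_received}\n"
        'From: "ax baldemar" <victim@example.com>\n'
        "To: nobody@bouncer.example.net\nSubject: Give A Gift With Meaning\n\n"
        "spam body\n\n--DSNBOUND--\n"
    )


def extract_original(dsn: Message):
    """Return the embedded original from a multipart/report DSN, or None."""
    if dsn.get_content_type() != "multipart/report":
        return None
    if dsn.get_param("report-type") != "delivery-status":
        return None
    for part in dsn.walk():
        if part.get_content_type() == "message/rfc822":
            payload = part.get_payload()
            return payload[0] if payload else None
    return None


def last_hop(original: Message):
    """Host and IP from the topmost Received line, the one the bouncing MTA wrote.

    Only that line is trustworthy: a sender can forge every Received line below
    it, but not the one stamped by the MTA that accepted the connection.
    """
    received = original.get_all("Received") or []
    match = RECEIVED_FROM.search(str(received[0])) if received else None
    return (match.group(1).lower(), match.group(2)) if match else (None, None)


def classify_dsn(raw: str) -> dict:
    """Verdict: 'legitimate-bounce', 'backscatter', 'unrelated' or 'not-a-dsn'."""
    dsn = email.message_from_string(raw, policy=policy.default)
    original = extract_original(dsn)
    if original is None:
        return {"verdict": "not-a-dsn"}
    host, ip = last_hop(original)
    sender = parseaddr(str(original.get("From", "")))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    if host in OUR_OUTBOUND or ip in OUR_OUTBOUND:
        verdict = "legitimate-bounce"  # we really handed this message off
    elif sender_domain == OUR_DOMAIN:
        verdict = "backscatter"  # claims to be ours but never touched our relay
    else:
        verdict = "unrelated"
    return {"verdict": verdict, "claimed_sender": sender, "last_hop": (host, ip)}


if __name__ == "__main__":
    for label, rcv in (("forged", FORGED_RECEIVED), ("genuine", GENUINE_RECEIVED)):
        print(label, classify_dsn(make_dsn(rcv)))
```

The deciding signal is the topmost Received line inside the embedded original, because the bouncing MTA wrote it itself when the connection arrived; a bot delivering a forged message straight from a dial-up host will never show one of our relays there. The same mechanism is behind Bill's warning later in the thread about "fake" NDRs: an NDR generated for a message with a forged sender is delivered to that forged address, which is exactly what these users are receiving.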



joelong -> RE: getting spammed by undeliverables (24.Mar.2008 10:35:09 AM)

We got hit with this this weekend, too.  A few users had over 250 of these messages alone.

From what I can tell, it's all backscatter; they all say they originally came from my users, so GFI won't touch this stuff, right?




cai -> RE: getting spammed by undeliverables (24.Mar.2008 2:10:01 PM)

I have one user that got hit with this today as well. What is troubling to me is the email addresses should not be getting through the filters as they are not whitelisted.

Thanks,

Jason




pcecom -> RE: getting spammed by undeliverables (24.Mar.2008 2:26:27 PM)

I have verified my domain is blacklisted and does not appear in the whitelist either. I added part of the subject to the keyword filter and they are still getting through. I get about 10 per hour.




cai -> RE: getting spammed by undeliverables (24.Mar.2008 2:41:57 PM)

I just found my problem: my user's email was in the whitelist.  I think it had been auto-listed.  I deleted it and now they are not getting any more emails.




pbparker -> RE: getting spammed by undeliverables (24.Mar.2008 2:52:03 PM)

We're getting crushed by these undeliverables as well.

My question is are these in fact true bounces of undeliverables from someone using our email as a sender?  They're all bouncing back to a single email address.

EDIT - Argh.. I got some of the original emails bounced back in the undeliverables and they are in fact using our email addresses to send spam with.  That sucks.




pcecom -> RE: getting spammed by undeliverables (24.Mar.2008 2:56:03 PM)

I would like to clarify this is happening to a single user for me as well, as far as I can tell at the moment.




pbparker -> RE: getting spammed by undeliverables (24.Mar.2008 2:58:40 PM)

It's strange here too, out of the blue we got at least 250+ emails in the span of 15 minutes.

Luckily we have another addon for Exchange that allows us to route emails based on keywords, so I have anything with the word "Undeliverable" in the subject line being deleted at the moment and all is well.




AbqBill -> RE: getting spammed by undeliverables (24.Mar.2008 3:14:21 PM)

All,

This type of spam is typically called backscatter.

Make sure that you're not using the "fake" NDR feature built into the MailEssentials product, particularly if you're running it on an SMTP gateway in front of your mail server. Doing this can make it possible to exploit your server to send backscatter.

Search this forum for the term backscatter for more information.

HTH,

Bill




kharris -> RE: getting spammed by undeliverables (24.Mar.2008 3:31:22 PM)

I have one user that got hit with almost 500 of these "undeliverable" messages on Saturday evening (3/24/08). The message headers are very similar to what pcecom posted above.

I am currently running ME 11 in relay mode. My domain is blacklisted, and the user receiving these emails is not in the whitelist either. The other interesting thing is that very few of the messages are tagged as "newsender", and they are not in the whitelist either. I suppose the fact that the sender is shown as "system administrator" might be why they're not tagged as new.

Another odd thing is that the ME Report for this recipient only shows 33 inbound messages, which is only a fraction of the messages that were received by this user. All of the sending IPs are external to my network, and are even blacklisted on several DNSBL sites. The DNS blacklists I am currently using are:
           bl.spamcop.net
           sbl-xbl.spamhaus.org
           dnsbl.sorbs.net

I disabled 3 other DNS blacklist sources about two weeks ago because everything I've read says not to have more than a couple of sources, but it seems like we had less spam passing through the system when I had six enabled.

Any insight from GFI would be appreciated, it seems there is a wave of spam that bypasses ME every weekend, and then trickles in throughout the week. Thanks,

Keith


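The three zones kharris lists are queried by name rather than by IP: the octets of the connecting IPv4 address are reversed, the zone is appended, and an A record in 127.0.0.0/8 means "listed" while NXDOMAIN means "not listed". The following added example, not the thread's or GFI's code, performs that lookup with an injectable resolver so it runs offline against a constructed listing table; the listed address 192.0.2.55 and its return codes are made up, and socket_resolver is the drop-in for real queries.

```python
"""Look up a connecting IP in a set of DNS blacklists (DNSBLs).

Added example; not code from the thread or from GFI MailEssentials. A DNSBL is
queried by reversing the IPv4 octets and appending the zone. An answer inside
127.0.0.0/8 means the address is listed; a non-existent name means it is not.
The resolver is passed in so the check can run offline against a constructed
table of answers.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# The three zones named in the post above.
ZONES = ["bl.spamcop.net", "sbl-xbl.spamhaus.org", "dnsbl.sorbs.net"]

# A resolver maps a DNS name to its A record, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def socket_resolver(name: str) -> Optional[str]:
    """Real lookup through the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones: List[str], resolve: Resolver) -> Dict[str, str]:
    """Return {zone: return_code} for every zone that lists the address."""
    hits: Dict[str, str] = {}
    listed_range = ipaddress.ip_network("127.0.0.0/8")
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        # Only 127/8 answers are list entries; anything else is a wildcard or an error.
        if answer and ipaddress.ip_address(answer) in listed_range:
            hits[zone] = answer
    return hits


# Constructed DNS answers standing in for the real zones (192.0.2.0/24 is
# documentation address space, so nothing here refers to a real host).
FAKE_DNS = {
    "55.2.0.192.bl.spamcop.net": "127.0.0.2",
    "55.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.4",
}


def fake_resolver(name: str) -> Optional[str]:
    """Offline resolver backed by the constructed table above."""
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    print(check_ip("192.0.2.55", ZONES, fake_resolver))
```

Apply the check to the IP in the Received line your own server wrote, since that is the only line that records who really connected; an IP quoted inside an embedded original is whatever the sender chose to put there. Two sanity checks belong next to any zone list: per RFC 5782 a working zone lists the test address 127.0.0.2 and does not list 127.0.0.1, and a zone that starts answering for every address has usually been shut down and will then reject all mail, which is one reason to keep the list of zones short.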


kharris -> RE: getting spammed by undeliverables (24.Mar.2008 3:36:56 PM)

Thanks Bill, I was about to say that I don't generate NDRs for any of the modules, but then I found that I actually had them set for the Header Checking module. I just disabled it, so we'll see if that makes a difference.




pcecom -> RE: getting spammed by undeliverables (24.Mar.2008 3:41:35 PM)

Check this thread.

http://forums.gfi.com/m_900747492/mpage_1/key_/tm.htm#900747496

Apparently ME will ignore processing of NDRs unless a registry change is made. I just made the change to my server. Time will tell I guess.

If I understand everything that I have read, I think the problem is not related to NDRs coming from our server. The fact that ME is sending out NDRs should be irrelevant. The NDRs we are receiving are not real NDRs, but rather spam masquerading as NDRs, since most spam filters do not process NDRs and so they get through to the user's mailbox.




kharris -> RE: getting spammed by undeliverables (24.Mar.2008 4:42:16 PM)

Thanks pcecom, I didn't realize NDRs were not scanned by ME. That would explain why these types of messages aren't being tagged and are passing through so easily. By making the registry change, ME will scan NDRs and DSNs just like normal mail, right?

What about feeding the Bayesian filter with these "undeliverable" messages? Even though they are spam, they contain language that is common to real NDRs. Can this possibly cause legit NDRs to be identified by the Bayesian filter as spam?




pcecom -> RE: getting spammed by undeliverables (24.Mar.2008 4:48:12 PM)

I am not sure on the Bayesian filter. My "This is spam" folder is still full of NDRs I dumped there this morning. Not sure why they are not processing. I created a bunch of keywords to pick up the undeliverables. I seem to be getting a couple, but they are new keywords. I think I will filter the word "undeliverable" for now.




kharris -> RE: getting spammed by undeliverables (24.Mar.2008 5:01:03 PM)

Yeah, mine isn't processing the undeliverables sent from "system administrator" in any of the public folders either. So I guess it won't affect the Bayesian filter if ME won't even process these mails. I wonder how we can identify them as spam to ME?



