Flood of "System Administrator" Undeliverable SPAM, please help (Full Version)

All Forums >> [Content Security] >> GFI MailEssentials for Exchange/SMTP



Message

huffinagle -> Flood of "System Administrator" Undeliverable SPAM, please help (26.Mar.2008 5:51:55 PM)

Today I began to receive thousands of NDR email messages at various user email account throughout my organization.

It looks like a spammer is using the SMTP address of my users in their spam messages. When those spam messages do not reach their intended mailbox and generate an NDR, the NDR is sent to my user.

Is there any possible solution to this crisis?

Literally thousands of spam are entering my system unhindered.

Thank you for helping, Matthew



Nicks -> RE: Flood of "System Administrator" Undeliverable SPAM, please help (27.Mar.2008 3:26:49 AM)

Hi Matthew,

By default, GFI MailEssentials does not scan Delivery Status Notifications (DSN) messages, which include NDRs. This knowledgebase article explains how to enable this functionality in GFI MailEssenitals.

http://kbase.gfi.com/showarticle.asp?id=KBID003322

Let us know how it goes.



dadams -> RE: Flood of "System Administrator" Undeliverable SPAM, please help (27.Mar.2008 7:25:23 AM)

Nicks,

I have made the indicated change to the registry and I am still getting these emails unfiltered.  I added keywords such as "Undeliverable" to the keyword list and still no effect.

What's going on?  I'm having users groaning big time about having to delete 200-300 of these messages.

Thanks,

Don



Eric -> RE: Flood of "System Administrator" Undeliverable SPAM, please help (27.Mar.2008 8:09:41 AM)

I'm having the same exact problem.  I haven't tried the registry hack yet, but I will.

Eric



rodent69 -> RE: Flood of "System Administrator" Undeliverable SPAM, please help (27.Mar.2008 10:07:16 AM)

I did the registry change to enable NDR scanning several days ago.  Enabled recipient filtering, enabled tarpitting and disabled NDRs on Exchange.  Created keyword blocks for undeliverables.  I still get messages from 'System Administrator' like

The following recipient(s) could not be reached:

     jeffreycsmithdd@cerberian.com on 3/27/08 6:25 AM
           The e-mail system was unable to deliver the message, but did not report a specific reason.  Check the address and try again.  If it still fails, contact your system administrator.
           < mail.cerberian.com #5.0.0 X-Postfix; host /kolab/var/kolab/lmtp[/kolab/var/kolab/lmtp]    said: 550-Mailbox unknown.  Either there is no mailbox associated with this    550-name or you do not have authorization to see it. 550 5.1.1 User unknown    (in reply to RCPT TO command)>

and

The following recipient(s) could not be reached:

     lorrainedurrettdd@fwtinc.com on 3/26/08 11:00 PM
           There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
           < mtac5.prodigy.net #5.5.0 SMTP; 554 Too many connections from origin>



dadams -> RE: Flood of "System Administrator" Undeliverable SPAM, please help (27.Mar.2008 10:12:44 AM)

As stated before I have made the registry change and rebooted my email server.  I have been looking through the GFI monitor and these emails are NOT passing through it before or after the change.

GFI,

Please let us know if you are looking further into this issue.  The registry change you have promoted for this issue DOES NOT work.[:@]

Thanks.



Nicks -> RE: Flood of "System Administrator" Undeliverable SPAM, please help (27.Mar.2008 10:35:39 AM)

Hi,

If the suggestion does not work, please contact GFI support, since we would need to take it on a case by case basis. Please enable debug, and wait for the problem to be reproduced, and send us samples of the NDR messages that you are receiving together with the troubleshooting files.

More information on how to enable debug, and how to generate the troubleshooting files can be found at http://forums.gfi.com/General_Information/m_900727096/tm.htm

Thank you



rodent69 -> RE: Flood of "System Administrator" Undeliverable SPAM, please help (27.Mar.2008 12:54:22 PM)

Like I would be posting in forums if I had a current support contract.

The bayesian tag is all over the headers on the one I looked at, but not showing up on the outlook subject line.
My email changed to rod@ks.com protect the innocent ... me.

My Outlook shows the last untagged subject line 'Undeliverable: RE: Discount. Coupon #enmpo'

Microsoft Mail Internet Headers Version 2.0
Received: from mail pickup service by ks.com with Microsoft SMTPSVC;
    Thu, 27 Mar 2008 11:11:34 -0500
x-endofinjectedxheaders:3179
Thread-Topic: rod@ks.com - Bayesian Filter detected spam - Returned mail: see transcript for details
Received: from mail2.ewetel.de ([212.6.122.116]) by ks.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 27 Mar 2008 11:11:30 -0500
Received: from localhost (localhost) by mail2.ewetel.de (8.12.1/8.12.9) id m2RGBT2e028027; Thu, 27 Mar 2008 17:11:29 +0100 (CET)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
Date: Thu, 27 Mar 2008 17:11:29 +0100 (CET)
From: Mail Delivery Subsystem <MAILER-DAEMON@mail2.ewetel.de>
Message-ID: <200803271611.m2RGBT2e028027@mail2.ewetel.de>
To: <rod@ks.com>
MIME-Version: 1.0
Content-Type: multipart/report;
   report-type=delivery-status;
   boundary="m2RGBT2e028027.1206634289/mail2.ewetel.de"
Subject: rod@ks.com - Bayesian Filter detected spam - Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
X-CheckCompat: OK
Return-Path:
X-OriginalArrivalTime: 27 Mar 2008 16:11:30.0557 (UTC) FILETIME=[37DE62D0:01C89025]

--m2RGBT2e028027.1206634289/mail2.ewetel.de
Content-Type: text/plain;
   charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

--m2RGBT2e028027.1206634289/mail2.ewetel.de
Content-Transfer-Encoding: 7bit
Content-Type: message/delivery-status

--m2RGBT2e028027.1206634289/mail2.ewetel.de
Content-Transfer-Encoding: 7bit
Content-Type: message/rfc822

Return-Path: <rod@ks.com>
Received: from 30bff7d5958b45c (shpd-78-36-185-54.vologda.ru [78.36.185.54])
   by mail2.ewetel.de (8.12.1/8.12.9) with SMTP id m2RGBP2e027902
   for <rod@kid-systeme.de>; Thu, 27 Mar 2008 17:11:27 +0100 (CET)
Date: Thu, 27 Mar 2008 17:11:25 +0100 (CET)
X-Envelope-To: <rod@kid-systeme.de>
X-Originating-IP: [78.0.83.07]
X-Originating-Email: [rod@kid-systeme.de]
X-Sender: rod@kid-systeme.de
Message-Id: <20080327101231.22641.qmail@30bff7d5958b45c>
To: <rod@kid-systeme.de>
Subject: RE: Discount. Coupon #enmpo
From: <rod@kid-systeme.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-CheckCompat: OK


--m2RGBT2e028027.1206634289/mail2.ewetel.de--



huffinagle -> RE: Flood of "System Administrator" Undeliverable SPAM, please help (27.Mar.2008 1:41:55 PM)

Nick,

I made the registry edit for DSN and restarted IIS Admin Service. That allowed ME to analyze the NDR email entering my system.

I have added many keywords to my "subject" keyword checker. Most of these are being blocked now, however, some still enter. I don't understand how this is possible.

For example: The word "viagra" is most certainly in my keyword checker for subjects, but NDR spam with that word in the subject line is still entering the system.

Do you have any suggestions?

Matthew



wrabbit -> RE: Flood of "System Administrator" Undeliverable SPAM, please help (28.Mar.2008 6:55:44 AM)

We've recently had a deluge of these.  I've been experimenting this morning with the best way of tackling.

I've made the registry change, and the NDRs are now passing through GFI.  However there are a few issues.

My test scenario is ME 12 and Exchange 2000.  And sending the NDR generating e-mail through a seperate Exchange 2000 server.

Keyword checking, either body or subject, for standard spam words does not work.  The body is not analysed at all as far as I can see, probably due to the message being of a special type.  The reason subject checking does not work is because the mail actually has 2 sets of headers - the original sending one and the bounce one.  This results in 2 subject lines:

Subject: Delivery Status Notification (Failure)
Subject: casino

It seems only the first is analysed by GFI.  I've verified this by sending a standard message (ie not an NDR) with 2 subjects eg
subject: Perfectly normal e-mail
subject: Casino

The e-mail does not get caught by the keyword subject checking (despite Casino being listed) as only the first subject is checked, and Outlook displays the second subject.  As far as I'm concerned this is a bug - all subjects within the headers should be checked.

Working on this basis I then added the word (Failure) to the header checking.  The mails are then caught.  This is far from ideal as it means that I'm working on the basis of all NDRs being tagged as spam.

Next was the issue of what happens to the mail when it is IDed as spam.  Most of our spam catching actually gets forwarded to an internal e-mail address eg spamreview@ourdomain.com  The mails were never arriving there.  The log file showed the were IDed as spam, and were being forwarded.  They never arrived.  When I modified the action to Tag the mails were delivered to the recipient, with the first subject in the headers modified.
eg Subject: +AFs-SPAM+AF0- - Delivery Status Notification (Failure) - Found word(s) (Failure) in the subject

So the summary is that the NDR checking for Exchange generated bounces is practically useless as it's so limited in its operation.  I'm gathering together some more NDR spam from other types of mail servers to see if I can at least reduce the volume.



huffinagle -> RE: Flood of "System Administrator" Undeliverable SPAM, please help (28.Mar.2008 11:13:47 AM)

WRABBIT,

That is very good analysis.

GFI, can you please investigate the "second subject" issue wrabbit illustrates in his post above?



wrabbit -> RE: Flood of "System Administrator" Undeliverable SPAM, please help (1.Apr.2008 4:08:31 AM)

I've now got another client who is complaining about the hundreds of NDR spam they are getting.  Blocking all NDRs is most definitely not an option at this site.  And of course the people who are most effected are always senior management - you know, the decision makers.

We really need a viable option for this.



LukeQuake -> RE: Flood of "System Administrator" Undeliverable SPAM, please help (1.Apr.2008 4:27:16 AM)

Exactly the same problem here as well...

I've sent an email to GFI Support this morning but all I've been told previous is that 'dealing with backscatter is on the list of improvments for GFI'....




andih98uk -> RE: Flood of "System Administrator" Undeliverable SPAM, please help (1.Apr.2008 4:50:23 AM)

I've been having this problem as well but doing all the improvements here it's pretty much come under control apart from a few.

Another thing to check is go into your whitelist and check there are no entried with @yourdomain.com in as these will bypass the keyword check.

If you need to search, copy the config.mdb from the program files\gfi\mailessentials directory and edit in access.

i found quite a few of my user accounts in there.



andreasoc -> RE: Flood of "System Administrator" Undeliverable SPAM, please help (1.Apr.2008 5:30:40 AM)

quote:

ORIGINAL: Nicks

Hi Matthew,

By default, GFI MailEssentials does not scan Delivery Status Notifications (DSN) messages, which include NDRs. This knowledgebase article explains how to enable this functionality in GFI MailEssenitals.

http://kbase.gfi.com/showarticle.asp?id=KBID003322

Let us know how it goes.

thanks



Page: [1] 2 3 4 5   next >   >>