Receiving undeliverable email we did not send
Thanks for your responses!!!
jlnewmark | Jun 20 2007 6:23PM GMT
For more than a few years now, spam and viruses have been spoofing usernames to hide their tracks. The virus is almost certainly not on your user’s computer. However, their name is in the address book of a computer that DOES have a virus. That virus randomly selects people out of the address book as the “sender,” when it mails itself out — obviously, if you knew who the REAL sender was, you’d let them know they have a virus and they could do something about it.
If the problem is a spammer (you can usually tell from the content of the message), then that spammer is basically doing the same thing as a virus, except that he’s bought a mailing list and your user is on it. Your user can get on any number of mailing lists in very innocuous ways: they had to register on a news site (NY Times, Wash Post, Wall St. Journal, LA Times all require registration just to read articles, for instance), or even with a business group or Chamber of Commerce. These companies all promise that they will only share your information with their “authorized business partners.” Unfortunately, these business partners can ALSO share with THEIR business partners, and somewhere down the line, “business partner” becomes “whoever will pay me for the list.”
In both cases, the previous responder does have the bottom line — you really can’t stop these delivery failures for bogus emails without stopping delivery failures for ALL emails. Not a good idea.
The one ray of light is that these things don’t usually last more than a few days to a couple weeks at most. Then the virus is caught or goes inactive, or the spammer moves on to the next set of names on his list….
bobkberg | Jun 20 2007 11:49PM GMT
jlnewmark is pretty much on the button - I can’t add anything to what he’s said as far as describing the problem.
However, as for people who use your own email address against you… There is also graylisting - which can use the sending IP address of the message (which cannot be spoofed).
The idea behind graylisting is that much (sadly not all though) spam is sent as a one-time “broadcast”, whereas legitimate senders will retry to send after some period of time.
Another tactic is to make use of a blacklisting service (there are several) who try to keep up with the never-ending new sources of spam, and reject all email coming from them.
If you’re also willing to take the risk of blocking possible legitimate traffic, I’ve compiled a list of address blocks which are known to be in Asia, Europe, South America. Not a sure-fire thing either since the list is NOT comprehensive, but these can be filtered at your border router. Nothing secret about the addresses - it’s all public information (www.iana.org), but there’s another route for you.
Bob
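The greylisting idea Bob describes, as an added example (not code from the post): the first delivery attempt from a new (sending IP, envelope sender, recipient) triplet gets a temporary failure, and a retry after the delay is accepted. The triplet key, the delay and expiry values, and the injectable clock are assumptions chosen for illustration.

```python
import time

TEMPFAIL = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 OK"
RETRY_DELAY = 300        # seconds a sender must wait before a retry is accepted (assumed)
ENTRY_EXPIRY = 4 * 3600  # unseen triplets are forgotten after this long (assumed)


class Greylist:
    """In-memory greylist keyed on (sending IP, envelope sender, recipient)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so behaviour can be checked offline
        self._seen = {}          # triplet -> timestamp of first attempt
        self._passed = set()     # triplets that retried correctly at least once

    def check(self, client_ip, sender, rcpt):
        """Return the SMTP reply an MTA would give for this delivery attempt."""
        key = (client_ip, sender.lower(), rcpt.lower())
        now = self._now()
        if key in self._passed:
            return ACCEPT
        first = self._seen.get(key)
        if first is None or now - first > ENTRY_EXPIRY:
            # First contact (or a stale entry): defer and remember the triplet.
            # A one-shot spam "broadcast" never comes back for this step.
            self._seen[key] = now
            return TEMPFAIL
        if now - first < RETRY_DELAY:
            return TEMPFAIL      # retried too quickly: keep deferring
        # A real MTA queued the message and retried after the delay: accept.
        self._passed.add(key)
        del self._seen[key]
        return ACCEPT
```

Because the key includes the sending IP, a forged "from" address does not help the spammer; only a sender that actually queues and retries from the same host gets through.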
ericcomputer | Jun 21 2007 8:40AM GMT
Another possibility to avoid this (and other “spoofing” problems) is to set your mail server to do a Reverse-DNS check (RDNS) before accepting any inbound mail. Basically what this does is it checks the IP address that the message originated from using RDNS to see if it matches the “from” address (domain) of the sender (let’s say for example the message has a “from” address of: user@company.com), and then your mail server will compare the result of the RDNS check (a domain name) to see if there is a match. If that IP address matches the IP address that the message came from (in the message headers), then the message will be accepted. If it does not match, it will be rejected, sometimes even without a non-delivery response.
The problem with a lot of RDNS checking logic is that many companies (and ISPs) either do not have RDNS set up at all, or the RDNS address reports with the ISP’s domain name, not the company that is utilizing that IP; therefore, legitimate mail could easily be rejected without notice.
Microsoft Exchange has such a feature buried within the SMTP Virtual Server (or SMTP connector if you’re using one) settings.
Yet another method for checking and protecting against mail spoofing (or at least having YOUR domain spoofed) is to add an SPF (Sender Policy Framework) record to the zone file of your domain (usually done at the ISP level). You can read more about SPF records here:
http://www.openspf.org/Introduction
It is surprising how few domains have an SPF record defined…
Good luck,
–Eric
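How a receiving server uses the SPF record Eric recommends, as an added example (not code from the post or from openspf.org): the record lists which IPs may send for the domain, and a receiver that checks it can refuse forged mail at SMTP time instead of bouncing it back to the spoofed user. The example.com/soft.example records and the sending IPs are constructed; only ip4, ip6 and the catch-all all mechanism are implemented, and the DNS lookup is replaced by a dictionary.

```python
import ipaddress

# Constructed zone-file records, as they would appear in DNS:
#   example.com.   IN TXT "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all"
#   soft.example.  IN TXT "v=spf1 ip4:192.0.2.0/28 ~all"
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    "soft.example": "v=spf1 ip4:192.0.2.0/28 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Evaluate the domain's SPF record against the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (malformed record). The a/mx/include mechanisms are not
    handled in this example and are skipped."""
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # no policy published: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"                         # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # garbage in the published record
            if ip in net:                  # False when address families differ
                return QUALIFIERS[qual]
        elif mech == "all":
            return QUALIFIERS[qual]        # catch-all decides everything not matched above
    return "neutral"                       # no mechanism matched and no 'all' term
```

A "fail" result is what lets the far end reject the forged message during the SMTP session, so no delivery failure is generated for the user whose address was spoofed.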
jlnewmark | Jun 21 2007 9:27AM GMT
The only problem with a reverse DNS check is that the domain from which the Delivery Failure is coming is almost certainly legitimate and “Mailer Daemon” or “System Administrator” from that domain is going to be a good address. Unless your reverse DNS will check back through all the steps to the origination of the message, at which point you will finally see the mismatch, I’m not sure this will help against delivery failures. It will certainly help against other spoofed emails.
TedRizzi | Jun 22 2007 9:14AM GMT
This is a very common issue: someone’s computer is infected with a virus and is sending out spam, spoofing the sender’s email address with your users’ email addresses. It could even be one of your users’ home computers or a business contact.
The cure is simple: show your users where the delete key is on the keyboard.
There is no way to prevent this from happening. If you have email content filtering software you can create a filter to block it. Other than that, not much you can do.