Receiving undeliverable email we did not send

Hi everyone,

One of our users keeps getting undeliverable email messages. It looks like someone out there is sending mail and making it look like it is coming from him. Is there any way to stop this? We are running Exchange 2007. I don't think it is relaying or a virus. It does this even when his PC is off. Thanks for your responses!

Answer Wiki


Spammers use your email return address to keep themselves from getting blocked. There is nothing you can do about this, unless someone figures out a way to handle the problem network-wide.

Bob here – This is also a technique used to spread viruses and spam in general. The fact that your email address gets used means that the infected machine belongs to someone who has emailed you at some time – and has your address in their list.

————————-
See this similar question and answers.

=======================================================================
This is not necessarily a virus infection. It is called mail “Spoofing”. The message appears to be sent by a user. The spammers use a combination of characters and send messages out “as a User”. Unless there is SMTP authentication security in place, you cannot do anything about it.

– Symyuser

Discuss This Question: 10  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Jlnewmark
    For more than a few years now, spam and viruses have been spoofing usernames to hide their tracks. The virus is almost certainly not on your user's computer. However, their name is in the address book of a computer that DOES have a virus. That virus randomly selects people out of the address book as the "sender," when it mails itself out -- obviously, if you knew who the REAL sender was, you'd let them know they have a virus and they could do something about it. If the problem is a spammer (you can usually tell from the content of the message), then that spammer is basically doing the same thing as a virus, except that he's bought a mailing list and your user is on it. Your user can get on any number of mailing lists in very innocuous ways: they had to register on a news site (NY Times, Wash Post, Wall St. Journal, LA Times all require registration just to read articles, for instance), or even with a business group or Chamber of Commerce. These companies all promise that they will only share your information with their "authorized business partners." Unfortunately, these business partners can ALSO share with THEIR business partners, and somewhere down the line, "business partner" becomes "whoever will pay me for the list." In both cases, the previous responder does have the bottom line -- you really can't stop these delivery failures for bogus emails without stopping delivery failures for ALL emails. Not a good idea. The one ray of light is that these things don't usually last more than a few days to a couple weeks at most. Then the virus is caught or goes inactive, or the spammer moves on to the next set of names on his list....
  • Bobkberg
    jlnewmark is pretty much on the button - I can't add anything to what he's said as far as describing the problem. However, as for people who use your own email address against you... There is also graylisting - which can use the sending IP address of the message (which cannot be spoofed). The idea behind graylisting is that much (sadly not all though) spam is sent as a one-time "broadcast", whereas legitimate senders will retry to send after some period of time. Another tactic is to make use of a blacklisting service (there are several) who try to keep up with the never-ending new sources of spam, and reject all email coming from them. If you're also willing to take the risk of blocking possible legitimate traffic, I've compiled a list of address blocks which are known to be in Asia, Europe, South America. Not a sure-fire thing either since the list is NOT comprehensive, but these can be filtered at your border router. Nothing secret about the addresses - it's all public information (www.iana.org), but there's another route for you. Bob
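The graylisting decision Bob describes, sketched as an added example that is not part of the original reply. Keying on the (IP, sender, recipient) triplet, the 300-second delay, the retry window and the 451 reply text are assumptions; the addresses are constructed documentation values.

```python
import time

class Greylist:
    """Defer the first attempt from each unseen (IP, sender, recipient) triplet."""

    def __init__(self, min_delay=300, retry_window=4 * 3600, clock=time.time):
        self.min_delay = min_delay        # seconds a new triplet must wait (assumed)
        self.retry_window = retry_window  # a retry must arrive within this time
        self.clock = clock                # injectable so the logic can be tested
        self.first_seen = {}              # triplet -> time of first attempt
        self.passed = set()               # triplets that already retried correctly

    def check(self, client_ip, mail_from, rcpt_to):
        """Return the SMTP reply (code, text) to give at RCPT TO time."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        now = self.clock()
        if key in self.passed:
            return (250, "OK")
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = now    # new or stale triplet: start the timer
            return (451, "4.7.1 Greylisted, please retry later")
        if now - first < self.min_delay:
            return (451, "4.7.1 Greylisted, please retry later")
        self.passed.add(key)              # sender queued and retried like a real MTA
        return (250, "OK")

def demo():
    """Replay constructed delivery attempts against a fake clock."""
    now = [0.0]
    gl = Greylist(clock=lambda: now[0])
    triplet = ("192.0.2.10", "alice@example.org", "user@example.com")
    codes = [gl.check(*triplet)[0]]       # first attempt: deferred
    now[0] = 60
    codes.append(gl.check(*triplet)[0])   # retried too soon: still deferred
    now[0] = 400
    codes.append(gl.check(*triplet)[0])   # retried after the delay: accepted
    # A one-shot sender at another IP never gets past the first deferral.
    codes.append(gl.check("203.0.113.7", "alice@example.org", "user@example.com")[0])
    return codes

if __name__ == "__main__":
    print(demo())
```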
  • Ericcomputer
    Another possibility to avoid this (and other "spoofing" problems) is to set your mail server to do a Reverse-DNS check (RDNS) before accepting any inbound mail. Basically what this does is it checks the IP address that the message originated from using RDNS to see if it matches the "from" address (domain) of the sender (let's say for example the message has a "from" address of: user@company.com), and then your mail server will compare the result of the RDNS check (a domain name) to see if there is a match. If that IP address matches the IP address that the message came from (in the message headers), then the message will be accepted. If it does not match, it will be rejected, sometimes even without a non-delivery response. The problem with a lot of RDNS checking logic is that many companies (and ISPs) either do not have RDNS set up at all, or the RDNS address reports with the ISP's domain name, not the company that is utilizing that IP; therefore, legitimate mail could easily be rejected without notice. Microsoft Exchange has such a feature buried within the SMTP Virtual Server (or SMTP connector if you're using one) settings. Yet another method for checking and protecting against mail spoofing (or at least having YOUR domain spoofed) is to add an SPF (Sender Policy Framework) record to the zone file of your domain (usually done at the ISP level). You can read more about SPF records here: http://www.openspf.org/Introduction. It is surprising how few domains have an SPF record defined... Good luck, --Eric
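How a receiving server would evaluate the kind of SPF record Eric mentions, as an added example that is not part of the original reply. The record and addresses are constructed documentation values, and only the ip4, ip6 and all mechanisms are handled; terms that need DNS lookups raise an error instead of being skipped.

```python
import ipaddress

# RFC 7208 qualifier -> result returned when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF TXT record for client_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                          # no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mechanism.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]       # catch-all, normally the last term
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue                           # no match: try the next mechanism
        # a, mx, include, redirect= and similar need DNS; out of scope here
        raise ValueError("term not handled in this offline example: " + term)
    return "neutral"                           # nothing matched and no "all"

# Constructed policy for example.com: two authorised sources, reject the rest.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"

def demo():
    """Check an authorised mail server and an unrelated host claiming the domain."""
    return {
        "192.0.2.10": evaluate_spf(SAMPLE_RECORD, "192.0.2.10"),
        "203.0.113.7": evaluate_spf(SAMPLE_RECORD, "203.0.113.7"),
    }

if __name__ == "__main__":
    print(demo())
```

A receiver that enforces the "fail" result rejects the spoofed message during the SMTP session, so no bounce is generated toward the forged sender; receivers that do not check SPF are unaffected by the record.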
  • Jlnewmark
    The only problem with a reverse DNS check is that the domain from which the Delivery Failure is coming is almost certainly legitimate and "Mailer Daemon" or "System Administrator" from that domain is going to be a good address. Unless your reverse DNS will check back through all the steps to the origination of the message, at which point you will finally see the mismatch, I'm not sure this will help against delivery failures. It will certainly help against other spoofed emails.
  • TedRizzi
    This is a very common issue: someone's computer is infected with a virus and is sending out spam, spoofing the sender's email address with your users' email addresses. It could even be one of your users' home computers or a business contact. The cure is simple: show your users where the delete key is on the keyboard. There is no way to prevent this from happening. If you have email content filtering software, you can create a filter to block it. Other than that, not much you can do.
  • No1pole
    I keep getting returned e-mail I did not send; it is not deliverable. Some are even in a foreign language. Is this a virus?
  • Firechief69
    How do I stop my Yahoo email sending out emails from my address book? Please tell me step by step. Most of my friends have the bug that my PC gave them. Help please, I have nobody to go to for help. Thanks. Alex
  • MelanieYarbrough
    Hi Firechief69, Please create a new thread for your question to ensure it gets answered by the community. Be sure to include the details necessary to help resolve your problem. Thanks, Melanie
  • Mimisina
    Received notice of undeliverable emails that I did not send. How can I trace source? How can I put a stop to this?
  • MelanieYarbrough
    Hi Mimisina, Please begin a new thread for your question. Include as many details as possible, including what email service you’re using and the message being sent, if possible. Thanks! Melanie