Question

  Asked: Mar 16 2008   11:03 AM GMT
  Asked by: Atabani


Exchange 2003 Undelivered report (spam)


Exchange 2003, Spam

Every now and then some of my users complain that they have received an Undelivered email report from the administrator for an email that they have not sent. I have checked the email's content and traced the message on the server, but I cannot find a clear justification of how they received the message. The message is as follows:



Your message did not reach some or all of the intended recipients.

Subject: RE: MensHealth id 104964
Sent: 3/14/2008 9:49 PM

The following recipient(s) cannot be reached:

akhorchid@kacecuae.com on 3/14/2008 9:49 PM
The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
<kauae6.kadomain.com #5.1.1>


I have checked the domain and it is not registered.

Is there a way I can stop this type of spam? Is IMF the answer, and how? Is there a setting in Exchange 2003 to validate the originator of the message? Is there a log file in Exchange that can provide me with more information on a specific message, such as the IP of the sender etc …


Answer Wiki



This is a message that is generated by the receiving end. There is no practical way for you to control it because it in and of itself is not considered spam/UCE, though it is a common side effect. Think about it for a moment. Even if you configured an e-mail screening solution, how would you differentiate between legitimate and false NDRs?

--------------------------------------------------
That is because you do not apply SPF to your domain (www.openspf.org).
Spammers may use your domain to send mail to the Internet and the receiver did not find that email on the SMTP server. The way to validate the sender is called "Challenge Response".
The Challenge Response system requires senders from external domains to authorize their email address for future communication with your mail server. External senders will only be challenged once.
You have to apply SPF to fix this problem. Contact your hostmaster.

LVK
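The first answer asks how legitimate NDRs could be told apart from false ones. One approach, shown here as an added example that is not part of the original thread, is to parse each incoming NDR and match it against mail the server actually sent. The `OUTBOUND` set is a constructed stand-in for an export of the server's outbound message tracking data, and the `example.*` addresses are placeholders.

```python
import re

# The NDR body quoted in the question (explanatory sentence shortened).
NDR_BODY = """Your message did not reach some or all of the intended recipients.

Subject: RE: MensHealth id 104964
Sent: 3/14/2008 9:49 PM

The following recipient(s) cannot be reached:

akhorchid@kacecuae.com on 3/14/2008 9:49 PM
The e-mail account does not exist at the organization this message was sent to.
<kauae6.kadomain.com #5.1.1>
"""

# Constructed sample data: (sender, recipient, subject) for mail that really
# left our server. In practice this would come from message tracking.
OUTBOUND = {
    ("user1@example.com", "partner@example.net", "RE: Quarterly report"),
    ("user2@example.com", "typo-address@example.org", "Invoice 4471"),
}

def parse_ndr(body):
    """Extract the fields an NDR body of the form shown above exposes."""
    subject = re.search(r"^Subject:\s*(.+)$", body, re.M)
    failed = re.findall(r"^(\S+@\S+) on \d", body, re.M)
    reporter = re.search(r"^<(\S+) #(\d\.\d+\.\d+)>", body, re.M)
    return {
        "subject": subject.group(1).strip() if subject else None,
        "failed": [addr.lower() for addr in failed],
        "reporting_host": reporter.group(1) if reporter else None,
        "status": reporter.group(2) if reporter else None,
    }

def classify(ndr_to, body, outbound=OUTBOUND):
    """Return 'expected' if the NDR matches mail this user sent, else 'unsolicited'."""
    ndr = parse_ndr(body)
    user = ndr_to.lower()
    for rcpt in ndr["failed"]:
        if (user, rcpt, ndr["subject"]) in outbound:
            return "expected"
    # No outbound record: backscatter from a spoofed sender, or a forged NDR.
    return "unsolicited"

if __name__ == "__main__":
    print(parse_ndr(NDR_BODY))
    print(classify("user1@example.com", NDR_BODY))
```

An "unsolicited" result does not say whether the report is backscatter or a forged NDR; it only shows that no matching message left the server.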


Discuss This Answer



Atabani  |   Mar 18 2008  6:06AM GMT

That’s what I thought about at the beginning, but then I thought that it can be a fake NDR email, such as the case below:

Limit the number of outbound non-delivery reports (NDRs) your server is permitted to send in a given period: This will reduce your exposure to a reverse NDR spam attack. While fake NDR messages are sometimes sent by spammers, limiting the rate of outbound NDRs will not stop them. To clarify, there are two kinds of NDR spam: faked NDR messages are sent directly to a recipient, while reverse NDR messages are "bounced" off a server in response to a spoofed message "from" the intended recipient. The latter type of NDR works like this: Jack Spamking wants to send spam to Susan User. To do this, he crafts his spam message so it appears to come from Susan and sends it to an invalid e-mail address he knows does not exist at a third party's mail server. The message is then "returned" to the apparent sender -- Susan -- in the form of an NDR. Susan then sees the legitimate NDR, wonders why a message she sent did not arrive, and opens the message. This closes the delivery loop as Susan sees the spam message sent by Jack. The Tek-Tips Web site has an article called "story" about combating NDR attacks.

 

Atabani  |   Mar 18 2008  6:37AM GMT

I do not think that our server is generating the NDRs because the output queue is quite secure and normal traffic, hence I am suspecting that these are spam NDRs.