Exchange 2003 Undelivered report (spam)

95 pts.
Microsoft Exchange 2003
Every now and then some of my users complain that they have received an Undelivered email report from the administrator, to an email that they have not sent. I have checked the email's content and traced the message on the server but I cannot find out a clear justification of how they received the message, the message is as follows:
Your message did not reach some or all of the intended recipients.

      Subject:	RE: MensHealth id 104964
      Sent:	3/14/2008 9:49 PM

The following recipient(s) cannot be reached: on 3/14/2008 9:49 PM
            The e-mail account does not exist at the organization this message was sent to.  Check the e-mail address, or contact the recipient directly to find out the correct address.
            < #5.1.1>
I have checked the domain and it is not registered. Is there a way I can stop this type of spam? is IMF the answer, and how? Is there a setting in Exchange 2003 to validate the originator of the message? Is there a log file in exchange that can provide me with more information on a specific message, such as IP of sender etc …

Answer Wiki

Thanks. We'll let you know when a new response is added.

This is a message that is generated by the receiving end. There is no practical way for you to control it because it in and of itself is not considered spam/UCE, though it is a common side effect. Think about it for a moment. Even if you configured an e-mail screening solution, how would you differentiate between legitimate and false NDRs?

That is because you do not apply SPF to your domain (
Spammers may use your domain to send mail to the Internet and the receiver did not find that email on the SMTP server. The way to validate sender is called “Challenge Response”.
The Challenge Response system requires senders from external domains to authorize their email address for future communication with your mail server. External senders will only be challenged once.
You have to apply SPF to fix this problem. Contact your hostmaster.


Discuss This Question: 2  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • Atabani
    that’s what I thought about at the beginning, but then I thought that it can be a fake NDR email, such as the case below:
    Limit the number of outbound non-delivery reports ( NDRs) your server is permitted to send in a given period: This will reduce your exposure to a reverse NDR spam attack. While fake NDR messages are sometimes sent by spammers, limiting the rate of outbound NDRs will not stop them. To clarify, there are two kinds of NDR spam: faked NDR messages are sent directly to a recipient, while reverse NDR messages are "bounced" off a server in response to a spoofed message "from" the intended recipient. The latter type of NDR works like this: Jack Spamking wants to send spam to Susan User. To do this, he crafts his spam message so it appears to come from Susan and sends it to an invalid e-mail address he knows does not exist at a third party's mail server. The message is then "returned" to the apparent sender -- Susan -- in the form of an NDR. Susan then sees the legitimate NDR, wonders why a message she sent did not arrive, and opens the message. This closes the delivery loop as Susan sees the spam message sent by Jack. The Tek-Tips Web site has an article called "story" about combating NDR attacks. 
    95 pointsBadges:
  • Atabani
    I do not think that our server is generating the NDRs because the output queue is quite secure and normal traffic, hence I am suspecting that these are spam NDRs.
    95 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: