RE: Queues

  • From: "Nef Perez" <nperez@xxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Wed, 1 Sep 2004 15:45:14 -0400

Chris -
I think you're right on the money. When I go to the badmail directory on
my Exchange server, I have thousands of badmail and when I view them
they are addressed to unknown users. The emails are small in size.

How do I prevent this? Is it as simple as installing a spam guard
software? What was the "long" post titled, so I can research it?

Here's a sample (sorry - it's kinda long):

From: postmaster@xxxxxxxxxxxxxxx
To: midwwnwvmMZS@xxxxxxxxxxxxxxxxxxx
Date: Wed, 1 Sep 2004 14:04:58 -0400
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="9B095B5ADSN=_01C479D5F958DF040005FF75athena.idtmarket"
X-DSNContext: 335a7efd - 4457 - 00000001 - 80040546
Message-ID: <0KeMTJ4V100010373@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: Delivery Status Notification (Failure)

This is a MIME-formatted message.  
Portions of this message may be unreadable without a MIME-capable mail
program.

--9B095B5ADSN=_01C479D5F958DF040005FF75athena.idtmarket
Content-Type: text/plain; charset=unicode-1-1-utf-7

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

       clyde@xxxxxxxxxxxxxxxx




--9B095B5ADSN=_01C479D5F958DF040005FF75athena.idtmarket
Content-Type: message/delivery-status

Reporting-MTA: dns;athena.idtmarketing.com
Received-From-MTA: dns;h11.106.102.166.ip.alltel.net
Arrival-Date: Wed, 1 Sep 2004 14:04:51 -0400

Final-Recipient: rfc822;clyde@xxxxxxxxxxxxxxxx
Action: failed
Status: 5.1.1

--9B095B5ADSN=_01C479D5F958DF040005FF75athena.idtmarket
Content-Type: message/rfc822

Received: from h11.106.102.166.ip.alltel.net ([166.102.106.11]
unverified) by athena.idtmarketing.com with Microsoft
SMTPSVC(5.0.2195.6713);
         Wed, 1 Sep 2004 14:04:51 -0400
X-Message-Info: POmbPD785pnmLDVpkeOMf751WMLg105+RTtc45yfOGW
Received: from qyhawqhz335.attitude.com ([102.67.30.192]) by
m4-nk406.attitude.com with Microsoft SMTPSVC(5.0.2195.6824);
         Thu, 02 Sep 2004 00:56:39 +0600
Received: from Ashleeq63a24e93j ([185.231.65.161]) by
jxhpbhla24.attitude.com
          (InterMail vM.5.01.06.05 297-510-399-355-273-588635077) with
SMTP
          id
<134819740519396.BNJBV85.khatii792.attitude.com@divestiturege5j267abr0uq
>
          for <clyde@xxxxxxxxxxxxxxxx>; Wed, 01 Sep 2004 23:52:39 +0500
Message-ID: <050ngd4rfj4398$0256461$u35fsi8@Ashleevag69rz1a18m>
From: "Cornelia Hargrove" <midwwnwvmMZS@xxxxxxxxxxxxxxxxxxx>
To: <clyde@xxxxxxxxxxxxxxxx>
Subject: Buy Hydrocodone online, free overnight shipping
Date: Wed, 01 Sep 2004 13:53:39 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--5618441267460908158"
Return-Path: midwwnwvmMZS@xxxxxxxxxxxxxxxxxxx
X-OriginalArrivalTime: 01 Sep 2004 18:04:55.0154 (UTC)
FILETIME=[2F793D20:01C4904E]

----5618441267460908158
Content-Type: text/html;
Content-Transfer-Encoding: 7Bit

<html>
<body>
<p align="center">
Hello  Clyde   ( Wed, 01 Sep 2004 11:53:39 -0700 )<br><br>

Are you tried of being ri<font style="FONT-SIZE: 1px">a</font>pped off
by overpr<font style="FONT-SIZE: 1px">s</font>iced Meds ?<br>
<br> Is healing your pain hurting your budget ?<br>
<br>We at Dis<font style="FONT-SIZE: 1px">f2</font>count Meds have found
a solution for you<br>
<br> sa<font style="FONT-SIZE: 1px">f</font>ve 70<font style="FONT-SIZE:
1px">g</font>%+ on all your popular meds
<aref="http://qasmbqtheoqthylgqmfl.Clyde.basicrxmeds.com/?wid=100075";>Vi
<font style="FONT-SIZE: 1px">k</font>sit si<font style="FONT-SIZE:
1px">m</font>te now</a> to sta<font style="FONT-SIZE: 1px">f</font>rt
sa<font style="FONT-SIZE: 1px">l</font>ving!

</body>
</html>

----5618441267460908158---
--9B095B5ADSN=_01C479D5F958DF040005FF75athena.idtmarket--


 


-----Original Message-----
From: Chris Wall [mailto:Chris.Wall@xxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, September 01, 2004 3:10 PM
To: [ExchangeList]
Subject: [exchangelist] Re: Queues

http://www.MSExchange.org/

Or spam could be coming in to your domain that is addressed to nonexistent
accounts and your Exchange server is trying to send an NDR.  Of course the
address your server is trying to send mail to is a 'spoofed' address and is
not real.  So you must wait for the message to time out and be deleted from
the queue....

Are all the messages similar in size?  (if so this is a good indicator that
they are NDRs)
Can you open any of the messages to see the text?  If so, give us a
sample...

As far as stopping it, there was just a long post in this group (just
yesterday I believe) about this very issue...

Chris 

-----Original Message-----
From: Danny [mailto:nocmonkey@xxxxxxxxx] 
Sent: Wednesday, September 01, 2004 3:00 PM
To: [ExchangeList]
Subject: [exchangelist] Re: Queues

On Wed, 1 Sep 2004 13:44:17 -0600, NPerez <nperez@xxxxxxxxxxxxxxx> wrote:
> Windows 2k & Exchange 2k
> I was looking through my queues folder under my SMTP folder in my
> Exchange admin, and I found many domains that I do not recognize
> (like yeehaww.au, haang.de, and a bunch of others). I don't think my
> users are sending emails to these domains. How do they get there and
> how can I prevent it?

Your configuration has one or a combination of the following problems:

A) Your server is an open relay.
*http://www.msexchange.org/tutorials/MF005.html
*Search for how to close open relay in Exchange on the Internet.

B) A network device, probably a computer part of your LAN, has become
infected with a virus and is relaying through the Exchange Server.
*Run up-to-date AV software on all network connected devices.

C) Your server is infected with a virus.
*Do you run and scan your server with up-to-date AV software?

D) Your users are sending out SPAM on purpose. :)
*Highly unlikely, but anything is possible.

Hope this helps.

...D

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSEXchange.org Discussion List as:
Chris.Wall@xxxxxxxxxxxxxxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Report abuse to listadmin@xxxxxxxxxxxxxx
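
The badmail sample in this thread is a delivery status notification (multipart/report) whose message/delivery-status part records which host handed the server the original mail and why delivery failed. As an added example (not part of the thread), the Python below tallies 5.1.1 unknown-user failures per Received-From-MTA; the function names and the inline sample message are constructed for illustration.

```python
from collections import Counter
from email import message_from_string

# Constructed sample shaped like the DSN quoted in the thread; all names are placeholders.
SAMPLE_DSN = """\
From: postmaster@mail.example.com
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Delivery to the following recipients failed.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns;mail.example.com
Received-From-MTA: dns;host.example.org

Final-Recipient: rfc822;nobody@example.com
Status: 5.1.1

--B1--
"""

def parse_dsn(raw):
    """Return (received_from_mta, [(recipient, status), ...]), or None if not a DSN."""
    msg = message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or str(msg.get_param("report-type", "")).lower() != "delivery-status"):
        return None
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            # The parser yields one header block per message, then one per recipient.
            blocks = part.get_payload()
            source = blocks[0].get("Received-From-MTA", "unknown").split(";")[-1].strip()
            failed = [(b["Final-Recipient"], b.get("Status", "").strip())
                      for b in blocks[1:] if b["Final-Recipient"]]
            return source, failed
    return None

def unknown_user_ndrs_by_source(raw_messages):
    """Count 5.1.1 (unknown user) failures per host that delivered the original mail."""
    counts = Counter()
    for raw in raw_messages:
        if (parsed := parse_dsn(raw)):
            source, failed = parsed
            counts[source] += sum(1 for _, status in failed if status == "5.1.1")
    return counts
```

A single external host accounting for most of the 5.1.1 count points to inbound spam for nonexistent recipients rather than mail sent by local users.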
