
Exchange Queue Full of Unknown Emails .....

Status
Not open for further replies.

AnthonyCasta (IS-IT--Management)
Dec 5, 2005
I would only assume that this is related to the continued problem that I've been having ...

Over the weekend, I had received about 68 NDR reports for emails that were not originated by anyone in my company. As I looked into them they are all written in Chinese. Here is some information from the queue at the server:


Sent from: =?Big5?B?sU23fsO4uc8=?= <I68cNR736V9@yahoo.com>
Subject=?Big5?B?sU23frlxuKOx0L7HLLFNt37DuLnPs27F6SzAs6azusmmsw==?=

Recipients:
Envelope Recipients:
SMTP:xsh662@yahoo.com.tw;

Currently I have disabled all connectors to stop any outgoing mail... Can anyone help me out here, I am really lost now!!

Thx ... Tony
 
Set your Exchange server so that it does NOT generate/deliver NDR's.
 
I could do that, however, it wouldn't fix the problem of being spoofed and or hacked .. Right?
 
You can't "fix" being spoofed...it happens. If you don't send NDR's out, then your queues won't get filled with them (although 68 doesn't quantify "filled").

Do you feel your server is being hacked? If so, why?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Spoofing of FROM addresses is a fact of life now. We, as administrators, have no control over what OTHERS do, so you can't "fix" it. All you can do is minimize the impact it has to you and your organization. Being spoofed doesn't imply that you've been "hacked". We all get spoofed.

Preventing NDR's from being generated will ease the burden on your server, and is a good "best practice" in this day and age. We turned off NDR's years ago with no ill effect on the business.

Good luck.
 
I think I'm getting spoofed or hacked because the outgoing mail to all of these domains is coming from my server ...

There are also messages in my tracking center that specify email address that don't exist in my company. (i.e.: xchgung@mail.mydomain.com)

My email addresses don't end with @mail.mydomain, however, my email server is named mail.

These messages appear to be in Chinese. What I am worried about is getting on some of the blacklists! ...

When I can catch these email queues I am freezing them.
 
More than likely those are NDR's that your server is trying to send back to spoofed addresses or domains. I'm 90% certain at this point that if you prevent your server from creating NDR's you will not see these in your queue.

Please provide more information on your last post - like when you state "there are also messages in my tracking center that specify email addresses that don't exist in my company" are you talking about the FROM email addresses or the TO email addresses?

When you have NDR's turned on, you are just providing a tool for the spammers to try and guess a real email address within your company. Eventually they will get lucky and stumble upon a real email address, so please, turn off the NDR's now and save yourself from even more headaches down the road. Once the spammers realize that you're not delivering NDR's to them anymore, they will slowly go away and find another victim to harass.

Good luck,
 
Great point on those NDR reports! ... However this problem is further along than that ...

I have messages in my tracking center that appear to originate from my company, but are not ...

This email address is in the from column:
zhnuci@mail.mydomain.com

Email addresses don't end with @mail.mydomain, they end with @mydomain. However, my server is named MAIL ..
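A small queue-triage script, added here as an example (it is not from the thread, and not an Exchange tool), that decodes the Big5 encoded-words quoted in the first post and flags the two patterns raised in this thread: queued mail whose sender and recipient are both outside the company (the NDR-to-forged-sender case) and senders in the company's own namespace that match no real mailbox (the zhnuci@mail.mydomain.com case). The company domains, the mailbox list and the non-Big5 queue entries are assumptions constructed for the example.

```python
import re
from collections import Counter
from email.header import decode_header

# Assumed for the example: the company's own domains and its real mailboxes.
OUR_DOMAINS = {"mydomain.com", "mail.mydomain.com"}
REAL_MAILBOXES = {"tony@mydomain.com"}

# Constructed queue sample: the two Big5 encoded-words are the ones quoted in
# the thread; the other two entries are made up to show the other findings.
QUEUE = [
    {"from": "=?Big5?B?sU23fsO4uc8=?= <I68cNR736V9@yahoo.com>",
     "subject": "=?Big5?B?sU23frlxuKOx0L7HLLFNt37DuLnPs27F6SzAs6azusmmsw==?=",
     "to": "xsh662@yahoo.com.tw"},
    {"from": "zhnuci@mail.mydomain.com", "subject": "hi", "to": "xsh662@yahoo.com.tw"},
    {"from": "tony@mydomain.com", "subject": "Q4 numbers", "to": "partner@example.org"},
]

def decode_rfc2047(value):
    """Render RFC 2047 encoded-words such as =?Big5?B?...?= as readable text."""
    out = []
    for part, charset in decode_header(value):
        if isinstance(part, bytes):  # encoded-words and the text around them
            part = part.decode(charset or "ascii", errors="replace")
        out.append(part)
    return "".join(out)

def bare_address(header):
    """Lower-cased addr-spec from '"Name" <user@host>' or a bare 'user@host'."""
    m = re.search(r"<([^>]+)>", header)
    return (m.group(1) if m else header).strip().lower()

def triage(entry):
    """Decode one queue entry and list what makes it suspicious, if anything."""
    sender = bare_address(decode_rfc2047(entry["from"]))
    sdom, rdom = sender.rpartition("@")[2], entry["to"].rpartition("@")[2].lower()
    findings = []
    if sdom in OUR_DOMAINS and sender not in REAL_MAILBOXES:
        findings.append("forged sender in our namespace: no such mailbox")
    if sdom not in OUR_DOMAINS and rdom not in OUR_DOMAINS:
        findings.append("neither side is ours: NDR to a forged sender, or relaying")
    return {"from": sender, "to": entry["to"].lower(),
            "subject": decode_rfc2047(entry["subject"]), "findings": findings}

def summarize(queue):
    """Count flagged entries per recipient domain to see who the backscatter hits."""
    results = [triage(e) for e in queue]
    return Counter(r["to"].rpartition("@")[2] for r in results if r["findings"])
```

Run `triage(entry)` on each queue entry to see the decoded Chinese subject and the findings, or `summarize(QUEUE)` to see which recipient domains the flagged mail is heading to.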
 
I think you are just getting caught up in what the "from" addresses are. That is no indication of where the messages are actually being generated. Only the headers (or lack thereof) would be a good indication of where they are actually being generated from.

If you have an MX record in dns for "mail" under "mydomain.com" then anything addressed to "user@mail.mydomain.com" will still reach you.

Seriously, turn off the NDR's and see if those messages in your queue go away. If they do not, then at least you have narrowed things down.
 
It's spam, Chinese spam. Big5 is the Chinese Traditional character set. Quit sending the NDRs and they'll eventually stop.
 
I'm getting the same problem and I do not have NDRs enabled. Anyone know what the heck this is?
 
I figured it out. It seems that someone in China is flooding email servers with spam coming from IP address 60.170.186.10 and several others in that range. I had to block the IP addresses at the firewall to prevent further attacks on my mail server. Now I have about 40,000 junk emails stuck in the queue. All you have to do is monitor the SMTP connector to see where the mail is coming from. I'm willing to bet that you are under the same attack.

All is well now,
 