WiredOnCoffee
IS-IT--Management
We're having some trouble since we got on a DirecWay satellite connection. Emails to bogus mailboxes (ex. MailBox@ourdomain.com) are coming into legitimate mailboxes. Here's a header below:
Microsoft Mail Internet Headers Version 2.0
Received: from ocelq.edu ([216.210.203.98]) by ourdomain.com with Microsoft SMTPSVC(6.0.3790.211);
Tue, 3 May 2005 21:30:01 -0700
From: postmaster@dri.edu
To: MailBox@ourdomain.com
Date: Wed, 04 May 2005 04:08:25 UTC
Subject: Registration Confirmation
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <fc82f.1c17a1cba77db@dri.edu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="====6ad5aadabb669cfb.b26d6ea9"
Content-Transfer-Encoding: 7bit
Return-Path: postmaster@dri.edu
X-OriginalArrivalTime: 04 May 2005 04:30:01.0171 (UTC) FILETIME=[EF984230:01C55061
This mail message ends up being delivered to a legitimate mailbox. We get about 30 of these a day, with the number slowly increasing.
Here's a sample from the SMTP log around this time:
2005-05-04 04:14:01 148.63.4.187 lmtffkpm.net SMTPSVC1 SERVER 192.168.0.99 0 HELO - +lmtffkpm.net 250 0 38 17 0 SMTP - - - -
2005-05-04 04:14:03 148.63.4.187 lmtffkpm.net SMTPSVC1 SERVER 192.168.0.99 0 MAIL - +FROM:+<postmaster@earthlink.net> 250 0 49 37 0 SMTP - - - -
2005-05-04 04:14:05 148.63.4.187 lmtffkpm.net SMTPSVC1 SERVER 192.168.0.99 0 RCPT - +TO:+<VIBANK.COMSMTPClarkN@ourdomain.com> 250 0 45 43 0 SMTP - - - -
2005-05-04 04:14:08 148.63.4.187 lmtffkpm.net SMTPSVC1 SERVER 192.168.0.99 0 RCPT - +TO:+<SMTPchrisdavis@ourdomain.com> 250 0 39 37 0 SMTP - - - -
2005-05-04 04:14:09 148.63.4.187 lmtffkpm.net SMTPSVC1 SERVER 192.168.0.99 0 RCPT - +TO:+<AOL.COMSMTPTDarceyWMF@ourdomain.com> 250 0 46 44 0 SMTP - - - -
2005-05-04 04:14:12 148.63.4.187 lmtffkpm.net SMTPSVC1 SERVER 192.168.0.99 0 RCPT - +TO:+<Groupbnmccarthy@ourdomain.com> 250 0 40 38 0 SMTP - - - -
2005-05-04 04:14:13 148.63.4.187 lmtffkpm.net SMTPSVC1 SERVER 192.168.0.99 0 RCPT - +TO:+<darkn@ourdomain.com> 250 0 30 28 0 SMTP - - - -
You can see it's addressed to bogus addresses, but they are slipping through. I'm sure I could block the IPs that this mail is coming from, but I'm wondering how they're slipping through.
My SMTP settings are as follows:
Exchange 2003 (SBS)
Under the Access Tab, Authentication I have:
Anonymous access checked
Basic Authentication checked
Integrated Windows Authentication checked
Under the Relay button, I have:
Only listed below selected and
The IP of our mail server (192.168.0.x address)
and the loopback (127.0.0.1).
Also the box for "Allow all computers which successfully authenticate to relay, regardless..."
I'm sure I have something misconfigured, just not sure what.
Thanks!!!
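An added example, not part of the original post: a small Python check that reads SMTP log lines in the layout shown above and lists, per connecting client, the RCPT addresses the server answered with 250 even though they are not real mailboxes. The field positions are read off the sample lines in the post; `KNOWN_MAILBOXES`, `realuser@ourdomain.com`, the last log line and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# The first six lines are copied from the post's SMTP log; the last one is constructed.
SAMPLE_LOG = """\
2005-05-04 04:14:03 148.63.4.187 lmtffkpm.net SMTPSVC1 SERVER 192.168.0.99 0 MAIL - +FROM:+<postmaster@earthlink.net> 250 0 49 37 0 SMTP - - - -
2005-05-04 04:14:05 148.63.4.187 lmtffkpm.net SMTPSVC1 SERVER 192.168.0.99 0 RCPT - +TO:+<VIBANK.COMSMTPClarkN@ourdomain.com> 250 0 45 43 0 SMTP - - - -
2005-05-04 04:14:08 148.63.4.187 lmtffkpm.net SMTPSVC1 SERVER 192.168.0.99 0 RCPT - +TO:+<SMTPchrisdavis@ourdomain.com> 250 0 39 37 0 SMTP - - - -
2005-05-04 04:14:09 148.63.4.187 lmtffkpm.net SMTPSVC1 SERVER 192.168.0.99 0 RCPT - +TO:+<AOL.COMSMTPTDarceyWMF@ourdomain.com> 250 0 46 44 0 SMTP - - - -
2005-05-04 04:14:12 148.63.4.187 lmtffkpm.net SMTPSVC1 SERVER 192.168.0.99 0 RCPT - +TO:+<Groupbnmccarthy@ourdomain.com> 250 0 40 38 0 SMTP - - - -
2005-05-04 04:14:13 148.63.4.187 lmtffkpm.net SMTPSVC1 SERVER 192.168.0.99 0 RCPT - +TO:+<darkn@ourdomain.com> 250 0 30 28 0 SMTP - - - -
2005-05-04 04:20:00 192.0.2.10 mail.example.net SMTPSVC1 SERVER 192.168.0.99 0 RCPT - +TO:+<realuser@ourdomain.com> 250 0 38 36 0 SMTP - - - -
"""

# Hypothetical list of real mailboxes (lowercase); in practice exported from the directory.
KNOWN_MAILBOXES = {"realuser@ourdomain.com"}

ADDR_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")


def parse_line(line):
    """Split one log line using the field positions seen in the post's sample."""
    if line.startswith("#"):          # W3C-style header/comment lines
        return None
    f = line.split()
    if len(f) < 12:
        return None
    return {"client_ip": f[2], "helo": f[3], "verb": f[8],
            "arg": f[10], "status": f[11]}


def unknown_rcpt_by_client(log_text, known):
    """Map client IP -> accepted (250) RCPT addresses that are not known mailboxes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["verb"] != "RCPT" or rec["status"] != "250":
            continue
        m = ADDR_RE.search(rec["arg"])
        if m and m.group(1).lower() not in known:
            hits[rec["client_ip"]].append(m.group(1))
    return dict(hits)


def flag_clients(log_text, known, threshold=3):
    """Clients with at least `threshold` accepted recipients that do not exist."""
    found = unknown_rcpt_by_client(log_text, known)
    return sorted(ip for ip, addrs in found.items() if len(addrs) >= threshold)


if __name__ == "__main__":
    for ip, addrs in unknown_rcpt_by_client(SAMPLE_LOG, KNOWN_MAILBOXES).items():
        print(ip, len(addrs), addrs)
```

Every RCPT in the post's sample gets a 250, so the log alone shows the server accepting the recipient at SMTP time whether or not the mailbox exists.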