Strange Message Routing - How Did This Happen?

dfrazell

Two users received the same email that wasn't addressed to them directly. It was addressed to user3@companyname.com who is no longer with the company and their user account has been deleted (as far as I know).

I reviewed the message header and it was addressed to user3@companyname.com. Nowhere in the header did user1@companyname.com or user2@companyname.com appear in the header.
I did a search in the Message Tracking Center in the Exchange System Manager and it shows the message being delivered to user1@companyname.com and user2@companyname.com but I can't tell how or where it got these addresses.

Thanks!
How did this happen? How can I track down the routing in Exchange?

 
I would make sure that the user is not in someone's personal contact list. I have seen this before. Just because they are removed from Active Directory, that doesn't mean they still can't be in a personal distribution list or contacts...
 
Is there any way to search for the email address user3@companyname.com on the Exchange side or do a deeper trace on an e-mail that came into Exchange to determine how it was routed to user1@companyname.com and user2@companyname.com?
 
It won't show up in the trace logs if it were sent from someone's Outlook. You could also post the header of the email and I can take a look.
 
The email came from an external source.
Message History (from Exchange):
Code:
7/15/2009 9:38 AM   SMTP: Message Submitted to Advanced Queuing
7/15/2009 9:38 AM   SMTP: Started Message Submission to Advanced Queue
7/15/2009 9:38 AM   SMTP: Message Submitted to Categorizer
7/15/2009 9:38 AM   SMTP: Message Categorized and Queued for Routing
7/15/2009 9:38 AM   SMTP: Message Categorized and Queued for Routing
7/15/2009 9:38 AM   SMTP: Non-Delivered Report (NDR) Generated
7/15/2009 9:38 AM   SMTP: Message Queued for Local Delivery
7/15/2009 9:38 AM   SMTP: Message Delivered Locally to multiple recipients
7/15/2009 9:38 AM   SMTP: Message Routed and Queued for Remote Delivery
7/15/2009 9:38 AM   SMTP: Started Outbound Transfer of Message
7/15/2009 9:38 AM   Message transferred to den.emllc.loc through SMTP
7/15/2009 9:38 AM   SMTP Store Driver: Message Delivered Locally to Store to user1@companyname.com
7/15/2009 9:38 AM   SMTP Store Driver: Message Delivered Locally to Store to user2@companyname.com
Message Header:
Code:
Microsoft Mail Internet Headers Version 2.0
Received: from p01c11m083.mxlogic.net ([208.65.144.247]) by pikes.emllc.loc with Microsoft SMTPSVC(6.0.3790.1830);
	 Wed, 15 Jul 2009 09:38:32 -0600
Received: from unknown [201.228.208.119] (EHLO BNQQQEY)
	by p01c11m083.mxlogic.net (mxl_mta-6.2.0-4)
	with ESMTP id ad7fd5a4.3038743440.134882.00-155.p01c11m083.mxlogic.net (envelope-from <interbreedev95@iqea.com>);
	Wed, 15 Jul 2009 09:38:03 -0600 (MDT)
Date: Wed, 15 Jul 2009 10:37:57 -0500
From: user3@companyname.com
Subject: Try it and not regret it
To: <user3@companyname.com>
Message-ID: <000d01ca0562$3a73c540$6400a8c0@interbreedev95>
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
Content-type: text/plain; format=flowed; charset="utf-8"; reply-type=original
Content-transfer-encoding: 7bit
X-Priority: 3
X-MSMail-priority: Normal
X-Spam: [F=0.5039423910; B=0.500(0); CM=0.500; MH=0.500(2009071521); R=0.600(10961573616); S=0.403(2009070901); SC=none]
X-MAIL-FROM: <interbreedev95@iqea.com>
X-SOURCE-IP: [201.228.208.119]
X-AnalysisOut: [v=1.0 c=1 a=OUpFcP/tKEusSaPKJGABcw==:17 a=S0HCIMMHAAAA:8 a]
X-AnalysisOut: [=vWNZ3zovvExVJlMn_rYA:9 a=v_YOqhMHxGx0KsjSWtwnJlG2c-QA:4]
Return-Path: interbreedev95@iqea.com
X-OriginalArrivalTime: 15 Jul 2009 15:38:32.0946 (UTC) FILETIME=[4F562520:01CA0562]
 
Looks like it's addressed to User3 - it's probably a spoof email - spam - makes it look like it came from someone else other than the real person.
 
I'd agree it's a spoofed e-mail. I just can't figure out how it got routed to user1@companyname.com and user2@companyname.com.
 
I have seen spammers able to blast out an email to 1000's of random names to certain companies... That is where an SPF record comes in handy...
 
What is an SPF record and how would that help?
 
Block list config would help better. The message came through a cloud hygiene service (Postini), which can complicate SenderID and SPF solutions.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Do either user1 or user2 have user3's email alias set up on the email tab of their userID?

 
No - user3's e-mail address doesn't appear in anyone's Exchange E-mail addresses list. I tried adding user3's email address to a user profile and it let me. Since Exchange won't let you add a duplicate e-mail address that already exists in someone's address list, it would seem that the e-mail wasn't routed based on this feature.
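
Added example, not part of the original thread: a Python check over the header posted above that compares the visible From/To with the envelope sender and pulls the earliest relay hop. SMTP delivers to the envelope recipients (RCPT TO), which message headers do not record, so the header can show the sender mismatch but not who the message was delivered to. The helper names `addr` and `analyze` are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header lines copied from the message posted in the thread, trimmed to the
# fields this check reads.
SAMPLE_HEADERS = """\
Received: from p01c11m083.mxlogic.net ([208.65.144.247]) by pikes.emllc.loc with Microsoft SMTPSVC(6.0.3790.1830);
\t Wed, 15 Jul 2009 09:38:32 -0600
Received: from unknown [201.228.208.119] (EHLO BNQQQEY)
\tby p01c11m083.mxlogic.net (mxl_mta-6.2.0-4)
\twith ESMTP id ad7fd5a4.3038743440.134882.00-155.p01c11m083.mxlogic.net (envelope-from <interbreedev95@iqea.com>);
\tWed, 15 Jul 2009 09:38:03 -0600 (MDT)
From: user3@companyname.com
Subject: Try it and not regret it
To: <user3@companyname.com>
X-MAIL-FROM: <interbreedev95@iqea.com>
Return-Path: interbreedev95@iqea.com

"""

def addr(value):
    """Bare lowercased address from a header value ('' if absent)."""
    return parseaddr(value or "")[1].lower()

def analyze(raw):
    """Hypothetical helper: compare header and envelope identities."""
    msg = message_from_string(raw)
    hdr_from, hdr_to = addr(msg.get("From")), addr(msg.get("To"))
    # Return-Path is stamped at final delivery from SMTP MAIL FROM; fall back
    # to the X-MAIL-FROM header seen in this message if it is missing.
    env_from = addr(msg.get("Return-Path") or msg.get("X-MAIL-FROM"))
    # Received headers are prepended, so the last one is the earliest hop.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1]) if hops else None
    findings = []
    if env_from and env_from.rpartition("@")[2] != hdr_from.rpartition("@")[2]:
        findings.append("envelope sender domain differs from header From domain")
    if hdr_from and hdr_from == hdr_to:
        findings.append("header From equals header To")
    return {"header_from": hdr_from, "header_to": hdr_to,
            "envelope_from": env_from, "hops": hops,
            "origin_ip": ip.group(1) if ip else None, "findings": findings}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```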
 