It also works in reverse:

1) spammer sends messages to users in your org from "[EMAIL PROTECTED]", which doesn't exist.
2) many many many recipients in your domain do not exist.
3) Your mail system spends the next three days trying to send the NDR bounce to the perceived sender "[EMAIL PROTECTED]"
4) ???
5) profit!

-----Original Message-----
From: Erik Sojka [mailto:[EMAIL PROTECTED]
Sent: Friday, December 19, 2003 6:52 AM
To: Exchange Discussions
Subject: RE: TONS of NDR's

You may be relay free (i.e. a spammer is *not* using your servers as a relay) but said scumbag is using one of your addresses as a forged "From:" address.

1) spammer sends out messages appearing to come from "[EMAIL PROTECTED]"
2) many many many recipients do not exist
3) receiving mail systems send the NDR bounce to the perceived sender "[EMAIL PROTECTED]"
4) ???
5) profit!

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 19, 2003 9:47 AM
> To: Exchange Discussions
> Subject: TONS of NDR's
>
> Exch5.5 sp4 on win2k sp4
>
> I have no idea where they are all coming from. Every morning I come in and
> the queue is stacked with 24,000+ NDR messages, they look like spam but
> abuse.net, spamcop, openrbl, and ordb all say I am relay free, IT policy
> forces strong passwords and guest is disabled. I'm at a loss where these
> messages are coming from, but they look like they are relaying.
>
> Reading the open relay/spamcop thread I wonder if someone got compromised,
> is there a logging setting that will tell me what user accounts are being
> used to auth against? Or does anyone know what events those would be logged
> as? Any help is always greatly appreciated.
>
> e-
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
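
Added example, not part of the original thread: a Python sketch that separates the two cases described above by looking at queued bounces. It assumes bounces carry the null envelope sender `<>`; the log format, the domain names and the function name `classify_ndrs` are constructed for illustration and are not Exchange 5.5's own tracking format.

```python
import re
from collections import Counter

# Constructed sample queue/tracking lines in a made-up "from=<..> to=<..>" format.
SAMPLE_LOG = """\
2003-12-19T02:10:01 from=<> to=<sales1@forged-sender.example> status=retry
2003-12-19T02:10:02 from=<> to=<sales1@forged-sender.example> status=retry
2003-12-19T02:10:05 from=<> to=<info@other-forged.example> status=retry
2003-12-19T02:11:40 from=<> to=<bob@corp.example> status=delivered
2003-12-19T02:12:13 from=<alice@corp.example> to=<partner@vendor.example> status=delivered
2003-12-19T02:12:59 from=<> to=<nosuchuser@corp.example> status=failed
"""

LINE_RE = re.compile(r"from=<(?P<sender>[^>]*)>\s+to=<(?P<rcpt>[^>]+)>")


def classify_ndrs(log_text, local_domains):
    """Split null-sender messages into the two directions discussed in the thread.

    outbound_ndr_by_domain: NDRs this server generated for unknown local
        recipients, addressed to a (probably forged) remote sender. These are
        the ones that sit in the queue retrying ("works in reverse" case).
    inbound_bounce_by_rcpt: bounces other systems sent to a local address
        that a spammer forged as the sender (the forged "From:" case).
    """
    local = {d.lower() for d in local_domains}
    outbound, inbound = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("sender") != "":
            continue  # ordinary mail has a real envelope sender; skip it
        rcpt = m.group("rcpt").lower()
        domain = rcpt.rpartition("@")[2]
        if domain in local:
            inbound[rcpt] += 1
        else:
            outbound[domain] += 1
    return {"outbound_ndr_by_domain": outbound,
            "inbound_bounce_by_rcpt": inbound}


if __name__ == "__main__":
    result = classify_ndrs(SAMPLE_LOG, ["corp.example"])
    for name, counts in result.items():
        print(name)
        for key, n in counts.most_common():
            print(f"  {n:6d}  {key}")
```

A queue dominated by the first bucket points at the server bouncing mail for nonexistent local recipients; a mailbox flooded by the second points at a forged sender address.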

