I just have to say...the "Underpants Gnomes" reference is strong. Nice.
> It also works in reverse:
>
> 1) spammer sends messages to users in your org from "[EMAIL PROTECTED]", which doesn't exist.
> 2) many many many recipients in your domain do not exist.
> 3) Your mail system spends the next three days trying to send the NDR bounce to the perceived sender "[EMAIL PROTECTED]"
> 4) ???
> 5) profit!
>
> -----Original Message-----
> From: Erik Sojka [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 19, 2003 6:52 AM
> To: Exchange Discussions
> Subject: RE: TONS of NDR's
>
> You may be relay free (i.e. a spammer is *not* using your servers as a relay)
> but said scumbag is using one of your addresses as a forged "From:" address.
>
> 1) spammer sends out messages appearing to come from "[EMAIL PROTECTED]"
> 2) many many many recipients do not exist
> 3) receiving mail systems send the NDR bounce to the perceived sender "[EMAIL PROTECTED]"
> 4) ???
> 5) profit!
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: Friday, December 19, 2003 9:47 AM
> > To: Exchange Discussions
> > Subject: TONS of NDR's
> >
> > Exch5.5 sp4 on win2k sp4
> >
> > I have no idea where they are all coming from. Every morning I come in and
> > the queue is stacked with 24,000+ NDR messages, they look like spam but
> > abuse.net spamcop, openrbl, and ordb all say I am relay free, IT policy
> > forces strong passwords and guest is disabled. I'm at a loss where these
> > messages are coming from, but they look like they are relaying.
> >
> > Reading the open relay/spamcop thread I wonder if someone got compromised,
> > is there a logging setting that will tell me what user accounts are being
> > used to auth against? Or does anyone know what events those would be logged
> > as? Any help is always greatly appreciated.
> >
> > e-

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
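An added example, not written by anyone in this thread: a Python triage of queued NDRs that tells the two scenarios above apart by comparing the bounce's destination with the failed recipient. It assumes the queue can be exported as RFC 3464 delivery reports and uses `example.org` as a stand-in for your own domain; the function names and sample messages are constructed for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"example.org"}  # assumption: domains your server accepts mail for

def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def classify_ndr(raw, local=LOCAL_DOMAINS):
    """Say which of the thread's two scenarios a delivery report matches."""
    msg = message_from_string(raw)
    bounce_to = _domain(msg.get("To", ""))  # the "perceived sender"
    failed = set()
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The parser exposes each header block of the report as its own Message.
        for block in part.get_payload():
            value = block.get("Final-Recipient")  # e.g. "rfc822; user@domain"
            if value:
                failed.add(_domain(value.partition(";")[2]))
    if not failed:
        return "not-an-ndr"
    if failed <= local and bounce_to not in local:
        return "outbound-bounce"  # reverse case: we bounce to a forged sender
    if bounce_to in local and not failed & local:
        return "inbound-bounce"   # forged From: remote systems bounce to us
    return "other"

def summarize(queue):
    return Counter(classify_ndr(raw) for raw in queue)

def sample_ndr(to, final_recipient):
    """Constructed RFC 3464-style report; all hosts and addresses are made up."""
    return (
        f"From: postmaster@mta.invalid\nTo: {to}\nSubject: Undeliverable\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n'
        "\n--b\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mta.invalid\n\n"
        f"Final-Recipient: rfc822; {final_recipient}\nAction: failed\nStatus: 5.1.1\n"
        "\n--b--\n"
    )

if __name__ == "__main__":
    queue = [sample_ndr("forged@elsewhere.invalid", f"nobody{i}@example.org") for i in range(3)]
    queue.append(sample_ndr("alice@example.org", "ghost@elsewhere.invalid"))
    print(summarize(queue))
```

A queue dominated by `outbound-bounce` points to the reverse case, where rejecting unknown recipients during the SMTP session avoids generating the NDR at all. Headers alone cannot separate an `inbound-bounce` caused by a forged From from a genuine bounce of mail a user really sent.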

