Exch 2010 Duplicate Spam - Same Message ID - Different Envelope Sender

    Question

  • Hello,

    We are running Exchange 2010 with Symantec Mail Security / Premium Antispam services and RBLs, but are suddenly receiving dozens of duplicate messages from external senders over the last few months on many user accounts.

    The message ID is the same for each copy, but the header shows the time being slightly different and using different "envelope-from" addresses. 

    Does anyone have a suggestion on what configuration would block or prevent this traffic to a greater extent?

    Thanks!!!

    FIRST HEADER------------------------------------------------

    Received: from essilorusa.idlall.com (45.43.78.116) by myexchangeserver.myserver.com
     (x.x.x.x) with Microsoft SMTP Server id 14.3.195.1; Tue, 3 Nov 2015
     08:30:03 -0600
    Received: by essilorusa.idlall.com id h73gim0001gg for
     <user@myexchangeserver.myserver.com>; Tue, 3 Nov 2015 11:27:10 -0500 (envelope-from
     <CashMedina@essilorusa.idlall.com>)
    To: <user@myexchangeserver.myserver.com>
    Message-ID: <0151103050245.1992.81226FREG.0EY615@essilorusa.idlall.com>
    From: Business Class Flights <steve@idlall.com>
    Subject: Fly in style
    Reply-To: <steve@idlall.com>
    Bounce-No-Content: <020360422/563452A15ET/45367456>
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="Hv3fIfJeU7G6N0UvNxX1V14f"
    Date: Tue, 3 Nov 2015 11:30:35 -0500
    Return-Path: CashMedina@essilorusa.idlall.com
    X-MS-Exchange-Organization-AuthSource: myexchangeserver.myserver.com
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Organization-PRD: idlall.com
    X-MS-Exchange-Organization-SenderIdResult: Pass
    Received-SPF: Pass (myexchangeserver.myserver.com: domain of steve@idlall.com
     designates 45.43.78.116 as permitted sender)
     receiver=myexchangeserver.myserver.com; client-ip=45.43.78.116;
     helo=essilorusa.idlall.com;
    X-MS-Exchange-Organization-SCL: 0
    X-MS-Exchange-Organization-PCL: 2
    X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus
     Pass;TIME:TimeBasedFeatures;OrigIP:45.43.78.116
    X-MS-Exchange-Organization-AVStamp-Mailbox: SYMANTEC;560070720;0;info

    ------------------------------------------------------------------------------------------------------------------------

    SECOND HEADER ------------------------------------------

    Received: from essilorusa.idlall.com (45.43.78.116) by myexchangeserver.myserver.com
     (x.x.x.x) with Microsoft SMTP Server id 14.3.195.1; Tue, 3 Nov 2015
     08:29:52 -0600
    Received: by essilorusa.idlall.com id h73gk40001g4 for
     <user@myexchangeserver.myserver.com>; Tue, 3 Nov 2015 11:25:16 -0500 (envelope-from
     <MaryCross@essilorusa.idlall.com>)
    To: <user@myexchangeserver.myserver.com>
    Message-ID: <0151103050245.1992.81226FREG.0EY615@essilorusa.idlall.com>
    From: Business Class Flights <steve@idlall.com>
    Subject: Fly in style
    Reply-To: <steve@idlall.com>
    Bounce-No-Content: <020360422/563452A15ET/45367456>
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="Hv3fIfJeU7G6N0UvNxX1V14f"
    Date: Tue, 3 Nov 2015 11:30:58 -0500
    Return-Path: MaryCross@essilorusa.idlall.com
    X-MS-Exchange-Organization-AuthSource: myexchangeserver.myserver.com
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Organization-PRD: idlall.com
    X-MS-Exchange-Organization-SenderIdResult: Pass
    Received-SPF: Pass (myexchangeserver.myserver.com: domain of steve@idlall.com
     designates 45.43.78.116 as permitted sender)
     receiver=myexchangeserver.myserver.com; client-ip=45.43.78.116;
     helo=essilorusa.idlall.com;
    X-MS-Exchange-Organization-SCL: 0
    X-MS-Exchange-Organization-PCL: 2
    X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus
     Pass;TIME:TimeBasedFeatures;OrigIP:45.43.78.116
    X-MS-Exchange-Organization-AVStamp-Mailbox: SYMANTEC;560070720;0;info

    Thursday, November 5, 2015 12:10 AM
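
The pattern described in the question (one Message-ID arriving with several envelope senders) can be checked for mechanically. The following is an added example, not part of the original thread: it groups header blocks by Message-ID and reports the IDs seen with more than one Return-Path. The function names and the example.org message are assumptions; the other sample values are taken from the two headers quoted above.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

def _block(msg_id, return_path):
    # Constructed header block, trimmed to the fields this check reads.
    return f"Message-ID: {msg_id}\nSubject: sample\nReturn-Path: {return_path}\n\n"

SPAM_ID = "<0151103050245.1992.81226FREG.0EY615@essilorusa.idlall.com>"
SAMPLE_HEADERS = [
    _block(SPAM_ID, "CashMedina@essilorusa.idlall.com"),  # values from the first header
    _block(SPAM_ID, "MaryCross@essilorusa.idlall.com"),   # values from the second header
    # Constructed benign case: one message delivered twice with the same sender.
    _block("<constructed-1@example.org>", "<news@example.org>"),
    _block("<constructed-1@example.org>", "<news@example.org>"),
]

def rotating_sender_duplicates(raw_headers, min_senders=2):
    """Return {Message-ID: {"senders": [...], "domains": [...]}} for every
    Message-ID that arrived with at least min_senders distinct Return-Paths."""
    seen = defaultdict(set)
    for raw in raw_headers:
        msg = message_from_string(raw)
        msg_id = (msg.get("Message-ID") or "").strip()
        # parseaddr copes with both "<a@b>" and bare "a@b" Return-Path forms.
        sender = parseaddr(msg.get("Return-Path", ""))[1].lower()
        if msg_id and "@" in sender:
            seen[msg_id].add(sender)
    report = {}
    for msg_id, senders in seen.items():
        if len(senders) >= min_senders:
            # Domains stay constant here while the local part rotates, so the
            # domain is the stable attribute to review in sender filtering.
            domains = sorted({s.rsplit("@", 1)[1] for s in senders})
            report[msg_id] = {"senders": sorted(senders), "domains": domains}
    return report

if __name__ == "__main__":
    for msg_id, info in rotating_sender_duplicates(SAMPLE_HEADERS).items():
        print(msg_id, info["senders"], info["domains"])
```
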

Answers

  • Hi eleska,

    Thank you for your question.

    I think something is corrupted in Symantec Mail Security; we suggest you contact Symantec to get help.

    Best regards,

    Jim Xu

    Jim Xu
    TechNet Community Support

    Thursday, November 5, 2015 6:41 AM
    Moderator

All replies

  • Did you ever find an answer for this? One of my customers is experiencing the same problem. Would love to know what you did. Symantec did not have any real answers for me.
    Monday, January 18, 2016 6:29 PM
  • Anyone figure out an answer for this? I am in the same situation.
    Monday, October 10, 2016 6:04 PM
  • Does anyone have a solution for this?
    Monday, October 10, 2016 6:12 PM