Undeliverable messages

  • Question

  • I have a user that is getting a lot of System Administrator notices of undeliverable messages that she never sent. Could this be a virus causing this or could anyone point me in the right direction on what to check? Thanks
    Monday, March 29, 2010 12:19 PM

All replies

  • Check whether you are using any spam solution and have configured the user's mailbox in the notification field. Try to see the message headers of the mails, but I believe that there is no header available for an NDR message.


    Anil
    • Proposed as answer by Anil K Singh Monday, March 29, 2010 1:27 PM
    Monday, March 29, 2010 1:26 PM
  • I'd check her sent items. If she has lots of messages in there her account has been used to send out spam. You may also be getting hit with backscatter.
    Mark Morowczynski|MCT| MCSE 2003:Messaging, Security|MCITP:EMA 2K7,EDA Win 7,ES,SA,EA|MCTS:Windows Mobile Admin|Security+|http://almostdailytech.com
    Monday, March 29, 2010 5:47 PM
  • Hi,

    I recommend you to check if you have send as/ full access permission granted on the administrator account.

    Please verify if you have open relay configured.

    Please try to use message tracking tool to check the issue.

    Regards,

    Xiu

     

    Tuesday, March 30, 2010 3:52 AM
  • I verified that the open relay is not configured.

     

    She doesn't have any messages in her sent that correspond with the Undeliverable ones.  I checked the header file and I see in the From a different name than the user's and the user's email address after it.

    I am using Exchange 2003. I have an external spam service I subscribe to that filters on incoming mail. Some of the undeliverables come up with SPAM in the subject line but there are a lot that don't.

    Can you refresh me on where I check the send as/full access permissions?

     

    Thanks

    Tuesday, March 30, 2010 1:23 PM
  • Hi,

    You can check it via the following steps:

    1. In Active Directory Users and Computers, right-click the organization domain name, point to View, and then click Advanced Features.

    2. Click the Users container or the organizational unit where the user is located.

    3. Right-click the user account, and then click Properties.

    4. Click Security, and then click the user or group to whom you want to grant permissions.

    5. Try to find the account to which you have granted Send As permission.

    How to Manually Grant Send As Permissions to a User with Full Mailbox Access

    Besides, what is the value in "From"? Please post it here.

    Regards,

    Xiu

    Wednesday, March 31, 2010 5:49 AM
  • Here is the value from the header file that said who it was sent from: "From: "Humberto Arthur" <user@domain.com>". The name doesn't match the user and they seem to be all different in the others she got back.

    I checked the Send As permissions. They are set to "Allow" on the Administrators account. Should it not be set to Allow????

     

    Thanks

    Dan

    Wednesday, March 31, 2010 1:48 PM
  • Hi,

    Administrator does have Send As permission.

    I think that could be spam.  The Outlook spam filter does not recognize the NDR as spam. It does not redirect the NDR to the Junk E-mail folder, as expected.  It has been reported as a known issue and has been solved in the latest update.

    Please try to apply the latest update for Exchange 2003 to solve the problem.

    More information to share with you:

    A sender of spam uses the following method, known as the reverse NDR method, to deliver the messages:

    1. The sender creates an e-mail message that has the e-mail addresses of the targeted recipients in the From box.

    2. The sender inserts a fictitious e-mail address in the To box. The user name in the fictitious e-mail address does not exist, but the domain name is valid.

    When this message reaches the valid domain, the mail server generates an NDR because the user name does not exist. This NDR is directed to the e-mail addresses in the From box. The targeted recipients may assume that this NDR is a genuine message that was returned because of an error. Therefore, they read the message.

     

    Regards,

    Xiu

     

     

    • Marked as answer by Xiu Zhang Tuesday, April 6, 2010 5:09 AM
    Thursday, April 1, 2010 5:38 AM
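
The reverse NDR method described in the answer above can be checked from the NDR itself, because the returned original usually travels with it. The following Python is an added example, not code from the thread or from Microsoft: it pulls the returned message out of an NDR and tests whether it ever carried our own server's name. `OUR_MAIL_HOST`, the function names and the sample message are constructed assumptions.

```python
import email
from email import policy
# Assumption (hypothetical): host our server stamps into Message-ID/Received.
OUR_MAIL_HOST = "mail.example.org"

# Constructed sample NDR in RFC 3464 layout; not a message from this thread.
SAMPLE_NDR = """\
From: postmaster@remote.example.net
Subject: Undeliverable: Hello
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.remote.example.net

Final-Recipient: rfc822; nosuchuser@remote.example.net
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

From: "Humberto Arthur" <user@example.org>
Message-ID: <abc123@dsl-host.example.com>
Received: from dsl-host.example.com by mx.remote.example.net

--b1--
"""

def returned_message(ndr):
    """Return the original message (or its headers) attached to an NDR."""
    for part in ndr.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":  # some servers return headers only
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify_ndr(raw, our_host=OUR_MAIL_HOST):
    """Heuristic triage: did the bounced message ever pass through our server?"""
    orig = returned_message(email.message_from_string(raw, policy=policy.default))
    if orig is None:
        return "unknown"  # nothing attached; fall back to message tracking
    msgid_host = str(orig.get("Message-ID", "")).strip(" <>").rpartition("@")[2]
    hops = " ".join(str(h) for h in orig.get_all("Received", []))
    ours = our_host == msgid_host.lower() or our_host in hops.lower()
    return "genuine-bounce" if ours else "backscatter"
```

Both headers are set by the sending side and can be forged, so a "genuine-bounce" result is a reason to confirm in message tracking and the user's sent items, not proof that the user sent the message.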