Turns out it is a Trojan:Exploit:Win32/CVE-2009-3129, at least that's what
the antivirus said (the one running on Exchange); the one on the local
computer hasn't seen anything...

Still don't get how this email could have been sent without the user knowing
it.

The user is alone in his office so he's saying no chance someone sent the
email from his computer.

Checked the mailbox rights, there are a couple of security groups for our IT
folks that have full mailbox access, but I assume they would not do that :)




On Wed, May 11, 2011 at 3:57 PM, Ellis, John P. <johnel...@wirral.gov.uk> wrote:

>  That changes things slightly then.
> A couple of thoughts.....
> Someone has jumped onto the user's machine and sent the email
> Does anyone have access to the user's email account (maybe via Mailbox
> rights permissions)?
> System generated email?
> An odd rule on the mailbox?
>
>
> Is the email in the sent items folder?
> Is the name of the spreadsheet the same as one that appears on your network
> drives?
>
>
> Thanks
>
> John
>
>  ------------------------------
> *From:* Al Rose [mailto:arose...@gmail.com]
> *Sent:* 11 May 2011 14:10
>
> *To:* MS-Exchange Admin Issues
> *Subject:* Re: User get NDRs without sending emails
>
> I tracked emails in Exchange, an email was sent around 2pm and the user
> received an NDR 2 hours later. If I look at the original email, there is
> only one recipient which is a recipient unknown from the user.
>
> After further investigation I also was told that the same email message
> has been received by external users (still unknown from the user who is
> supposed to have sent this message) and they actually responded to our user
> saying they received an excel attachment they could not open.
>
> So to resume an email is sent from one of our users (even the correct
> signature is in the email and contains a spreadsheet that cannot be opened).
>
> The user has no delegates nor granted the send as right to anyone. Only
> some helpdesk staff have the send as right to do so but I assume my colleagues
> would not send random emails...
>
>
> On Wed, May 11, 2011 at 10:43 AM, Ellis, John P. <johnel...@wirral.gov.uk> wrote:
>
>> Worth checking the headers of the email and see if it really is
>> generated by yourselves.
>> If the NDRs are being generated without a user sending an email, then it
>> sounds more like spam emails. I.e. someone has faked a from address (in this
>> case from your domain) and sent the email to an address that doesn't exist
>> thus generating an NDR.
>>
>> HTH
>>
>> john
>>
>>  ------------------------------
>> *From:* Al Rose [mailto:arose...@gmail.com]
>> *Sent:* 11 May 2011 09:16
>> *To:* MS-Exchange Admin Issues
>> *Subject:* User get NDRs without sending emails
>>
>>   Hi
>>
>> I am seeing more and more of this problem in our environment (still
>> running 2k3 SP2 Exchange servers): Users receive undeliverable NDRs without
>> writing email.
>> Been "googling" lately about it and apparently there are only two
>> solutions: totally disable NDRs (we don't want to do that), or get an
>> appliance (a magic one that will fix our problem).
>>
>> We currently use Antigen but only as an antivirus, as our antispam
>> filtering is done at a higher level where we don't have control.
>>
>> Anybody?
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to listmana...@lyris.sunbeltsoftware.com
>> with the body: unsubscribe exchangelist
>

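The header check suggested earlier in the thread, as an added example that is not part of the original messages: it pulls the bounced message out of an NDR and looks at its Received chain to tell a message that really passed through your own servers from backscatter caused by a forged From address. The host names and the sample NDRs are constructed assumptions.

```python
import email
import re
from email import policy

# Assumption: hypothetical host name; list your own Exchange/SMTP servers here.
OUR_SERVERS = {"exch01.example.org"}
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)

def original_from_ndr(ndr_bytes):
    """Return the bounced message (or just its headers) embedded in an NDR."""
    ndr = email.message_from_bytes(ndr_bytes, policy=policy.default)
    for part in ndr.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify_ndr(ndr_bytes, our_servers=OUR_SERVERS):
    """Return 'sent-via-our-servers', 'backscatter' or 'unknown' for one NDR."""
    original = original_from_ndr(ndr_bytes)
    if original is None:
        return "unknown"
    # Each relay that handled the message added "Received: ... by <host> ...".
    hops = [m.group(1).lower().rstrip(".")
            for r in original.get_all("Received", [])
            if (m := BY_HOST.search(str(r)))]
    if not hops:
        return "unknown"
    # A Received line can be forged by the sender, so confirm a hit against
    # the server's own message tracking log before blaming the mailbox.
    return "sent-via-our-servers" if any(h in our_servers for h in hops) else "backscatter"

def sample_ndr(received):
    """Constructed NDR (multipart/report) wrapping one bounced message."""
    return (
        "From: postmaster@remote.example\r\nTo: user@example.org\r\n"
        "Subject: Undeliverable\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\r\n\r\n'
        "--b\r\nContent-Type: text/plain\r\n\r\nRecipient unknown.\r\n"
        "--b\r\nContent-Type: message/rfc822\r\n\r\n"
        f"Received: {received}\r\nFrom: user@example.org\r\n"
        "To: nobody@remote.example\r\nSubject: report\r\n\r\nbody\r\n--b--\r\n"
    ).encode()

if __name__ == "__main__":
    stamp = "with SMTP; Wed, 11 May 2011 14:00:00 +0100"
    print(classify_ndr(sample_ndr(f"from pc7 by exch01.example.org {stamp}")))
    print(classify_ndr(sample_ndr(f"from unknown by mx.remote.example {stamp}")))
```
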