We had something similar a while ago and it was a worm on the user's
machine. It had both McAfee and Spysweeper and they found nothing. I
never did track it down completely. If you run something like
MailSweeper, set it to quarantine his outgoing. Getting off the black
lists took days. The one we had even set up a rule so that the NDRs
coming in were deleted, but left them in the deleted items folder.
 
Dave Wade
 
 


________________________________

        From: Al Rose [mailto:arose...@gmail.com] 
        Sent: 13 May 2011 10:51
        To: MS-Exchange Admin Issues
        Subject: Re: User get NDRs without sending emails
        
        
        Turns out it is a Trojan:Exploit:Win32/CVE-2009-3129, at least
        that's what the antivirus said (the one running on Exchange); the
        one on the local computer hasn't seen anything...

        Still don't get how this email could have been sent without the
        user knowing it.

        The user is alone in his office, so he's saying no chance someone
        sent the email from his computer.

        Checked the mailbox rights, there are a couple of security
        groups for our IT folks that have full mailbox access, but I assume
        they would not do that :)




        On Wed, May 11, 2011 at 3:57 PM, Ellis, John P.
<johnel...@wirral.gov.uk> wrote:
        

                That changes things slightly then.
                A couple of thoughts.....
                Someone has jumped onto the user's machine and sent the
                email
                Does anyone have access to the user's email account
                (maybe via Mailbox rights permissions)?
                System generated email?
                An odd rule on the mailbox?
                 
                 
                Is the email in the sent items folder?
                Is the name of the spreadsheet the same as one that
appears on your network drives?
                 
                 
                Thanks
                
                John

________________________________

                
                From: Al Rose [mailto:arose...@gmail.com] 
                Sent: 11 May 2011 14:10 
                To: MS-Exchange Admin Issues
                Subject: Re: User get NDRs without sending emails
                
                
                I tracked emails in Exchange, an email was sent around
                2pm and the user received an NDR 2 hours later. If I look at
                the original email, there is only one recipient, which is a
                recipient unknown from the user.

                After further investigation I also was told that the
                same email message has been received by external users (still
                unknown from the user who is supposed to have sent this
                message) and they actually responded to our user saying they
                received an Excel attachment they could not open.

                So to resume, an email is sent from one of our users (even
                the correct signature is in the email and contains a
                spreadsheet that cannot be opened).

                The user has no delegates nor granted the send as right
                to anyone. Only some helpdesk staff have the send as right to
                do so, but I assume my colleagues would not send random
                emails...


                On Wed, May 11, 2011 at 10:43 AM, Ellis, John P.
<johnel...@wirral.gov.uk> wrote:
                

                        Worth checking the headers of the email and see
                        if it really is generated by yourselves.
                        If the NDRs are being generated without a user
                        sending an email, then it sounds more like spam
                        emails, i.e. someone has faked a from address (in this
                        case from your domain) and sent the email to an address
                        that doesn't exist, thus generating an NDR.
                         
                        HTH
                        
                        john

________________________________

                        From: Al Rose [mailto:arose...@gmail.com] 
                        Sent: 11 May 2011 09:16
                        To: MS-Exchange Admin Issues
                        Subject: User get NDRs without sending emails
                        
                        
                        Hi  

                        I am seeing more and more of this problem in our
                        environment (still running 2k3 SP2 Exchange servers):
                        users receive undeliverable NDRs without writing email.
                        Been "googling" lately about it and apparently
                        there are only two solutions: totally disable NDRs (we
                        don't want to do that), or get an appliance (a magic one
                        that will fix our problem).

                        We currently use Antigen but only as an
                        antivirus, as our antispam filtering is done at a higher
                        level where we don't have control.

                        Anybody?

                        ---
                        To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
                        or send an email to
listmana...@lyris.sunbeltsoftware.com
                        with the body: unsubscribe exchangelist
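
Added example, not part of any message in this thread: a way to apply the header check suggested above to a saved NDR, by pulling the bounced original out of the report and testing whether its oldest Received hop lies inside your own address space. `OUR_NETS`, `make_ndr`, the function names and all addresses and hostnames are constructed assumptions.

```python
import email, ipaddress, re
from email import policy

# Assumption: address ranges our own clients and servers send from (constructed).
OUR_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

def original_headers(ndr_bytes):
    """Return the message (or its headers) that the NDR says it bounced."""
    ndr = email.message_from_bytes(ndr_bytes, policy=policy.default)
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def first_hop_ip(msg):
    """IP literal in the oldest (bottom-most) Received header, or None."""
    received = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[-1])) if received else None
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def classify_ndr(ndr_bytes):
    orig = original_headers(ndr_bytes)
    ip = first_hop_ip(orig) if orig is not None else None
    if ip is None:
        return "unknown"                 # no copy of the original, or no usable hop
    if any(ip in net for net in OUR_NETS):
        return "sent-from-our-network"   # a real send: examine the host and mailbox
    return "backscatter"                 # forged From: never passed through our servers

def make_ndr(first_hop):
    """Constructed sample NDR whose bounced original entered the mail path at first_hop."""
    original = (
        "Received: from relay.example.net ([203.0.113.9]) by mx.example.org; Wed, 11 May 2011 14:01:00 +0000\r\n"
        f"Received: from client ([{first_hop}]) by mail.example.com; Wed, 11 May 2011 14:00:00 +0000\r\n"
        "From: user@example.com\r\nTo: nobody@example.org\r\nSubject: report\r\n\r\nbody\r\n")
    return (
        "From: postmaster@example.org\r\nTo: user@example.com\r\nSubject: Undeliverable: report\r\n"
        'MIME-Version: 1.0\r\nContent-Type: multipart/report; report-type=delivery-status; boundary="b"\r\n\r\n'
        "--b\r\nContent-Type: text/plain\r\n\r\nDelivery failed.\r\n"
        "--b\r\nContent-Type: message/delivery-status\r\n\r\nFinal-Recipient: rfc822; nobody@example.org\r\nStatus: 5.1.1\r\n\r\n"
        "--b\r\nContent-Type: message/rfc822\r\n\r\n" + original + "--b--\r\n").encode()

if __name__ == "__main__":
    for hop in ("10.1.2.3", "198.51.100.7"):
        print(hop, "->", classify_ndr(make_ndr(hop)))
```

Received lines older than the one stamped by your own server can be forged, so treat a "sent-from-our-network" result as a lead and confirm it against the server's message tracking, as was done in this thread.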

        