Server Sends Duplicate Meeting Requests To Mystery Address

Killrob

Dec 4, 2007, 12:57:01 PM
Something very strange is happening on my Exchange 2003 server. Users will
send out a meeting request which will work normally and go to each attendee
as expected. But sometimes (I can’t see any pattern to it) a duplicate
meeting request will also be generated one second later. This second meeting
request only has one attendee at an unknown email address that is not in our
domain.

The address is b...@me.com. I can’t find the source of this email address.
It’s not in the Outlook Contacts of the various users who create the meeting
requests. And it’s not in the Outlook auto-complete cache of the users
either. It’s not in the Global Catalog or in Active Directory as far as I can
tell. How do I thoroughly search AD? Are there other places it may hide?

But it gets even stranger. One of my users has suddenly started getting NDRs
saying 550 5.7.1 Relaying to <b...@me.com> denied (authentication required).
That user is not the one sending out the meeting request, or even one of the
attendees. I searched our email archive and these duplicate meeting requests
have been occurring randomly since this past May. I checked the headers of
each of these duplicates and for most of them (but not all of them) there is
an extra Sender: line.

The From/To portion in the email header of the initial meeting requests looks
like this:
From: "Organizer" <orga...@ourdomain.com>
To: "Attendee 1" <atte...@ourdomain.com>
"Attendee 2" <atte...@ourdomain.com>
"Attendee 3" <atte...@ourdomain.com>

But in the duplicates I see this:
From: "Organizer" <orga...@ourdomain.com>
Sender: "UserX" <us...@ourdomain.com>
To: <b...@me.com>

The Sender line has been added and the mystery To: address is there. UserX
is the one getting the NDRs. That user is neither the organizer nor one of
the attendees. And it’s only this one user. No other users are ever found in
the extra Sender: line. What is the Sender: line and how is it different from
the From: line?

Could this be some kind of virus? It only happens on meeting requests, not
on regular emails. And since these duplicates have been going out since May
why is it only now that the NDRs are appearing?

Rich Matheisen [MVP]

Dec 4, 2007, 9:31:02 PM
Killrob <Kil...@discussions.microsoft.com> wrote:

[ snip ]

>The Sender line has been added and the mystery To: address is there. UserX
>is the one getting the NDRs. That user is neither the organizer nor one of
>the attendees. And it’s only this one user. No other users are ever found in
>the extra Sender: line. What is the Sender: line and how is it different from
>the From: line?

The "Sender:" header is how you convey the "Sent on behalf of"
information. The "Sender:" is the person that sent the message, the
"From:" header is the person on whose behalf the message was sent.

Look for "Userx" being a delegate of "Organizer".

>Could this be some kind of virus?

Yes, it's one that's commonly caused by people forgetting what they've
done. I think the name is PEBKAC. :-)

>It only happens on meeting requests, not
>on regular emails.

Sure sounds like delegate access to me!

>And since these duplicates have been going out since May
>why is it only now that the NDRs are appearing?

Maybe the admin at the me.com domain just got tired of your server
sending those unwanted meeting requests?

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.p...@getronics.com
Or to these, either: mailto:h.p...@pinkroccade.com mailto:melvin.mcp...@getronics.com mailto:melvin.mcp...@pinkroccade.com

Killrob

Dec 6, 2007, 2:59:06 PM
Thanks for the reply Rich.

I checked with a few of the users that were the organizer on some of these
and they do not have UserX as a delegate.

I also used a command similar to this...
c:\>ldifde -f delegates.txt -d "ou=users,dc=domain,dc=com" -l name,publicDelegates,publicDelegatesBL -r "(|(publicDelegates=*)(publicDelegatesBL=*))"

...to see if anyone had any delegates and it came back with No Entries Found.

Any other possibilities?

Rich Matheisen [MVP]

Dec 6, 2007, 10:16:50 PM
Killrob <Kil...@discussions.microsoft.com> wrote:

A rule in the mailbox that Outlook isn't showing you? MDBVU2 would be
the tool to start with.

Rich Matheisen [MVP]

Dec 7, 2007, 10:39:59 PM
Killrob <Kil...@discussions.microsoft.com> wrote:

. . . or running Outlook with the /cleanrules switch.

Killrob

Dec 10, 2007, 2:45:18 PM

Thanks again Rich. I didn't think to check the rules. Sure enough UserX had
a rule to forward all incoming meeting requests to b...@me.com. It was right
there in Outlook - not hidden at all. The question that remains is how that
rule got in there.

I checked with the user and she definitely did not put it in there. She has
never used rules at all. Are there ways to make rules automatically generate
themselves? Can an email contain a link that creates the rule for you if you
click it?

Rich Matheisen [MVP]

Dec 10, 2007, 3:22:02 PM
Killrob <Kil...@discussions.microsoft.com> wrote:

The only automatic ones are when creating delegates, but those are
usually not visible to the user.
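
The header pattern this thread turned up (a Sender: mailbox that differs from From:, with a recipient outside the organization) can be searched for across archived messages to find which mailbox is forwarding and where to. This is an added example, not part of the original thread; the domain names and sample headers are constructed, and the function names are hypothetical.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "ourdomain.example"  # assumption: the organization's own mail domain

# Constructed sample headers modelled on the header shapes quoted in the thread.
SAMPLES = [
    # Normal meeting request: no Sender:, internal attendees only.
    'From: "Organizer" <organizer@ourdomain.example>\n'
    'To: "Attendee 1" <attendee1@ourdomain.example>,\n'
    ' "Attendee 2" <attendee2@ourdomain.example>\n\n',
    # Duplicate: Sender: added, single recipient outside the organization.
    'From: "Organizer" <organizer@ourdomain.example>\n'
    'Sender: "UserX" <userx@ourdomain.example>\n'
    'To: <mystery@external.example>\n\n',
    # Ordinary delegate sending on behalf of someone, internal recipient.
    'From: "Manager" <manager@ourdomain.example>\n'
    'Sender: "Assistant" <assistant@ourdomain.example>\n'
    'To: <attendee1@ourdomain.example>\n\n',
]

def audit(raw_message):
    """Return (sender, external_recipients) if the pattern matches, else None."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("Sender", ""))[1].lower()
    author = parseaddr(msg.get("From", ""))[1].lower()
    if not sender or sender == author:
        return None  # not sent on behalf of anyone
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = [addr.lower() for _, addr in getaddresses(fields) if addr]
    external = sorted({a for a in rcpts
                       if a.rpartition("@")[2] != INTERNAL_DOMAIN})
    return (sender, external) if external else None

def summarize(raw_messages):
    """Count flagged messages per (Sender mailbox, external recipient)."""
    hits = Counter()
    for raw in raw_messages:
        finding = audit(raw)
        if finding:
            sender, external = finding
            for rcpt in external:
                hits[(sender, rcpt)] += 1
    return hits

if __name__ == "__main__":
    for (sender, rcpt), n in summarize(SAMPLES).most_common():
        print(f"{n} message(s): {sender} sent on behalf of others to {rcpt}")
```

A single mailbox dominating the Sender: column for one outside address is the cue to review that mailbox's rules, as was done here for UserX.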
