
Spoofed?


Dave

Jan 21, 2005, 2:47:02 PM
Below is an email one of my clients received. I right-clicked on the email
and then options:

Microsoft Mail Internet Headers Version 2.0
Received: from mgear.com ([xxx.xx.xx.xx] RDNS failed) by xx.com with
Microsoft SMTPSVC(5.0.2195.6713);
Fri, 21 Jan 2005 12:31:23 -0700
Date: Fri, 21 Jan 2005 11:49:33 -0800
Message-Id: <10501211149...@mgear.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: "Postmaster" <postm...@mgear.com>
Sender: <postm...@mgear.com>
To: <my email address>
Subject: Undeliverable Mail
X-Mailer: <SMTP32 v8.05>
Return-Path: <>
X-OriginalArrivalTime: 21 Jan 2005 19:31:23.0562 (UTC)
FILETIME=[CAA9F8A0:01C4FFEF]

I changed some of the information to x's.

--
Dave

Lanwench [MVP - Exchange]

Jan 22, 2005, 5:47:46 PM

Well, without knowing whether mgear.com or the IP/server information
belongs to you, it's hard to say.


Dave

Jan 24, 2005, 12:49:03 PM
Lanwench,
Neither the IP address nor mgear.com belongs to me. I do not have anything to
do with either.

Lanwench [MVP - Exchange]

Jan 24, 2005, 10:25:03 PM
Dave wrote:
> Lanwench,
> Neither the IP address nor mgear.com belongs to me. I do not have
> anything to do with either.

Then it ain't you, babe. What's your question?

Dave

Jan 25, 2005, 9:01:06 AM
My question is am I being hacked/spoofed? Is my server being used to send
out emails?

Lanwench [MVP - Exchange]

Jan 25, 2005, 5:19:18 PM
Dave wrote:
> My question is am I being hacked/spoofed? Is my server being used to
> send out emails?

You said someone external to your network got this, right?
And none of the IP/host info is yours?
Then it's probably spoofing, or a virus, and nothing to do with you.
But it's always good to check that your server isn't open to being used as a
relay, including authenticated relay.

Dave

Jan 25, 2005, 6:01:03 PM
No, someone INTERNAL got this. How do I check to see if my server is being used
as a relay?

Lanwench [MVP - Exchange]

Jan 26, 2005, 8:02:37 AM
Dave wrote:
> No, someone INTERNAL got this. How do I check to see if my server is
> being used as a relay?

All right, you said the recipient was a client, so I assumed you meant it
was someone external.
If you see a message that purports to be from an address internal to the
network (as in, for a domain Exchange is handling), and yet it has Internet
Mail headers, it isn't internal, and yes, it's probably a result of
spoofing. Anybody can spoof you....

Another possibility is that someone, somewhere, who has the recipient's name
in their address book, has a virus that is spoofing the sender.

In any case, it doesn't sound like it's a problem with the Exchange server.

Presuming Exchange 2000/2003:

See http://www.msexchange.org/tutorials/MF005.html for a good overview of
relaying and spam.

Also see http://www.vamsoft.com/orf/authattack.asp - if you don't have
strong/complex password policies enabled, force regular password changes,
have enabled guest, etc., someone may exploit authenticated relay. If you
don't need authenticated relay, disable it. You can always have any external
POP users use their own ISP's SMTP server for outbound mail anyway.
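
The header reasoning in this thread (Internet headers mean the message was not internal; a sender address is only a claim) can be applied mechanically. The following is an added example, not code from any poster in the thread: it triages one message's headers, and the domain names, address ranges and the sample message are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions, not from the thread: the domains and networks your own server handles.
LOCAL_DOMAINS = {"example.com"}
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample modeled on the headers in the first post; all names are placeholders.
SAMPLE = """\
Received: from mail.example.net ([203.0.113.7] RDNS failed) by mx.example.com with
 Microsoft SMTPSVC(5.0.2195.6713);
 Fri, 21 Jan 2005 12:31:23 -0700
From: "Postmaster" <postmaster@example.net>
To: <user@example.com>
Subject: Undeliverable Mail
Return-Path: <>
"""

def triage(raw):
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    # The topmost Received header is the hop recorded by the receiving server.
    top = " ".join(received[0].split()) if received else ""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top)
    ip = ipaddress.ip_address(m.group(1)) if m else None
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "has_internet_headers": bool(received),
        "peer_ip": str(ip) if ip else None,
        "peer_is_external": ip is not None and not any(ip in n for n in LOCAL_NETS),
        "rdns_failed": "rdns failed" in top.lower(),
        "claims_local_sender": from_domain in LOCAL_DOMAINS,
        "null_return_path": msg.get("Return-Path", "").strip() == "<>",
    }

def verdict(t):
    if t["claims_local_sender"] and t["peer_is_external"]:
        return "local sender address on mail delivered from outside: likely spoofed"
    if t["null_return_path"] and t["peer_is_external"]:
        return "bounce delivered from outside: check whether your users sent the original"
    if not t["has_internet_headers"]:
        return "no Internet headers: consistent with internal delivery"
    return "inbound Internet mail: no indicator in these headers"

if __name__ == "__main__":
    print(verdict(triage(SAMPLE)))
```

A header check like this only describes how one message arrived; whether the server itself relays for outsiders is a separate question answered by its relay restrictions and SMTP logs.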
