
Mystery NDR


mph...@gmail.com

Nov 27, 2006, 11:17:55 AM
I have a user who is intermittently getting NDRs similar to the one
below, and I can't figure out quite what's going on.

From: System Administrator
Sent: Sunday, November 19, 2006 12:13 PM
To: Murray, Bill
Subject: Undeliverable: **Message you sent blocked by our bulk
email filter**

Your message did not reach some or all of the intended recipients.

Subject: not worthy, deeds were which God, O man of your
Sent: 11/19/2006 11:11 AM

The following recipient(s) could not be reached:

Murray, Bill on 11/19/2006 12:13 PM
You do not have permission to send to this recipient. For
assistance, contact your system administrator.
< barracuda.companyname.com #5.7.1 smtp; 550 5.7.1 Message
content rejected, UBE, id=15505-01-5>

The topology is Exchange server inside the firewall, with a Barracuda
300 Spam appliance, also inside the firewall. The MX record points to
an outside address which is NAT'ed through the firewall to the
Barracuda. The Barracuda then forwards the mail onto the exchange
server. The Barracuda only handles inbound mail, it doesn't touch
outbound mail. We also run ORF on the Exchange server itself (don't
ask me why, we just do).

There is no evidence that the original message originated from the
Exchange server, but if it didn't, how would the user ever get the NDR?
Even if it DID originate from Exchange, if it's going to the same user,
it would never hit the SMTP server or the Barracuda. The only way I
can see it hitting the Barracuda would be if there were some spyware
using its own SMTP server or an external SMTP server, but then the
user shouldn't get the NDR from our Exchange server.

Has anyone ever seen this before? Am I misreading the NDR? Or is
something being spoofed?

There is no log information, either in Exchange (SMTP logging is
enabled, message tracking is not) or from Barracuda, or from ORF that
helps me figure out where this thing is coming from.

Any help would be greatly appreciated.

Thanks
Mark Haney

Rich Matheisen [MVP]

Nov 27, 2006, 9:00:18 PM
mph...@gmail.com wrote:

>I have a user who is intermittently getting NDRs similar to the one
>below, and I can't figure out quite what's going on.

His SMTP address has been spoofed. He didn't send the message but it
looks like he did, so he gets the NDR.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.p...@getronics.com
Or to these, either: mailto:h.p...@pinkroccade.com mailto:melvin.mcp...@getronics.com mailto:melvin.mcp...@pinkroccade.com

MPHinPgh

Nov 28, 2006, 9:22:38 AM
I was kinda figuring that, but I'm still having a hard time
understanding how our server can _apparently_ generate an NDR for a
message that didn't originate from our server.

I find no evidence of the NDR message arriving via SMTP, so I figure it
had to come from our server. Wouldn't the SMTP server on the Exchange
box be the one to create the NDR?

I really hate all this spam crap. Makes life way too frustrating.

Thanks for the reply

Mark

Rich Matheisen [MVP]

Nov 28, 2006, 8:22:47 PM
"MPHinPgh" <mph...@gmail.com> wrote:

>I was kinda figuring that, but I'm still having a hard time
>understanding how our server can _apparently_ generate an NDR for a
>message that didn't originate from our server.

It doesn't. It just sends the NDR from the other system to his
mailbox.

>I find no evidence of the NDR message arriving via SMTP, so I figure it
>had to come from our server. Wouldn't the SMTP server on the Exchange
>box be the one to create the NDR?

Where were you looking for this "evidence"? I hope it was the SMTP
Protocol Log.

The NDR usually has information (sometimes as an attachment) that
reports the sending and reporting MTA.

>I really hate all this spam crap. Makes life way too frustrating.

Not to mention "too expensive".

MPHinPgh

Nov 30, 2006, 4:12:37 PM

Rich Matheisen [MVP] wrote:
> "MPHinPgh" <mph...@gmail.com> wrote:
>
> >I was kinda figuring that, but I'm still having a hard time
> >understanding how our server can _apparently_ generate an NDR for a
> >message that didn't originate from our server.
>
> It doesn't. It just sends the NDR from the other system to his
> mailbox.
>
> >I find no evidence of the NDR message arriving via SMTP, so I figure it
> >had to come from our server. Wouldn't the SMTP server on the Exchange
> >box be the one to create the NDR?
>
> Where were you looking for this "evidence"? I hope it was the SMTP
> Protocol Log.

There and the message log on the Barracuda appliance. Nothing gets to
the Exchange server without going through the Barracuda, and it ain't
in the logs. That's what has me so confused.


>
> The NDR usually has information (sometimes as an attachment) that
> reports the sending and reporting MTA.
>
> >I really hate all this spam crap. Makes life way too frustrating.
>
> Not to mention "too expensive".

I wouldn't mind the expensive part if it fixed the frustrating part ;-)

Rich Matheisen [MVP]

Nov 30, 2006, 9:41:30 PM
"MPHinPgh" <mph...@gmail.com> wrote:

>
>Rich Matheisen [MVP] wrote:
>> "MPHinPgh" <mph...@gmail.com> wrote:
>>
>> >I was kinda figuring that, but I'm still having a hard time
>> >understanding how our server can _apparently_ generate an NDR for a
>> >message that didn't originate from our server.
>>
>> It doesn't. It just sends the NDR from the other system to his
>> mailbox.
>>
>> >I find no evidence of the NDR message arriving via SMTP, so I figure it
>> >had to come from our server. Wouldn't the SMTP server on the Exchange
>> >box be the one to create the NDR?
>>
>> Where were you looking for this "evidence"? I hope it was the SMTP
>> Protocol Log.
>
>There and the message log on the Barracuda appliance. Nothing gets to
>the Exchange server without going through the Barracuda, and it ain't
>in the logs. That's what has me so confused.

I'm pretty sure Exchange doesn't have a "bulk email filter", so it's a
good bet it didn't come from your server.

You say it's not in the logs, and I assume that's your spam filter's
logs, but what about the SMTP protocol logs on Exchange?

If the guy repeatedly gets the /same/ NDR, set up the spam filter to
send a copy of the message as an attachment to you. Then you'll have a
clean copy of the message.

As to the "nothing gets to Exchange" bit, I can't prove or disprove
any of that. But the NDR is not only TO "Murray, Bill" at your site,
the message was FROM the same person. The NDR also looks like it has
your spam filter's FQDN in the NDR. That being the case, the message
that was refused by "barracuda.companyname.com" should be found in
that machine's SMTP log (not in the message log, because the message
was never accepted).

You /may/ have an infected machine on your LAN. But you'll need the
log files to prove it.

>> The NDR usually has information (sometimes as an attachment) that
>> reports the sending and reporting MTA.
>>
>> >I really hate all this spam crap. Makes life way too frustrating.
>>
>> Not to mention "too expensive".
>
>I wouldn't mind the expensive part if it fixed the frustrating part ;-)

If spam wasn't intentionally confusing it'd be easy to stop. :-(
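Rich's advice in this thread, read the sending and reporting MTA out of the NDR and then look in the refusing host's SMTP protocol log rather than its message log, as a worked example. This is added here and is not code from the thread, from Exchange, or from the Barracuda product; the DSN text, hostnames, addresses and the `id=` value in it are constructed, and `is_forged_sender_bounce` encodes Mark's own observation that mail between two internal users never passes the inbound filter.

```python
"""Parse a bounce (NDR/DSN): which host refused the message, and is the bounce
backscatter for a forged sender? Added example; every host, address and id is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Exchange-style inline diagnostic, as in the NDR quoted in the thread:
#   < host #5.7.1 smtp; 550 5.7.1 Message content rejected, UBE, id=...>
INLINE_DIAG = re.compile(
    r"<\s*(?P<host>[\w.-]+)\s+#(?P<status>\d\.\d+\.\d+)\s+smtp;\s*(?P<diag>[^>]*)>"
)

# Constructed multipart/report DSN in RFC 3464 layout; hosts, addresses and id are made up.
SAMPLE_DSN = """\
From: Mail Delivery System <postmaster@mail.example.net>
To: bill.murray@example.com
Subject: Undeliverable: Message you sent blocked by our bulk email filter
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message did not reach some or all of the intended recipients.
< barracuda.example.com #5.7.1 smtp; 550 5.7.1 Message content rejected, UBE, id=00000-00-0>
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net

Final-Recipient: rfc822; bill.murray@example.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; barracuda.example.com
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE, id=00000-00-0

--b1--
"""


def _strip_type(value):
    """RFC 3464 fields carry a type prefix: 'dns; host' -> 'host'."""
    return None if value is None else value.split(";", 1)[-1].strip()


def parse_bounce(raw):
    """Return reporting MTA (generated the DSN), remote MTA (refused the message), status, etc."""
    msg = message_from_string(raw)
    report = {"bounce_to": parseaddr(msg.get("To", ""))[1], "reporting_mta": None,
              "remote_mta": None, "status": None, "diagnostic": None,
              "final_recipient": None}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # Payload is a list of header blocks: one per-message block, then one per recipient.
            for block in part.get_payload():
                if block["Reporting-MTA"]:
                    report["reporting_mta"] = _strip_type(block["Reporting-MTA"])
                if block["Final-Recipient"]:
                    report["final_recipient"] = _strip_type(block["Final-Recipient"])
                    report["remote_mta"] = _strip_type(block["Remote-MTA"])
                    report["status"] = block["Status"]
                    report["diagnostic"] = _strip_type(block["Diagnostic-Code"])
        elif ctype == "text/plain" and report["remote_mta"] is None:
            # Fallback for NDRs that only carry the human-readable diagnostic line.
            m = INLINE_DIAG.search(part.get_payload() or "")
            if m:
                report["remote_mta"], report["status"] = m["host"], m["status"]
                report["diagnostic"] = m["diag"].strip()
    return report


def is_forged_sender_bounce(report, own_domain):
    """The thread's reasoning as a check: a bounce delivered to one of our users, for a
    message addressed to our own domain, refused by a host in our own domain (the inbound
    filter). Internal mail never passes that filter, so the refused message was submitted
    from outside with one of our addresses forged as the sender."""
    own = own_domain.lower()
    in_domain = lambda a: a is not None and a.lower().rsplit("@", 1)[-1] == own
    own_host = lambda h: h is not None and h.lower().endswith("." + own)
    return (in_domain(report["bounce_to"]) and in_domain(report["final_recipient"])
            and own_host(report["remote_mta"]))


def where_to_look(report):
    """A 5xx refusal at SMTP time means the refusing host never accepted the message,
    so the record is in its SMTP protocol log, not in its message log."""
    host = report["remote_mta"] or report["reporting_mta"]
    if report["status"] and report["status"].startswith("5"):
        return f"SMTP protocol log on {host}"
    return f"message log on {host}"


if __name__ == "__main__":
    r = parse_bounce(SAMPLE_DSN)
    print("forged sender:", is_forged_sender_bounce(r, "example.com"))
    print("look in:", where_to_look(r))
```

The `message/delivery-status` part is authoritative when present; the regex over the text part only covers NDRs like the one quoted above, which carry just the `< host #status smtp; ... >` line. A bounce that matches `is_forged_sender_bounce` is the pattern Rich describes: nobody on the Exchange side sent anything, the sender address was used from outside, and the place to confirm it is the refusing host's protocol log.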
