Spam spam spam...

[Ryan]

One of my colleagues is getting lots of mail like the following:

From: System Administrator
Sent: 31 March 2008 10:01
To: <colleague>
Subject: Undeliverable: {Spam?} Óïðîùåííàÿ ñèñòåìà íàëîãîîáëîæåíèÿ â 2008 ã.

Your message did not reach some or all of the intended recipients.

Subject: {Spam?} Упрощенная система налогообложения в 2008 г.
Sent: 31/03/2008 08:12

The following recipient(s) could not be reached:

foo@pgpi.ru on 31/03/2008 10:04
The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
<mail-pgpi.pgpi.local #5.1.1>

From: System Administrator
Sent: 31 March 2008 12:01
To: <colleague>
Subject: Undeliverable: *****SPAM***** Hermes

Your message did not reach some or all of the intended recipients.

Subject: *****SPAM***** Hermes
Sent: 01/04/2008 05:19

The following recipient(s) could not be reached:

gerichdd@neoperl.com on 31/03/2008 11:58
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< mail1.nrgnetworks.com #5.0.0 smtp; 550 unknown user <gerichdd@neoperl.com>>

It obviously looks like it's being bounced back to here. Is it likely her machine is zombified, or is it just speculative spam? It's coming from all over the place.

Bottom line, how do i stop it? She's getting about 30 per day atm.

[Ric_]

Those messages do look like bounce backs... her machine isn't being used as a relay is it?

Get the AV and AS tools out!

[DMcCoy]

Sometimes the domain or address is used, I've had over 4000 bounced back in a single day before, and it certainly wasn't a compromised machine.

[Ryan]

AV came back clean (McAfee 8.5). I'll try a SpyBot search today methinks.

Is there a way to check Exchange to see if her account is indeed sending out those emails initially?

[Ric_]

@Ryan: You can use message tracking to see what mail has been sent from her account.

[Ryan]

I've turned on message tracking to see if that yields anything. Thanks Ric

@DMcCoy - how did you resolve that? Or did you?

[ZeroHour]

@DMcCoy - how did you resolve that? Or did you?

There is nothing you can do if a spammer spoofs email to come from your domain. You just need to control the NDR messages really.

[Ryan]

You just need to control the NDR messages really.

Go on...

[Geoff]

There is nothing you can do if a spammer spoofs email to come from your domain.

You could implement SPF.

SPF: Project Overview

[ZeroHour]

@Geoff: SPF is still considered fairly toothless. Not many truely use it to weight against a server. I have used SPF in the past and even when I break the SPF (so it read "fail" in the header) the email still does not get filtered.

@Ryan: there is not much you can do to block NDR's as you still need them for real NDR. Just educate the staff saying if you receive a bounce and didnt send anything, ignore it generally.

[Ryan]

Hmm. It may be time to bite the bullet and give her an alternate email address then. Cheers lads.

[Geoff]

@Geoff: SPF is still considered fairly toothless. Not many truely use it to weight against a server. I have used SPF in the past and even when I break the SPF (so it read "fail" in the header) the email still does not get filtered.

I do, because I have an up to date Spam Assassin installation. It will factor in SPF information in it's 'spaminess' score. While I agree SPF isn't the perfect solution, it's one of the best ones on the table at the moment. So unless you can come up with a better idea, what's the problem with implementing it. Even if it doesn't get rid of all the spam, it'll cut down on a percentage.

[JamesC]

@Geoff: SPF is still considered fairly toothless. Not many truely use it to weight against a server. I have used SPF in the past and even when I break the SPF (so it read "fail" in the header) the email still does not get filtered.

I have implemented it, and I know for a fact it is used by hotmail servers. When I have tested it and it blocks email fine. Perhaps you misconfigured your spf record?