
Help how do i stop all these Undeliverable: messages

Created: 07 Dec 2008 • Updated: 21 May 2010 | 9 comments

Hey all,

The setup of our email is Postfix -- Brightmail -- Exchange 2007. All of our employees are getting loads of Undeliverable emails and I have no idea how to stop them; an example is below. I have done some digging in the logs etc. and the disposition is "open proxy list", which says it sends a notification and deletes the message. Another post said something about the default firewall policy, which is not editable! Please help, it's driving me crazy!

EXAMPLE MAIL:

Delivery has failed to these recipients or distribution lists: {removed}
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.  

Diagnostic information for administrators: 

Generating server: ms-mail-1 

{removed}

#< #5.0.0> #SMTP# 

Original message headers: 

X-AuditID: 0afe011b-0000018000000538-06-493b1b6866b7
Received: from relaymail.piit.co.uk ([192.168.x.x] RDNS failed) by
 ms-mail-1.partners-in-it.co.uk with Microsoft
 SMTPSVC(6.0.3790.3959);         Sun, 7 Dec 2008 00:40:08 +0000
Received: from CPE-58-161-67-181.nsw.bigpond.net.au (cpe-58-161-67-181.nsw.bigpond.net.au [58.161.67.181])
            by relaymail.piit.co.uk (Postfix) with SMTP id 87E2A1382FF
            for <{removed}>; Sun,  7 Dec 2008 00:40:04 +0000 (UTC)
To: <{removed}>
Subject: Your order
From: <{removed}>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
Message-ID: <20081207004004.87E2A1382FF@relaymail.piit.co.uk>
Date: Sun, 7 Dec 2008 00:40:04 +0000

[Edited: Removed personal information per the community rules and regulations.]
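The quoted "Original message headers" already contain the answer to whether these are bounces of mail we really sent. The following Python check is an added example, not code from this post or from Postfix, Brightmail or Exchange: it walks the Received: chain of the quoted original and reports whether the message that bounced ever originated on our side. It assumes piit.co.uk is the local domain, that relaymail.piit.co.uk and relay1.piit.co.uk are the inbound relays, and that RFC 1918 space is internal; the sample headers are constructed from the anonymised ones in the post.

```python
"""Decide whether an NDR is a bounce of mail we really sent or a bounce of a
forged message that merely claimed one of our users as its sender.

Added example, not code from the thread or from Symantec/Exchange/Postfix.
Assumptions: our mail domain is piit.co.uk, our inbound relays are the two
hostnames below, and anything inside RFC 1918 space is our own network.
The sample headers are constructed from the anonymised ones in the post.
"""
import email
import ipaddress
import re
from email.utils import parseaddr

LOCAL_DOMAIN = "piit.co.uk"                                     # assumption
TRUSTED_RELAYS = {"relaymail.piit.co.uk", "relay1.piit.co.uk"}  # assumption


def parse_received(value):
    """Return (from_host, ip_or_None, by_host) for one Received: header.

    Handles both the Postfix form   'from helo (rdns [ip]) by host'
    and the Exchange/IIS form       'from helo ([ip] RDNS failed) by host'.
    """
    text = " ".join(value.split())            # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)", text)
    if not m_from:
        return None
    rest = text[m_from.end():]
    m_by = re.search(r"\bby\s+(\S+)", rest)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", rest)
    return (m_from.group(1).lower(),
            m_ip.group(1) if m_ip else None,
            m_by.group(1).lower() if m_by else None)


def origin_is_ours(from_host, ip):
    """True when the earliest hop was one of our relays or an internal address."""
    if from_host in TRUSTED_RELAYS:
        return True
    if ip is not None:
        try:
            return ipaddress.ip_address(ip).is_private
        except ValueError:
            return False
    return False


def classify_ndr(original_headers):
    """Classify the 'Original message headers' block quoted inside an NDR.

    Returns one of:
      'forged-sender'   From: is our domain but the mail entered from outside,
                        so the NDR answers spam that spoofed our user;
      'genuine'         From: is our domain and the first hop was internal;
      'not-our-sender'  From: is not our domain at all.
    """
    msg = email.message_from_string(original_headers)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    if not hops:
        return "no-received-headers"
    # Each MTA prepends its own Received: line, so the last one is the first hop.
    first_host, first_ip, _by = hops[-1]
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain != LOCAL_DOMAIN:
        return "not-our-sender"
    return "genuine" if origin_is_ours(first_host, first_ip) else "forged-sender"


# Constructed from the headers quoted in the post (addresses were anonymised there).
FORGED_HEADERS = """\
Received: from relaymail.piit.co.uk ([192.168.253.20] RDNS failed) by
 ms-mail-1.partners-in-it.co.uk with Microsoft
 SMTPSVC(6.0.3790.3959);         Sun, 7 Dec 2008 00:40:08 +0000
Received: from CPE-58-161-67-181.nsw.bigpond.net.au (cpe-58-161-67-181.nsw.bigpond.net.au [58.161.67.181])
            by relaymail.piit.co.uk (Postfix) with SMTP id 87E2A1382FF
            for <joesmith@piit.co.uk>; Sun,  7 Dec 2008 00:40:04 +0000 (UTC)
To: <joesmith@piit.co.uk>
Subject: Your order
From: <joesmith@piit.co.uk>
Message-ID: <20081207004004.87E2A1382FF@relaymail.piit.co.uk>
"""

# Constructed: what a bounce of mail we really sent would look like instead.
GENUINE_HEADERS = """\
Received: from relaymail.piit.co.uk (relaymail.piit.co.uk [203.0.113.10])
 by mx.example.net (Postfix) with ESMTP id 1234ABCD
 for <someone@example.net>; Sun, 7 Dec 2008 09:00:00 +0000 (UTC)
Received: from ms-mail-1.partners-in-it.co.uk ([192.168.253.5])
 by relaymail.piit.co.uk (Postfix) with ESMTP id 5678EF01
 for <someone@example.net>; Sun, 7 Dec 2008 08:59:58 +0000 (UTC)
From: <joesmith@piit.co.uk>
To: <someone@example.net>
"""

if __name__ == "__main__":
    print(classify_ndr(FORGED_HEADERS))    # forged-sender
    print(classify_ndr(GENUINE_HEADERS))   # genuine
```

On the post's own headers the verdict is forged-sender: the original entered relaymail.piit.co.uk from a bigpond.net.au consumer address with From: set to the very user it was addressed to, so the "Undeliverable" is generated on our side in response to inbound spam, not by a remote server bouncing something we sent. No outbound original will ever show up in message tracking, and the place to stop it is the gateway: reject the message during the SMTP session instead of accepting it, deleting it and notifying the forged sender.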

Message Edited by Brad_C on 12-07-2008 02:15 PM

Comments (9)

Ian McShane wrote:

Hi,

Are these genuine NDR/DSNs or is this backscatter spam?

--ian

Jesters wrote:

I'm not sure, as the info shows it as being from a genuine user at organisation.com to the same genuine user at organisation.com, but the Received: from line shows some different external domain, and this varies between messages.

????

Ian McShane wrote:

OK, if you aren't sure whether they are genuine, then before you do anything I'd suggest you take a look through Exchange tracking to see if the external domain is sending DSNs in response to valid messages.

You could also look at some kind of Postfix milter for BATV.

--ian

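What a BATV milter actually does is easy to show without the milter plumbing. The block below is an added example, not code from this thread or from any existing Postfix milter: it implements the "prvs" tag from the BATV Internet-Draft (draft-levine-smtp-batv), in which the envelope sender user@domain is rewritten on the way out to prvs=KDDDSSSSSS=user@domain (K a one-digit key number, DDD the expiry day as days since the epoch mod 1000, SSSSSS the first six hex digits of HMAC-SHA1 over K, DDD and the original address), and on the way in any null-sender bounce whose RCPT TO lacks a valid, unexpired tag is rejected. The site key, key number, lifetime and clock values are made up for the example.

```python
"""BATV 'prvs' tagging of the envelope sender, and the check a Postfix milter
would make on inbound bounces.

Added example, not code from the thread or from any BATV milter.  It follows
the prvs scheme of the BATV Internet-Draft (draft-levine-smtp-batv).  The
key, key number, lifetime and timestamps below are assumptions.
"""
import hashlib
import hmac
import re
import time

KEYS = {0: b"replace-me-with-a-real-secret"}   # assumption: one site key, id 0
MAX_LIFETIME_DAYS = 7                           # assumption: tags live a week

_PRVS_RE = re.compile(
    r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-f]{6})=(?P<orig>.+@.+)$", re.I)


def _day_number(now):
    """Days since the Unix epoch (the draft's day counter before the mod 1000)."""
    return int(now // 86400)


def _signature(key_id, ddd, address):
    """First six hex digits of HMAC-SHA1 over K, DDD and the original address."""
    data = f"{key_id}{ddd:03d}{address}".encode()
    return hmac.new(KEYS[key_id], data, hashlib.sha1).hexdigest()[:6]


def batv_sign(address, key_id=0, lifetime_days=MAX_LIFETIME_DAYS, now=None):
    """Tag an outbound envelope sender (MAIL FROM) so later bounces can be checked."""
    now = time.time() if now is None else now
    ddd = (_day_number(now) + lifetime_days) % 1000
    return f"prvs={key_id}{ddd:03d}{_signature(key_id, ddd, address)}={address}"


def batv_verify(address, now=None):
    """Check the RCPT TO of an inbound bounce.

    Returns the original address if the tag is valid, False if the tag is
    forged or expired, and None if the address carries no prvs tag at all.
    """
    now = time.time() if now is None else now
    m = _PRVS_RE.match(address)
    if not m:
        return None
    key_id, ddd = int(m["k"]), int(m["ddd"])
    sig, original = m["sig"].lower(), m["orig"]
    if key_id not in KEYS:
        return False
    if not hmac.compare_digest(sig, _signature(key_id, ddd, original)):
        return False
    # DDD wraps every 1000 days; the tag is live if expiry is 0..MAX days ahead.
    days_left = (ddd - _day_number(now)) % 1000
    if days_left > MAX_LIFETIME_DAYS:
        return False
    return original


def accept_bounce(mail_from, rcpt_to, now=None):
    """Milter-style decision for a message with a null envelope sender.

    Non-bounce traffic (MAIL FROM not empty) is left to the normal filters;
    a bounce is accepted only if its RCPT TO carries a tag we signed that has
    not expired.  Everything else is backscatter for mail we never sent.
    """
    if mail_from not in ("", "<>"):
        return "continue"
    return "accept" if batv_verify(rcpt_to, now) else "reject"


if __name__ == "__main__":
    t0 = 1228608000.0                       # 2008-12-07 00:00:00 UTC, constructed
    tagged = batv_sign("joesmith@piit.co.uk", now=t0)
    print(tagged)
    print(accept_bounce("<>", tagged, now=t0 + 86400))         # accept
    print(accept_bounce("<>", "joesmith@piit.co.uk", now=t0))  # reject
```

The point of the scheme for this thread: a bounce addressed to a plain, untagged joesmith@piit.co.uk can only be a reply to mail that never left us, so it is rejected at RCPT TO and no "Undeliverable" lands in anyone's inbox. The tag is on the envelope sender only, so the user-visible From: header is unchanged; the cost is that every outbound path (Exchange via Postfix) must pass through the signer, or genuine bounces to untagged addresses will be refused too.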

Jesters wrote:

Thanks for the reply - these are definitely unwanted messages. There are no logs on Exchange about this mail that I can find, and the mail, when it arrives in Outlook, has no sender, with a subject of "Undeliverable: Order status". From my limited knowledge of the Symantec product/logs it looks like someone is almost trying to spoof our domain to send these messages to a user and the user ~ confusing for me


Delivery has failed to these recipients or distribution lists:

joesmith @piit.co.uk
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

X-AuditID: 0afe011b-000000b800000538-de-4939059c7df4
Received: from relay1.piit.co.uk ([192.168.253.20] RDNS failed) by
 ms-mail-hq-1.camelot.partners-in-it.co.uk with Microsoft
 SMTPSVC(6.0.3790.3959);  Fri, 5 Dec 2008 10:42:36 +0000
Received: from amantes.de (unknown [190.90.239.34])
 by relay1.piit.co.uk (Postfix) with SMTP id 051151382D2
 for <joesmith @ piit.co.uk>; Fri,  5 Dec 2008 10:42:34 +0000 (UTC)
To: <joesmith @ piit.co.uk>
Subject: Re: Order status
From: <joesmith @ piit.co.uk>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
Message-ID: <20081205104234.051151382D2 @ relay1 . piit. co. uk>
Date: Fri, 5 Dec 2008 10:42:34 +0000

Ian McShane wrote:

Here is our KB article "Eliminating backscatter messages with Symantec Brightmail Antispam 6.0.x or Symantec Brightmail Message Filter 6.1": http://tinyurl.com/6oj9o5

Hope that helps,

--ian

Message Edited by Ian Mcshane on 12-08-2008 09:46 AM
Jesters wrote:

The product we have is Symantec Mail Security for SMTP 5.0 on Windows 2003 Server, so unfortunately we couldn't find custom filters anywhere - any other ideas????

Brian Soto wrote:

I too am having a problem with one of my servers. It seems that someone has been able to find a technique that allows them to relay through SMS SMTP. We have SMS SMTP scan our email for spam/viruses, then forward it on to our Lotus Domino server. The Lotus Domino server rejects any email not destined for our domain (which it should, and SMS SMTP should as well). The following is what I have found works to relay through SMS SMTP. I have not figured out whether it is a genuine bug or whether we have somehow misconfigured SMS SMTP. We have been using it for a couple of years now with no configuration changes and no problems until now.

Please note the example:

Escape character is '^]'.
220 mailgateway2 Symantec Mail Security Wed, 7 Jan 2009 11:01:03 -0500
HELO notreal.com
250 mailgateway2 Hello [{REAL IP REMOVED}]
MAIL FROM: <SPAM@[111.111.111.111]>
250 SPAM@[111.111.111.111]....Sender OK
RCPT TO: <"SPAM@NOTREAL.COM">
250 "SPAM@NOTREAL.COM"@mailgateway2.{REAL DOMAIN REMOVED}
DATA
354 Start mail input; end with <CRLF>.<CRLF>
TEST
.
250 Queued mail for delivery
QUIT
221 mailgateway2 Service closing transmission channel
Connection closed by foreign host.
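The session above is easy to turn into a repeatable check against your own gateway. The Python below is an added example, not code from this post or from Symantec: it replays the same HELO / MAIL FROM / RCPT TO exchange over smtplib, stops before DATA so nothing is ever relayed, and recognises the tell-tale reply, a 250 that echoes the quoted string "SPAM@NOTREAL.COM" with the gateway's own hostname appended, which means the gateway treated a foreign address as a local user name and left it to the next hop to decide where it goes. Hostnames and domains are placeholders; the reply line in the test is the one quoted in the post with the real domain replaced by example.com.

```python
"""Replay the relay probe from the post against a gateway, and recognise the
tell-tale reply, without ever sending DATA.

Added example, not code from the thread or from Symantec.  Hostnames and
domains are placeholders (assumptions); the reply text used for testing is
the one quoted in the post with the real domain replaced by example.com.
"""
import re
import smtplib

PROBE_HELO = "notreal.com"
PROBE_SENDER = "<SPAM@[111.111.111.111]>"
PROBE_RCPT = '<"SPAM@NOTREAL.COM">'   # quoted local part hiding a foreign address


def quoted_foreign_local_part(reply, local_domains):
    """Return (quoted_local_part, appended_domain) when a reply shows the
    gateway accepted "user@other.tld" as a local part of one of its own
    domains, else None.

    In the post the reply was   250 "SPAM@NOTREAL.COM"@mailgateway2.<domain>
    i.e. the gateway kept the quoted string intact and appended its own
    hostname instead of rejecting a recipient it is not responsible for.
    """
    m = re.search(r'"([^"]*@[^"]*)"@([A-Za-z0-9.-]+)', reply)
    if not m:
        return None
    local_part, appended = m.group(1), m.group(2).lower()
    if any(appended == d or appended.endswith("." + d) for d in local_domains):
        return local_part, appended
    return None


def relay_suspected(code, reply, local_domains):
    """True when the gateway answered 250 and swallowed a foreign address as a
    quoted local part of its own domain."""
    return code == 250 and quoted_foreign_local_part(reply, local_domains) is not None


def probe_gateway(host, port=25, timeout=15):
    """Run HELO / MAIL FROM / RCPT TO exactly as in the post, then RSET and QUIT.

    Returns (rcpt_code, rcpt_reply).  No DATA is sent, so nothing is relayed
    even if the gateway would have accepted it.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.helo(PROBE_HELO)
        smtp.docmd("MAIL FROM:", PROBE_SENDER)
        code, reply = smtp.docmd("RCPT TO:", PROBE_RCPT)
        smtp.rset()
        return code, reply.decode("ascii", "replace")


if __name__ == "__main__":
    import sys
    # usage: python probe.py <gateway-host> <your-domain>
    code, reply = probe_gateway(sys.argv[1])
    print(code, reply)
    print("relay suspected" if relay_suspected(code, reply, {sys.argv[2]})
          else "clean")
```

The probe reports "suspected" rather than "open relay" on purpose: the 250 only proves the gateway accepted a recipient it should have refused at RCPT TO; whether the message then leaves the organisation depends on what the next hop (here Domino) does with the quoted local part. A gateway that is doing its job answers the RCPT TO with a 5xx relay-denied reply, which the check treats as clean.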
Laeek wrote:

Hi,

The NDR which you are receiving is a spoofed NDR. To block such mails at the gateway itself, you need to create a content compliance policy.

i.e. if the From address contains the envelope sender postmaster@yourdomain.com, then hold the message in Spam Quarantine,

and if the subject contains "undeliverable", then hold the message in Spam Quarantine.

I have created this policy and it works; you can try the same and I am sure that your problem will get resolved.

Laeek wrote:

Hi,

The NDR which you are receiving is a spoofed NDR, because an NDR doesn't come from the appliance in your domain.com; it comes from the sender's domain.com. For clarification you can double-click on System Administrator and check the envelope address.