Q: Microsoft Exchange Administration ( Answered,   3 Comments )
Question  
Subject: Microsoft Exchange Administration
Category: Computers
Asked by: jackiei-ga
List Price: $100.00
Posted: 09 Oct 2004 11:46 PDT
Expires: 08 Nov 2004 10:46 PST
Question ID: 412532
How can I find out if someone is using my mail server to forward
messages, and who they are? Destination Host shows onesfamily.net,
Originator shows <>. And how do I stop them?
Answer  
Subject: Re: Microsoft Exchange Administration
Answered By: leapinglizard-ga on 12 Oct 2004 19:54 PDT
 
Dear jackiei,

I have good news and bad news. The bad news is that it may not be possible
to determine who is abusing your email server. The good news is that
it is not necessary or even helpful to know who they are, since you can
stop the abuse regardless by installing a recent Exchange service pack from
Microsoft Support.

There is no surefire method to determine the originator of a forged email
message. As with counterfeit money, although there are general trends,
each case has unique details. But unlike fake bills, if the email forgery
is carried out by especially proficient hackers, there will be no way
at all to determine where it came from, since the email protocol, called
SMTP, is not designed to ensure proof of sender or of recipient.

There are, however, general guidelines that can help you find out where
a piece of email came from if the perpetrators were not sufficiently
careful in covering their traces. According to the Carnegie Mellon CERT
Coordination Center, a national clearinghouse for computer-security
advisories and research, you should peruse the full email header to see
what servers it passed through on its way to you. The header is easily
falsified, however. You can also scan the tcp_wrapper, ident, and sendmail
logs of Microsoft Exchange in search of clues to the sender's identity.

The CERT Coordination Center recommends that you send a copy of any
spoofed message to them for recordkeeping and possible analysis.

"3. Follow up with other sites involved in this activity, if you can
identify the sites. Contact them to alert them to the activity and help
them determine the source of the original email.

"We would appreciate a cc to cert@cert.org on your messages; this
facilitates our work on incidents and helps us relate ongoing intruder
activities.

"... To find site contact information, please refer to

"http://www.cert.org/tech_tips/finding_site_contacts.html

"You may also want to contact the postmaster at sites that may be
involved. Send email to

"postmaster@[host.]site.domain (for example, postmaster@cert.org)

"Please include a copy of this document in your message to sites."

CERT Coordination Center: Spoofed/Forged Email: What You Can Do: Reaction
http://www.cert.org/tech_tips/email_spoofing.html

The best solution to the problem of spoofed, forged, and spammed messages
is not to approach the perpetrator, since there is not much you can do
short of filing a lawsuit, but to erect technological barriers against all
such miscreants. The particular case you describe, where the Originator
of a message is blank and the Destination Host is someone unknown to you,
is well known to Windows system administrators. It is a symptom of one
of the techniques spammers use to get their email delivered from someone
else's server, in the hope of avoiding detection or filtering by the
intended recipient's security software.

The idea is that the spammer sends email with a bogus recipient name
to your mail server, which, upon finding that it cannot make delivery,
returns the message to its putative sender. But the header has been
forged, so the email is in fact sent to its true recipient, which the
spammer falsely identified as the sender. In such a scheme, you are not
the target of the spam, but merely the man in the middle.

The following web page describes the phenomenon you have experienced,
calling it a "Reverse NDR attack".

"What is a reverse NDR attack?

"Spammers have a new means to avoid filters built into many systems.
They take advantage of a mail system's sending of a non-delivery report
(NDR) when a message cannot be delivered as addressed, which returns the
original contents.

"How do I know that my server is suffering from a Reverse NDR attack?

"... Take note of the originator in the outbound queue; if you see <>
under originator, 99% of the time it will be a spam mail that has generated
an NDR. If you see hundreds/thousands of these, then you are most likely
suffering an RNDR attack on your Exchange server."

Tek-Tips Forums: Non-Delivery Reports: How do I combat a Reverse NDR attack?
http://www.tek-tips.com/faqs.cfm?pid=10&fid=5018

Although Exchange originally did not support any options for suppressing
this method of spam delivery, Microsoft has since released a relevant
software patch. You can obtain this patch, numbered KB837794, at no cost
from Microsoft Support.

"An update to Microsoft Exchange Server 5.5 is available that introduces
a new feature that you can use to control how non-delivery reports (NDR)
are processed by the Internet Mail Service. After you apply the hotfix
that is described in this article, add the SuppressNDROptions registry
entry to the following registry subkey. Then, set the SuppressNDROptions
registry entry to the appropriate value, depending on whether you want
the Internet Mail Service to suppress or deliver NDRs:

"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIMC\Parameters"

"... This hotfix requires Microsoft Exchange Server 5.5 Service Pack 4 (SP4)."

Update available in Exchange Server 5.5 to control whether the
Internet Mail Service suppresses or delivers NDRs
http://support.microsoft.com/?kbid=837794

To carry out the instructions given on the page above, you can download
the necessary service pack, Exchange Server 5.5 Service Pack 4, from
the following page.

Microsoft Windows Server System: Exchange Server 5.5 Service Pack 4 Overview
http://www.microsoft.com/exchange/downloads/55/sp4.asp

A more elaborate solution that requires extensive technical expertise,
but holds great promise in the long run, is to subscribe to the Sender
Policy Framework, which imposes industrial-strength cryptographic
requirements on email authentication.

SPF: Sender Policy Framework
http://spf.pobox.com/

In the meantime, the Exchange Server 5.5 Service Pack 4 should do the
trick of suppressing the bouncing of spam messages from your server.

If you feel that my answer is incomplete or inaccurate in any way, please
post a Clarification Request so that I have a chance to meet your needs
before you assign a rating.

Regards,

leapinglizard


Search Queries:

exchange originator <>
://www.google.com/search?hl=en&q=exchange+originator+%3C%3E

forged email
://www.google.com/search?hl=en&lr=&c2coff=1&q=forged+email
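The queue pattern the answer and the Tek-Tips FAQ describe (many entries with a blank originator `<>` headed for one destination host) can be checked mechanically. The following is an added example, not code from the answer or from Microsoft; it assumes the outbound queue has been exported as tab-separated lines with the columns Originator, Destination Host, Recipient, Timestamp, which is a constructed layout rather than Exchange's own export format.

```python
"""Flag a likely reverse-NDR (backscatter) pattern in an outbound mail queue.

Assumed, constructed input layout (not an Exchange export format):
Originator <TAB> Destination Host <TAB> Recipient <TAB> Timestamp
"""
from collections import Counter

# Constructed sample queue: three NDRs (empty originator "<>") bound for one
# external host, one genuine outbound message, one NDR to a second host.
SAMPLE_QUEUE = """\
<>\tonesfamily.net\tbob1234@onesfamily.net\t2004-10-09 11:01
<>\tonesfamily.net\tbob1235@onesfamily.net\t2004-10-09 11:01
<>\tonesfamily.net\tbob1236@onesfamily.net\t2004-10-09 11:02
alice@example.com\tpartner.example\tcarol@partner.example\t2004-10-09 11:03
<>\tmail.example.org\tdave@mail.example.org\t2004-10-09 11:04
"""

def parse_queue(text):
    """Yield (originator, dest_host, recipient) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        originator, dest_host, recipient, _timestamp = line.split("\t")
        yield originator.strip(), dest_host.strip().lower(), recipient.strip()

def ndr_stats(text):
    """Return (ndr_count, total_count, ndrs_per_destination_host)."""
    total = 0
    per_host = Counter()
    for originator, dest_host, _recipient in parse_queue(text):
        total += 1
        if originator == "<>":      # null reverse-path: a bounce / NDR
            per_host[dest_host] += 1
    return sum(per_host.values()), total, per_host

def suspect_hosts(text, min_ndrs=3, min_ratio=0.5):
    """Destination hosts receiving at least min_ndrs NDRs while NDRs make up
    at least min_ratio of the queue. The FAQ's signature is hundreds or
    thousands of '<>' entries; the small thresholds here suit the sample."""
    ndrs, total, per_host = ndr_stats(text)
    if total == 0 or ndrs / total < min_ratio:
        return []
    return sorted(host for host, n in per_host.items() if n >= min_ndrs)

if __name__ == "__main__":
    print(ndr_stats(SAMPLE_QUEUE))
    print(suspect_hosts(SAMPLE_QUEUE))
```

Hosts returned by `suspect_hosts` are the ones whose bounces are worth holding back (for example via the SuppressNDROptions hotfix the answer cites) rather than the spam's true sender, which the forged envelope does not reveal.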
Comments  
Subject: Re: Microsoft Exchange Administration
From: braghettobrasil-ga on 09 Oct 2004 13:27 PDT
 
Easy!! :)

<> is a bounce message...

For example: If I send a mail to your organization and this e-mail is
not valid (does not exist), mailbox full, or other errors, the "Mail
Server" (software) automatically sends a "Bounce".

Bounce is a message to the "source", notifying that the e-mail cannot be delivered...

Nowadays, because SPAM (that uses a "scanning technique")
leads to a very large amount of "bounce" messages... It is OK, this is
NOT A SECURITY problem, this is NOT an Exchange problem... it is normal.

However, in our ISP, 60% of "sent messages" are "Bounce messages".
Subject: Re: Microsoft Exchange Administration
From: gf999111-ga on 10 Oct 2004 20:28 PDT
 
Depends on your version of Exchange server.
In order to use your server to send an email, your server must be set up
to relay email. By default it is not. You can do a search for "stop
email relay" and your version of Exchange server to get more
information. Unless you set it up to allow relaying, more than likely
it is not.
Subject: Re: Microsoft Exchange Administration
From: firefighterling-ga on 20 Oct 2004 20:01 PDT
 
gf999111 is correct. Disable mail relaying, and this won't be an
issue. In Exchange 5.5, this is fairly simple. I am not sure (yet)
with 2000 or 2003, but it can't be any harder. I used to get a lot of
relaying from our server, and was even notified that we would be
banned if we did not disable it. Since then, we have not had any
problems.

:-)
