# Returned Email Message



## 22moondune (Aug 2, 2008)

We have a user at work that keeps receiving this email message in MS Outlook. I am wondering what the cause of this is, how to deal with it, and if it is a huge security risk. I have run spyware detection programs, but none were able to locate any spyware on his computer (Spybot, Ad Aware). It says something about spoofing at the bottom of the email message. Any help would be very much appreciated. Thanks. Here is the message:

(I put in a generic name and took out the IP Address at the bottom for security purposes.)


From: Mail Delivery System [mailto:[email protected]]
Sent: Saturday, July 19, 2008 1:32 PM
To: John Smith
Subject: Undelivered Mail Returned to Sender

This is the mail system at host host2.healthjobsusa.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

<[email protected]>: host Exchange server and IP address were here said: 553 The
sender is spoofed. (in reply to MAIL FROM command)


----------



## Cellus (Aug 31, 2006)

First and foremost, is the user actually sending e-mails to that domain?

While this undeliverable message "might" be legitimate, there is cause for concern in noting that it could very well not be (especially if it actually sends things to you as an attachment).


----------



## 22moondune (Aug 2, 2008)

Thanks for the help. The user had brought the issue to my attention. He advised that he was not sending any email messages to this domain. I got into his computer and checked his sent mail and, just like he said, nothing showed up in his sent mail. I also noticed that there was something attached to the email as well. Any suggestions on what the next steps I should take are?


----------



## grue155 (May 29, 2008)

22moondune said:


> <[email protected]>: host Exchange server and IP address were here said: 553 The
> sender is spoofed. (in reply to MAIL FROM command)


The SMTP 553 text is an indication that the Exchange mail server believes the email to be "backscatter". Email spam uses forged addresses to send mail. When that forged sender happens to be a real user, that real user will get the bounce message. Some more details at http://en.wikipedia.org/wiki/Backscatter_(e-mail)

If the Exchange server included the mail headers in the bounce message, then you can use the Received: lines to trace back to the injection point, with the understanding that spammers will forge the Received: lines so as to mislead any such traceback.

On the possibility of malware being on the user machine, recognize that malware will quite often include its own SMTP engine, so nothing will show in the user records. To catch that, you either need to watch traffic on the wire with a network monitor like Wireshark, or have all email traffic firewalled so all inbound and outbound mail goes through a chokepoint server that keeps logs.

In this instance, I'd be more inclined to believe this is backscatter.
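
The triage described in the post above, as an added example that is not code from this thread or from any product mentioned in it: it parses a constructed Postfix-style `multipart/report` bounce, pulls out the SMTP reply that caused the rejection (here a 553 at `MAIL FROM`), walks the returned message's `Received:` chain newest-first and stops at the first hop that was not stamped by a host we can vouch for, then asks whether the message ever left our own network. Every host name, IP address, mailbox and the `OUR_MTAS` / `OUR_EGRESS_IPS` sets are assumptions made up for the example. The last function restates the rejecting server's "sender is spoofed" rule as a check of its own.

```python
"""Triage a Postfix-style 'Undelivered Mail Returned to Sender' bounce.

Added example, not code from the thread. All hosts, IPs and addresses below
are constructed; OUR_MTAS / OUR_EGRESS_IPS stand in for your own relays.
"""
import email
import re
from email import policy

OUR_MTAS = {"mail.example.com"}        # assumed: hosts that stamp Received: for us
OUR_EGRESS_IPS = {"203.0.113.10"}      # assumed: IPs our outbound mail comes from

# "host NAME[IP] said: 553 text (in reply to MAIL FROM command)"
SAID_RE = re.compile(
    r"host\s+(?P<host>[^\s\[]+)(?:\[(?P<ip>[^\]]+)\])?\s+said:\s*(?P<code>\d{3})"
    r"\s+(?P<text>.*?)\s*\(in reply to (?P<cmd>[^)]*)\)", re.S)
# "from HELO (rdns [IP]) by STAMPING-HOST ..."
RECV_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s*\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed bounce: host2 accepted a message that forged john.smith as the
# envelope sender, then got a 553 when it tried to relay it onward.
BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@host2.example.net>
To: john.smith@example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain; charset=us-ascii

This is the mail system at host host2.example.net.

<someone@example.org>: host mx.example.org[198.51.100.5] said: 553 The
    sender is spoofed. (in reply to MAIL FROM command)

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; host2.example.net

Final-Recipient: rfc822; someone@example.org
Action: failed
Status: 5.0.0
Diagnostic-Code: smtp; 553 The sender is spoofed.

--B1
Content-Type: text/rfc822-headers

Return-Path: <john.smith@example.com>
Received: from pc77.example.isp (unknown [192.0.2.77])
    by host2.example.net (Postfix) with ESMTP; Sat, 19 Jul 2008 13:31:40 -0400
Received: from mail.example.com (mail.example.com [203.0.113.10])
    by pc77.example.isp with SMTP; Sat, 19 Jul 2008 13:30:02 -0400
From: John Smith <john.smith@example.com>
To: someone@example.org
Subject: hello

--B1--
"""


def parse_bounce(raw):
    """Return the SMTP reply, the Reporting-MTA and the returned message's
    Received: headers (newest first) from a multipart/report DSN."""
    msg = email.message_from_string(raw, policy=policy.default)
    out = {"reply": None, "reporting_mta": None, "received": []}
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "text/plain":                      # human-readable report
            m = SAID_RE.search(part.get_content())
            if m:
                out["reply"] = {"host": m["host"], "ip": m["ip"], "code": int(m["code"]),
                                "text": " ".join(m["text"].split()),
                                "command": m["cmd"].strip()}
        elif ctype == "message/delivery-status":       # parsed into header-only blocks
            for block in part.get_payload():
                if block["Reporting-MTA"]:
                    out["reporting_mta"] = block["Reporting-MTA"].split(";")[-1].strip()
        elif ctype in ("text/rfc822-headers", "message/rfc822"):
            inner = part.get_content()                 # str for rfc822-headers
            if isinstance(inner, str):
                inner = email.message_from_string(inner, policy=policy.default)
            out["received"] = [" ".join(h.split()) for h in inner.get_all("Received", [])]
    return out


def trace_injection(received, trusted_by):
    """Walk Received: newest-first. A hop is only as credible as the host that
    stamped it ('by ...'), so stop at the first stamp we cannot vouch for and
    return the connecting IP recorded by the deepest credible hop."""
    injection_ip = None
    for hdr in received:
        m = RECV_RE.search(hdr)
        if not m or m["by"].lower() not in trusted_by:
            break                                      # forged or unknown stamp
        ips = IP_RE.findall(m["paren"] or "") or IP_RE.findall(m["helo"])
        if ips:
            injection_ip = ips[0]
    return injection_ip


def classify(raw, our_mtas=OUR_MTAS, our_ips=OUR_EGRESS_IPS):
    """Backscatter if the deepest credible hop is not one of our own IPs."""
    info = parse_bounce(raw)
    trusted = {h.lower() for h in our_mtas}
    if info["reporting_mta"]:      # its stamp is as trustworthy as the bouncing host itself
        trusted.add(info["reporting_mta"].lower())
    ip = trace_injection(info["received"], trusted)
    if ip is None:
        verdict = "no credible Received: chain; treat as backscatter but check relay logs"
    elif ip in our_ips:
        verdict = "left our network: check relay logs and the workstation for an SMTP engine"
    else:
        verdict = "backscatter: injected from %s, never passed through our relays" % ip
    info.update(injection_ip=ip, verdict=verdict)
    return info


def check_mail_from(mail_from, peer_ip, our_domain="example.com", our_ips=OUR_EGRESS_IPS):
    """The rejecting server's rule, restated: an envelope sender in our own
    domain is accepted only from our own outbound IPs; otherwise reply 553."""
    domain = mail_from.strip("<>").rsplit("@", 1)[-1].lower()
    if domain == our_domain and peer_ip not in our_ips:
        return "553 The sender is spoofed."
    return None


if __name__ == "__main__":
    result = classify(BOUNCE)
    print(result["reply"])
    print("injection point:", result["injection_ip"])
    print("verdict:", result["verdict"])
    print(check_mail_from("<john.smith@example.com>", "198.51.100.77"))
```

The chain stops being credible at the second `Received:` line: it claims the message came from `mail.example.com`, but it was stamped by `pc77.example.isp`, which nobody in our chain vouches for, so that claim is ignored and the injection point is the 192.0.2.77 that host2 itself recorded. If that IP had instead been one of `OUR_EGRESS_IPS`, the message really did leave our network and the workstation or relay logs are the next stop. Keep in mind that the reporting MTA is trusted only because the bounce itself arrived from it; a bounce that is entirely forged (the concern raised earlier in the thread) carries no credible hops at all, which is why the `None` case is handled separately.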


----------



## sobeit (Nov 11, 2007)

simply put, some spammer is using the user's email address in the return section of the account. The reality is, there is nothing you can do - just wait and it should stop in a few days.


----------



## grue155 (May 29, 2008)

sobeit said:


> simply put, some spammer is using the user's email address in the return section of the account. The reality is, there is nothing you can do - just wait and it should stop in a few days.


In my experience, once spammers start using an email address, it will remain on their use-this list until the Sun goes dark. The only viable alternatives found here, so far, are to either block all email for that userid, or to replace that userid with another. The choice depends on the volume of junk received. But the junk will not go away.


----------



## sobeit (Nov 11, 2007)

grue155 said:


> In my experience, once spammers start using an email address, it will remain on their use-this list until the Sun goes dark. The only viable alternatives found here, so far, are to either block all email for that userid, or to replace that userid with another. The choice depends on the volume of junk received. But the junk will not go away.


It's been my experience that they eventually move on to other accounts. I could not tell you the number of times it has happened to me with all the different email accounts I have. I would get them for a few days to a week, then it would come to a stop.

Yes, you can block it using the rules or indicate that it's spam, but that would also block valid returns. It's a choice.


----------



## 22moondune (Aug 2, 2008)

Thanks for the help everyone. I think I might have figured out the error. The user that reported this sent me the email, but the attachments had been stripped at that point. I got into his computer to see and opened the attachment. (I thoroughly scanned it with anti-virus software before this) We run Symantec at the office, but I assume a virus would have been caught in our Spam filter if that was the case. Anyway, in the attachment, I think it was the original email sent from Absolutely Health Care [[email protected]]. I ended up unsubscribing the user from a mailing list. I'm pretty sure that this fixed the problem, but only time will tell. Again, thanks for your help everyone. : )


----------

