undeliverable mail... stumped

[mmartinez]

We are using Outlook 2003 w/ exchange 2003 latest patches.. I have a guy that started receiving undeliverable messages with titles advertising rolex's and the usual sexual enhancement drugs. I have scanned the machine with Avg Anti-Spyware, spybot, rouge remover, malwarbytes anti-malware, norton corp 10. None of these have turned up anything.

here is one of the messages:

From: System AdministratorSent: Monday, April 07, 2008 12:25 AMTo: cnying.pd.jaring.my@mbox.jaring.mySubject: Undeliverable: ***SPAM*** Rolex
Your message did not reach some or all of the intended recipients.
	  Subject:  ***SPAM*** Rolex
	  Sent:	 4/6/2008 10:36 PM
The following recipient(s) could not be reached:
	  cnying.pd.jaring.my@mbox.jaring.my on 4/7/2008 12:24 AM
			The e-mail system was unable to deliver the message, but did not report a specific reason.  Check the address and try again.  If it still fails, contact your system administrator.
			< mx9.jaring.my #5.0.0 X-Unix; 79>

Anyone have any ideas?

Thanks.

[AdvancedSetup]

Well you would need to review the header information of the message and check on the dates.

It could be that at one time the machine was infected and mail sat at some remote mail server that was offline for a while.

Maybe also try checking or deleting the users N2K file for Outlook.

NK2View v1.21 - View/Delete/Edit Outlook .NK2 AutoComplete Information

Copyright © 2007 - 2008 Nir Sofer

NK2View v1.21

You could also try deleting the temporary files in case some new variant is on the system not being detected.

• Follow these instructions carefully.
• Download ATF-Cleaner from Snapfiles.com to remove un-needed temporary files from your computer that may contain malware.
  
• You can also download it from Majorgeeks.com
  
• When you run ATF-Cleaner, check the items as shown below for Main.
  
• For FireFox, be sure to click on the FireFox tab on top and check the items as shown below for FireFox
  
• NOTE: If you don't have FireFox or Opera installed then they will be grayed out and can be ignored
  
• Then click on "Empty Selected".
  

.

Then maybe try a NOD32 scan using Internet Explorer. They often have a much higher success rate on scans than Symantec AV

• Run an online scan with Eset from http://www.eset.com/onlinescan
• You must use Internet Explorer for this online scan. FireFox, Opera, etc will not work for this scan.
  
• Accept the terms and click "Start".
  
• Once the scanner is ready, check "Remove found threats" AND "Scan unwanted applications".
  
• Click "Start" to begin the scan.
  
• When completed restart your computer
  

.

[mmartinez]

I will give your tool a shot tomorrow. He's still receiving these messages 100-300 a day.

[AdvancedSetup]

Well then if he's GETTING these files I doubt the above will help. There appears to be something else going on there.

If you look at the HEADER (the real information about the message information) though it should have more relevant information on where/how the mail is coming/going to back and forth.

Also check his/her RULES - probably also not the issue but doesn't hurt to look.

Sounds more like he's on some SPAM mail list and he just needs to filter it out.

[mmartinez]

Alright sir. I've ran ATF and I have a message headers for you. NOTE: he said he didn't have any in his inbox this morning, this is from yesterday.

Microsoft Mail Internet Headers Version 2.0

X-Ninja-PIM: Scanned by Ninja

X-Ninja-AttachmentFiltering: Policy 3 - no action (inbound)

Received: from kv49fw.kvpfalz.de ([213.183.78.150]) by mail.rdi3.com with Microsoft SMTPSVC(6.0.3790.3959);

Thu, 10 Apr 2008 05:30:00 -0500

Received: by kv49fw.kvpfalz.de (Postfix)

id 04557A26C88; Thu, 10 Apr 2008 08:45:05 +0200 (CEST)

Date: Thu, 10 Apr 2008 08:45:05 +0200 (CEST)

From: MAILER-DAEMON@kvpfalz.de (Mail Delivery System)

Subject: Undelivered Mail Returned to Sender

To: shamilton@rdindustries.com

MIME-Version: 1.0

Content-Type: multipart/report;

boundary="90B14A4844E.1207809905/kv49fw.kvpfalz.de";

report-type="delivery-status"

Message-Id: <20080410064505.04557A26C88@kv49fw.kvpfalz.de>

Return-Path: <>

X-OriginalArrivalTime: 10 Apr 2008 10:30:01.0274 (UTC) FILETIME=[D51669A0:01C89AF5]

--90B14A4844E.1207809905/kv49fw.kvpfalz.de

Content-Description: Notification

Content-Type: text/plain

--90B14A4844E.1207809905/kv49fw.kvpfalz.de

Content-Description: Delivery error report

Content-Type: message/delivery-status

Content-Disposition: attachment

--90B14A4844E.1207809905/kv49fw.kvpfalz.de

Content-Description: Undelivered Message

Content-Type: message/rfc822

Content-Disposition: attachment

Received: from 118.78.3.30 (unknown [118.78.3.30])

by kv49fw.kvpfalz.de (Postfix) with ESMTP id 90B14A4844E

for <monika.trostnn@kvpfalz.de>; Wed, 9 Apr 2008 13:01:09 +0200 (CEST)

Message-ID: <000601c89a3d$05bd53f3$9ec2a3b9@aovkwrhl>

From: "johnathan dorit" <shamilton@rdindustries.com>

To: <monika.trostnn@kvpfalz.de>

Subject: High-quality replicas of the best clock of the world!! Suggestion for shamilton!!

Date: Wed, 09 Apr 2008 10:42:11 +0000

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----=_NextPart_000_0003_01C89A3D.05B73DE7"

X-Priority: 3

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2900.3138

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

------=_NextPart_000_0003_01C89A3D.05B73DE7

Content-Type: text/plain;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_0003_01C89A3D.05B73DE7

Content-Type: text/html;

charset="iso-8859-1"

Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_0003_01C89A3D.05B73DE7--

--90B14A4844E.1207809905/kv49fw.kvpfalz.de

[mmartinez]

here is another one... this line in particular caught my eye: "Received: from localhost (localhost)"

Microsoft Mail Internet Headers Version 2.0
X-Ninja-PIM: Scanned by Ninja
X-Ninja-AttachmentFiltering: Policy 3 - no action (inbound)
Received: from ns1.nic.ag ([66.101.197.226]) by mail.rdi3.com with Microsoft SMTPSVC(6.0.3790.3959);
			 Wed, 9 Apr 2008 18:14:04 -0500
Received: from localhost (localhost)
			by ns1.nic.ag (8.11.6/8.11.6) id m39MJbG21811;
			Wed, 9 Apr 2008 18:54:03 -0400
Date: Wed, 9 Apr 2008 18:54:03 -0400
From: Mail Delivery Subsystem <MAILER-DAEMON@ns1.nic.ag>
Message-Id: <200804092254.m39MJbG21811@ns1.nic.ag>
To: <shamilton@rdindustries.com>
MIME-Version: 1.0
Content-Type: multipart/report;
			 boundary="m39MJbG21811.1207781643/ns1.nic.ag";
			 report-type="delivery-status"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
Return-Path: <>
X-OriginalArrivalTime: 09 Apr 2008 23:14:04.0230 (UTC) FILETIME=[67349E60:01C89A97]

--m39MJbG21811.1207781643/ns1.nic.ag

--m39MJbG21811.1207781643/ns1.nic.ag
Content-Type: message/delivery-status
Content-Disposition: attachment

--m39MJbG21811.1207781643/ns1.nic.ag
Content-Type: message/rfc822
Content-Disposition: attachment

Return-Path: <shamilton@rdindustries.com>
Received: from 166.180.196-77.rev.gaoland.net (166.180.196-77.rev.gaoland.net [77.196.180.166] (may be forged))
			by www.nic.ag (8.11.6/8.11.6) with ESMTP id m39GfkA13192
			for <registrarsd@nic.ag>; Wed, 9 Apr 2008 12:41:46 -0400
Message-ID: <000501c89a63$043eddee$8f37b0a5@wlpfarkr>
From: "Exceptional Watches" <shamilton@rdindustries.com>
To: "Rolex Replica" <registrarsd@nic.ag>
Subject: Tag Heuer Watches
Date: Wed, 09 Apr 2008 15:12:29 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
			boundary="----=_NextPart_000_0002_01C89A63.043BA230"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

------=_NextPart_000_0002_01C89A63.043BA230
Content-Type: text/plain;
			charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_0002_01C89A63.043BA230
Content-Type: text/html;
			charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


------=_NextPart_000_0002_01C89A63.043BA230--

--m39MJbG21811.1207781643/ns1.nic.ag--

[AdvancedSetup]

Well to me these just look like SPAM messages that he is getting. It does not look like he actually sent mail.

Let us know if he continues to get a high volume of messages, but I would think that it was just a mishap and hopefully now the user won't have the issue after you've cleaned it up and rebooted the system.

If he does continue to get a lot of SPAM then you might want to look at some type of filtering software to help combat it.

[mmartinez]

He got one an hour or so after I did the cleanup on his machine. As you can see by the header we have spamassassin running on the server. Does anyone else have a second opinion?

[RubbeR DuckY]

If the volume continues, I would strongly suggest changing e-mail addresses or installing a higher powered spam filter.

[YoKenny1]

Well then if he's GETTING these files I doubt the above will help. There appears to be something else going on there.

If you look at the HEADER (the real information about the message information) though it should have more relevant information on where/how the mail is coming/going to back and forth.

Also check his/her RULES - probably also not the issue but doesn't hurt to look.

Sounds more like he's on some SPAM mail list and he just needs to filter it out.

I want to point out that SPAM is a registered trademark of Hormel Foods, LLC.