Question : Cell phone spam or something!

Hi,
We keep getting tons of these e-mails pouring into one of our mailboxes all of a sudden (see below).  I have performed the open relay test on our Exchange 2003 SP2 server and we are NOT an open relay.  I cannot understand what is happening.  I have checked event logs and I am receiving lots of event id 7004 and 3022.  Does anyone have any idea what is causing this and how to stop it?  We are currently running GFI Mail Essentials which usually does a great job.  Thanks in advance!

The e-mail we receive...

From: System Administrator
Sent: Thursday, March 20, 2008 12:17 PM
To: [email protected]ar.net
Subject: Undeliverable: offer
Your message did not reach some or all of the intended recipients.
      Subject:  offer
      Sent:     3/20/2008 11:45 AM
The following recipient(s) could not be reached:
      [email protected]ar.net on 3/20/2008 12:17 PM
            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            lar.net>>

event id 3022...

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      NDR
Event ID:      3022
Date:            3/19/2008
Time:            5:22:26 PM
User:            N/A
Computer:      ABSEMAIL
Description:
A non-delivery report with a status code of 5.5.0 was generated for recipient rfc822;[email protected]ycingular.net (Message-ID [email protected]s-sca.com>).  
Cause:  This message indicates a generic protocol error (SMTP error).  For example, the remote SMTP responds to an issued EHLO with a 500 level error and the sending system will QUIT the connection and report this with NDR indicating the remote SMTP server canÆt handle the protocol.    
Solution:  View the SMTP log or run a netmon trace to see why the remote SMTP server rejects the protocol request.

event id 7004...

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7004
Date:            3/19/2008
Time:            5:22:21 PM
User:            N/A
Computer:      ABSEMAIL
Description:
This is an SMTP protocol error log for virtual server ID 1, connection #3581. The remote host "66.102.165.114", responded to the SMTP command "rcpt" with "550 Invalid recipient: <[email protected]lar.net>  ". The full command sent was "RCPT TO:<[email protected]ngular.net>  ".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

Answer : Cell phone spam or something!

Being an open relay will probably not result in a lot of incoming mails as NDRs typically go to the address entered as "FROM", not to the relaying server.

This looks like a case of NDR spam, insofar as I suspect that a spammer has decided to enter an address in your domain as the "FROM" address in their spam messages, and any NDRs that are created at the receiving domains will go to the purported sender > you. Bad luck...
/RID
Random Solutions  
 
programming4us programming4us