Today a friend asked me to look at something strange he found in his logs.
To better understand the situation, I’ll describe his network setup:
He runs a Linux server with Postfix, SpamAssassin and ClamAV that filters out the spam and viruses received from the Internet. All legitimate e-mail is then routed to his Exchange server. E-mail sent by users on his network is relayed back to the Linux server, which delivers it to the destination.
Last week he was checking the mail logs on his Linux machine and noticed that his box was receiving e-mail from strange e-mail addresses. He figured: well, no surprise there, probably spam messages. Until he looked at the IP address it originated from: it was the IP address of his own Exchange server. The first thing he did was a full virus scan of his Exchange server. Nothing. He tried some spyware scanners, but again: nothing. So he called me.
The first thing I suspected was a malicious client in his network that was using his Exchange server to relay spam. So I configured Exchange to only accept SMTP connections from his Linux box. But after a few minutes the logs again showed messages to strange e-mail addresses originating from his Exchange box, so the source was not another client on the network.
I looked at the logs again and noticed that only a few messages per hour were sent. If a malicious program had been sending them, it would probably have sent over a thousand an hour. Then I searched the log for the strange e-mail address. It popped up a few minutes earlier in the same log, as the sender of an incoming message. Then I noticed the e-mail address that incoming message had been sent to, and it hit me: that e-mail address did not exist on the Exchange server.
What had happened was that the Linux server had blindly forwarded the spam messages to the Exchange server. The Exchange server looked up the recipient but did not find it, so it generated a non-delivery report (NDR) telling the sender that the recipient did not exist and handed it to the Linux server. The Linux server then sent it on to the "sender", although that address was almost certainly forged and not the real sender. Bounces like these, delivered to an innocent third party whose address was forged by a spammer, are known as backscatter.
So don't freak out if you see a few e-mails originating from your Exchange server to strange e-mail addresses. It could be normal behaviour! It is still worth fixing, though, because the gateway is bouncing mail to forged addresses: give the Linux server the list of valid Exchange recipients (in Postfix, via relay_recipient_maps) so that it rejects unknown recipients during the SMTP session instead of accepting the message and bouncing it afterwards.
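The correlation done by hand above (find the earlier inbound message whose sender is now the recipient of a message coming from Exchange) can be scripted against the Postfix log. The following Python is added here as an illustration and is not part of the original post; the Exchange address 192.0.2.10, the domain example.com, the one-hour window and the log lines themselves are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumptions for this example: the internal Exchange server's IP, the domain it
# hosts, how long after an inbound message a bounce may plausibly follow, and the
# year (syslog timestamps carry none).
EXCHANGE_IP = "192.0.2.10"
LOCAL_DOMAIN = "example.com"
WINDOW_SECONDS = 3600
LOG_YEAR = 2024

# Constructed Postfix log excerpt (not from the original post). A1B2C3D4E5 is inbound
# spam to a non-existent mailbox, F6E5D4C3B2 is the bounce Exchange sends back, and
# 0011223344 is ordinary outbound mail from a real user.
SAMPLE_LOG = """\
Jan 12 10:03:11 gw postfix/smtpd[1234]: A1B2C3D4E5: client=unknown[198.51.100.23]
Jan 12 10:03:11 gw postfix/qmgr[1100]: A1B2C3D4E5: from=<bob@example.net>, size=2048, nrcpt=1 (queue active)
Jan 12 10:03:12 gw postfix/smtp[1250]: A1B2C3D4E5: to=<nosuchuser@example.com>, relay=exchange.example.com[192.0.2.10]:25, delay=0.5, dsn=2.0.0, status=sent (250 Queued)
Jan 12 10:05:40 gw postfix/smtpd[1234]: F6E5D4C3B2: client=exchange.example.com[192.0.2.10]
Jan 12 10:05:40 gw postfix/qmgr[1100]: F6E5D4C3B2: from=<>, size=3000, nrcpt=1 (queue active)
Jan 12 10:05:41 gw postfix/smtp[1251]: F6E5D4C3B2: to=<bob@example.net>, relay=mail.example.net[203.0.113.5]:25, delay=0.8, dsn=2.0.0, status=sent (250 OK)
Jan 12 10:20:02 gw postfix/smtpd[1235]: 0011223344: client=exchange.example.com[192.0.2.10]
Jan 12 10:20:02 gw postfix/qmgr[1100]: 0011223344: from=<alice@example.com>, size=1500, nrcpt=1 (queue active)
Jan 12 10:20:03 gw postfix/smtp[1252]: 0011223344: to=<partner@example.org>, relay=mx.example.org[203.0.113.9]:25, delay=0.6, dsn=2.0.0, status=sent (250 OK)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/\S+: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client=\S*\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>.*status=(?P<status>\w+)")


def parse_log(text, year=LOG_YEAR):
    """Group Postfix log lines by queue ID into one record per message."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = msgs.setdefault(m["qid"], {"qid": m["qid"], "client_ip": None,
                                         "sender": None, "recipients": []})
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rest = m["rest"]
        if (c := CLIENT_RE.search(rest)):
            rec["client_ip"] = c["ip"]           # smtpd: who connected to us
        elif (f := FROM_RE.search(rest)):
            rec["sender"] = f["addr"].lower()    # qmgr: envelope sender ("" = null sender)
        elif (t := TO_RE.search(rest)):
            rec["recipients"].append((t["addr"].lower(), t["status"], ts))  # smtp: delivery
    return msgs


def is_local(addr, domain=LOCAL_DOMAIN):
    return addr.endswith("@" + domain)


def classify_outbound(msgs, exchange_ip=EXCHANGE_IP, window=WINDOW_SECONDS):
    """Label each external recipient of mail that Exchange handed to the gateway.

    'bounce_of_inbound': the recipient was, within the window, the envelope sender of an
    inbound message the gateway relayed to Exchange (the backscatter case from the post).
    'null_sender_unmatched': a null-sender message with no such match (worth a look).
    'user_mail': everything else.
    """
    inbound = defaultdict(list)  # envelope sender -> [(time, qid, local recipient)]
    for rec in msgs.values():
        if rec["client_ip"] == exchange_ip or not rec["sender"]:
            continue
        for addr, status, ts in rec["recipients"]:
            if is_local(addr) and status == "sent":
                inbound[rec["sender"]].append((ts, rec["qid"], addr))

    results = []
    for rec in msgs.values():
        if rec["client_ip"] != exchange_ip:
            continue
        for addr, status, ts in rec["recipients"]:
            if is_local(addr):
                continue  # stayed internal; not the case discussed
            match = [(its, iqid, ircpt) for its, iqid, ircpt in inbound.get(addr, [])
                     if 0 <= (ts - its).total_seconds() <= window]
            entry = {"qid": rec["qid"], "to": addr, "sender": rec["sender"]}
            if match:
                its, iqid, ircpt = max(match)  # most recent inbound message from that address
                entry.update(verdict="bounce_of_inbound", triggered_by=iqid,
                             original_recipient=ircpt,
                             seconds_after_inbound=int((ts - its).total_seconds()))
            elif rec["sender"] == "":
                entry["verdict"] = "null_sender_unmatched"
            else:
                entry["verdict"] = "user_mail"
            results.append(entry)
    return results


if __name__ == "__main__":
    for entry in classify_outbound(parse_log(SAMPLE_LOG)):
        print(entry)
```

Running it on the constructed excerpt labels F6E5D4C3B2 as a bounce of A1B2C3D4E5 (to the address that did not exist on Exchange, 149 seconds later) and 0011223344 as user mail. Real NDRs normally carry an empty envelope sender, which is why an unmatched null-sender message gets its own verdict rather than being silently counted as user mail; widen the window if your gateway or Exchange queues bounces for longer.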
Tags: linkedin