[thelist] Returned mail that did not originate at our organization

Chris W. Parker cparker at swatgear.com
Tue Nov 19 11:37:01 CST 2002


hello everyone.

the issue i'm having is that of returned mail that did not originate
from within our organization. what will happen is that periodically a
user will get a returned mail notice from a remote system stating that
an email they sent could not be delivered. the problem is that these
emails did not actually come from the accused sender.

to make it a little more clear, i'll create an illustration. a few
minutes ago i was sent an email from another user saying "I did not
send this email!". the subject of the email was "Returned mail--"Mar 13
2002 12". the body of that email message read...

--
From: ourUser at ourDomain.com
To: aDifferentUser at aol.com
Subject: Mar 13 2002 12
The file is the original mail
--

this however did not come from us. more accurately i should say, i'd
like to know how i can verify without a doubt (or as close as possible)
that this email did indeed not originate from within our servers
somewhere. all our servers are patched and use norton anti-virus. and as
far as i've been able to verify there are no open relays on the two smtp
servers. those two servers being a website and an exchange 2000 box. the
web server is not a part of the domain. it is a lone box.

what i think is happening is that this email was sent by some infected
computer which also happened to have one of our email addresses
(ourUser at ourDomain.com). when the virus sent the email it replaced any
sort of legitimate return address with a random address which just so
happened to be ourUser at ourDomain.com. therefore when the end system AOL
received the email it assumed it was sent from us because of the fake
return address.

i hope this is true and it makes sense that it might be, but my boss
doesn't really want to accept this simple answer.

i'm at a bit of a loss as to how i can rule out our servers as possible
sources. 1. do we have open relays? no. 2. do we have a virus? according
to norton, no. 3. what else is there? i'm not sure.


thanks a lot for your help.

chris.
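
An added example, not part of the original post: one way to check a returned-mail notice is to pull the attached original message out of the bounce and compare the relay IPs in its `Received:` headers with the addresses your own SMTP servers send from. The server IPs, the sample bounce and the function names are all assumptions constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy

# Assumption: public IPs our two SMTP servers send from (documentation addresses).
OUR_OUTBOUND = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample bounce with the original mail attached (not real traffic).
SAMPLE_BOUNCE = b"""\
From: MAILER-DAEMON@remote.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

User unknown
--b1
Content-Type: message/rfc822

Received: from pc7 (dialup.isp.example [198.51.100.77]) by mx.remote.example; Tue, 19 Nov 2002 09:00:01 -0600
From: ourUser@ourDomain.example
To: aDifferentUser@remote.example
Subject: Mar 13 2002 12

The file is the original mail
--b1--
"""

def original_message(bounce):
    """Return the mail the remote system attached to its bounce, or None."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def relay_ips(msg):
    """Bracketed IPs from the Received headers, earliest hop first."""
    hops = reversed(msg.get_all("Received", []))
    return [ipaddress.ip_address(ip) for h in hops for ip in IP_IN_BRACKETS.findall(str(h))]

def passed_through_us(raw_bounce):
    """Return (verdict, hop IPs); verdict is None if no original mail was attached."""
    orig = original_message(email.message_from_bytes(raw_bounce, policy=policy.default))
    if orig is None:
        return None, []
    ips = relay_ips(orig)
    return any(ip in OUR_OUTBOUND for ip in ips), ips
```

Only the `Received:` line written by the receiving system itself is trustworthy; anything below it can be forged by the sender, so a match deserves a closer look while a miss on that line means the mail was not handed over by your servers.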



