VERY weird looping/tracking issue

Post by Corbin Mee » Wed, 17 Dec 2003 05:52:16


I've just seen one of the strangest tracking logs. We have a few users
complaining of receiving the same message with an attachment multiple times.
When I tracked the message sure enough it appeared to have caused a loop
condition where it would traverse our routing topology multiple times. In
the tracking history we noticed some VERY weird host names . . . it went
something like this:

[servername]
[servername]
[servername]
[servername]
emu
[servername]
[servername]
cockatoo
[servername]
[servername]
vulture
[servername]
[servername]
[servername]
[servername]
robin

I've never seen anything like this . . . mail was routing to hosts named
after these birds, I swear! Of course the hosts weren't routable, and we could
find no evidence of virus activity; needless to say, there was no tracking
information available on those hosts.

Anybody seen this???

VERY weird looping/tracking issue

Post by Roger Math » Sun, 29 Feb 2004 04:14:06

I am finding these same host names in my tracking. Did you ever find the
problem?
 

VERY weird looping/tracking issue

Post by Matt Kuzio » Sun, 29 Feb 2004 05:02:38

Message tracking uses messageIDs as the key for correlating message tracking
events. It also correlates any NDRs related to the message that you are
tracking. Compliant email programs generate a globally unique ID for each
new message.

In the case of spam, the message ID is often spoofed. The senders are
usually using a cookie cutter type message in which they modify the
recipient list and nothing else. When several of these messages enter your
mail system, message tracking thinks that they are all the same message, due
to the duplicate MessageIDs, and displays the entire result list. This makes
the route look rather confusing because it is actually information from
several messages.

The return address is also spoofed so when these spam messages NDR, Exchange
attempts to deliver them to the invalid host specified in the "MAIL FROM"
command by the spammer. This is where the strange host names are coming
from.

--
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.

This posting is provided "AS IS" with no warranties, and confers no rights.
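To make the explanation above concrete, here is an added example (not code from the thread, and not Exchange's own tracking implementation). It replays a constructed, simplified tracking log whose pipe-separated field layout is invented for this example, correlates events the way a Message-ID-keyed tracker does, and shows the three things discussed in the thread: a genuine routing loop, several spam copies that share one cookie-cutter Message-ID and therefore merge into one confusing route, and NDR hops that point at the spoofed MAIL FROM domain (the "bird" host names). It also shows the check a practitioner would add, namely re-keying on Message-ID plus envelope sender so the merged copies fall apart into ordinary single-hop deliveries. Server names, addresses and domains are all made up.

```python
"""Why duplicate Message-IDs produce a "looping" tracking route.

Added example, not code from the original thread or from Exchange.
The log format below (ts|msgid|server|sender|rcpt|kind) is constructed
for this example only.
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: int        # logical timestamp, used only for ordering
    msgid: str     # Message-ID header as logged
    server: str    # our server that logged the event
    sender: str    # envelope MAIL FROM
    rcpt: str      # envelope RCPT TO
    kind: str      # RECEIVE, TRANSFER or NDR


# Constructed sample log: one genuine loop between mx1 and hub1, three spam
# copies sharing a cookie-cutter Message-ID with spoofed MAIL FROM domains,
# and one ordinary message.
SAMPLE_LOG = """\
1|<real@corp.example>|mx1|alice@corp.example|bob@corp.example|RECEIVE
2|<real@corp.example>|hub1|alice@corp.example|bob@corp.example|TRANSFER
3|<real@corp.example>|mx1|alice@corp.example|bob@corp.example|TRANSFER
4|<real@corp.example>|hub1|alice@corp.example|bob@corp.example|TRANSFER
5|<real@corp.example>|mx1|alice@corp.example|bob@corp.example|TRANSFER
6|<real@corp.example>|hub1|alice@corp.example|bob@corp.example|TRANSFER
10|<cut@spam.example>|mx1|x@emu.invalid|u1@corp.example|RECEIVE
11|<cut@spam.example>|hub1|x@emu.invalid|u1@corp.example|TRANSFER
12|<cut@spam.example>|mx1|x@emu.invalid|u1@corp.example|NDR
13|<cut@spam.example>|mx1|x@cockatoo.invalid|u2@corp.example|RECEIVE
14|<cut@spam.example>|hub1|x@cockatoo.invalid|u2@corp.example|TRANSFER
15|<cut@spam.example>|mx1|x@cockatoo.invalid|u2@corp.example|NDR
16|<cut@spam.example>|mx1|x@vulture.invalid|u3@corp.example|RECEIVE
17|<cut@spam.example>|hub1|x@vulture.invalid|u3@corp.example|TRANSFER
18|<cut@spam.example>|mx1|x@vulture.invalid|u3@corp.example|NDR
20|<ok@partner.example>|mx1|carol@partner.example|dave@corp.example|RECEIVE
21|<ok@partner.example>|hub1|carol@partner.example|dave@corp.example|TRANSFER
"""


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log into time-ordered events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, msgid, server, sender, rcpt, kind = line.split("|")
        events.append(Event(int(ts), msgid, server, sender, rcpt, kind))
    return sorted(events, key=lambda e: e.ts)


def correlate_by_msgid(events: List[Event]) -> Dict[str, List[Event]]:
    """What a tracker keyed purely on Message-ID does: one bucket per ID."""
    groups: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        groups[e.msgid].append(e)
    return dict(groups)


def ndr_target(e: Event) -> str:
    """An NDR is addressed to MAIL FROM, so its next hop is that domain."""
    return e.sender.rsplit("@", 1)[1]


def displayed_route(events: List[Event]) -> List[str]:
    """Host list the tracker shows for one correlation group."""
    return [ndr_target(e) if e.kind == "NDR" else e.server for e in events]


def diagnose(events: List[Event], max_visits: int = 2) -> str:
    """Tell a real loop apart from several messages sharing one Message-ID."""
    senders = {e.sender for e in events}
    receives = sum(1 for e in events if e.kind == "RECEIVE")
    # One message enters the org once, from one envelope sender.
    if len(senders) > 1 or receives > 1:
        return "message-id collision"
    visits = Counter(e.server for e in events)
    if max(visits.values()) > max_visits:
        return "loop"
    return "normal"


def correlate_by_envelope(events: List[Event]) -> Dict[Tuple[str, str], List[Event]]:
    """Re-key on (Message-ID, MAIL FROM) to pull merged spam copies apart."""
    groups: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in events:
        groups[(e.msgid, e.sender)].append(e)
    return dict(groups)


def ndr_hosts(events: List[Event]) -> List[str]:
    """The unroutable hosts that show up in the route: spoofed MAIL FROM domains."""
    return sorted({ndr_target(e) for e in events if e.kind == "NDR"})


if __name__ == "__main__":
    for msgid, evs in correlate_by_msgid(parse_log(SAMPLE_LOG)).items():
        verdict = diagnose(evs)
        print(msgid, verdict)
        print("  route:", " -> ".join(displayed_route(evs)))
        if verdict == "message-id collision":
            for (_, sender), part in correlate_by_envelope(evs).items():
                print("   ", sender, diagnose(part), displayed_route(part))
```

Running it prints the genuine loop as repeated mx1/hub1 visits, and the spam bucket as a route that bounces through emu.invalid, cockatoo.invalid and vulture.invalid; splitting that bucket by envelope sender turns it into three ordinary one-hop deliveries that each bounced. The `max_visits` threshold is an assumption for this example; tune it to your topology before using the heuristic on real logs.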