
Outgoing Spam w/ Empty Sender

Outgoing Empty Sender

2 replies to this topic

#1 Matt Blasco

Matt Blasco
  • Members
  • 1 posts

Posted 15 June 2016 - 10:25 AM

Hello all,

 

I am seeing what strikes me as a strange trend in outgoing mail in my organization.  I am new to Barracuda, so please bear with me.

 

I noticed in the Top Spam Senders report that our internal Exchange server is by far the top spam sender, but since the report only shows the source IP of the server, I began digging to see which user accounts the spam is actually coming from.

 

When I filtered the message log to show only messages that were not allowed or whitelisted and that had the source IP of our Exchange server, almost every single one (there are hundreds just in the past day) has nothing at all in the "From" column, the "Subject" column, or the "Size" column.  The majority of the destination addresses seem suspect as well (addresses like 1fd2d31a31dcc6@tryfury.net, info=screen-mail.com@mail64.us4.mcsv.net, etc.).  If I view the message details for any of these messages, the message, source, and Bayesian data are all empty.

 

I know that the outgoing messages are being blocked because of the empty sender, as the "Reason" column shows "Sender" for all messages and "Allow Empty Outbound Domain Names" is disabled under Advanced-->Email Protocol.  What I do not know is why the messages are being generated in the first place.

 

What do you all make of this, and what might you suggest as a next step toward getting to the bottom of the issue?

 

Thanks in advance.



#2 opjose

opjose
  • Members
  • 261 posts
  • Location: Washington D.C. Area

Posted 15 June 2016 - 12:51 PM

Is your Exchange server in the "Relay using Trusted IP/RANGE" list?

 

Do you have relaying via the Barracuda turned on? And if so, are you using SMTP Auth or LDAP to verify senders?

 

When you double click on one of these messages in the Message Log what does the grey block at the top show? A picture would be helpful.



#3 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 409 posts

Posted 15 June 2016 - 03:25 PM

Matt,
 

Based on what you are saying, it appears that you do not have either SMTP verification enabled on your Exchange server or LDAP verification enabled for your domain on the Barracuda.

Without SMTP verification enabled on your Exchange server, it will accept mail for any user in your domain and then generate an NDR message back to the sender.

NDR messages do not have an Envelope from, so that setting on your Barracuda is blocking this mail. This is actually a good thing, as returning an NDR to the Header FROM address in email is called backscatter and can get your IP blacklisted.

I recommend that you have SMTP verification enabled on your mail server or LDAP verification enabled for your domain on the Barracuda.

If one of these is enabled and you are still seeing a large number of messages being blocked for empty sender, then please call into Barracuda support so that a technician can assist you in troubleshooting this issue.

Sincerely,


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300
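
The accept-then-bounce behaviour described in the reply above, as an added example that is not part of the original thread and is not Barracuda or Exchange code: a small Python model comparing a server that accepts mail for unknown recipients and later sends an NDR with one that rejects them during the SMTP session. The function names, the recipient list and every address are assumptions constructed for the illustration.

```python
# Added illustration: accepting mail for unknown recipients and bouncing it
# later produces empty-sender NDRs. All addresses and data are constructed.
from dataclasses import dataclass

VALID_RECIPIENTS = {"alice@example.org", "bob@example.org"}  # stand-in for the directory

@dataclass
class Message:
    envelope_from: str   # MAIL FROM value; "" is the null sender <>
    rcpt_to: str         # RCPT TO value
    note: str = ""

def handle_inbound(msg, verify_recipients):
    """Return (smtp_reply_code, messages_the_server_sends_afterwards)."""
    known = msg.rcpt_to.lower() in VALID_RECIPIENTS
    if verify_recipients and not known:
        # Rejected in-session: the connecting host owns the failure, nothing is queued.
        return 550, []
    if known:
        return 250, []                      # delivered locally
    if msg.envelope_from == "":
        return 250, []                      # a bounce is never bounced (RFC 5321)
    # Accepted, later found undeliverable: an NDR goes to the claimed sender,
    # and the NDR itself carries the null envelope sender.
    ndr = Message("", msg.envelope_from, f"NDR for {msg.rcpt_to}")
    return 250, [ndr]

def run(inbound, verify_recipients):
    """Process a batch and return the outbound messages the server generated."""
    outbound = []
    for msg in inbound:
        _, sent = handle_inbound(msg, verify_recipients)
        outbound.extend(sent)
    return outbound

# Constructed inbound traffic: two messages with forged senders to unknown
# recipients, plus one legitimate message.
INBOUND = [
    Message("forged1@thirdparty.example", "nosuchuser1@example.org"),
    Message("forged2@thirdparty.example", "nosuchuser2@example.org"),
    Message("carol@partner.example", "alice@example.org"),
]

if __name__ == "__main__":
    for verify in (False, True):
        out = run(INBOUND, verify)
        print(f"recipient verification={verify}: {len(out)} empty-sender messages generated")
        for m in out:
            print(f"  MAIL FROM:<{m.envelope_from}> RCPT TO:<{m.rcpt_to}>  ({m.note})")
```

With verification off, every message to an unknown recipient becomes one outbound empty-sender message to an address the organization never chose to contact, which matches the pattern in the message log from the first post.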