Very strange exchange issue - random double emails

The Director of one of our clients is getting some double emails in his inbox, mainly from spam providers. The client runs a fully patched SBS 2011 server; the issue started earlier this year, went away by itself and has now resurfaced. Rebooting the server doesn't fix it.

Looking at the SMTP receive logs, every email he receives two copies of is also sent to an ex-employee; however, their account and email alias no longer exist, and if I send an email to that address it bounces.

The SMTP log is below...

,2,192.168.44.2:25,38.99.252.6:57475,>,"220 mail.companydomain.co.uk Microsoft ESMTP MAIL Service ready at Fri, 4 Nov 2016 16:45:21 +0000",
,3,192.168.44.2:25,38.99.252.6:57475,<,EHLO ardourcraft.com,
,4,192.168.44.2:25,38.99.252.6:57475,>,250-mail.companydomain.co.uk Hello [38.99.252.6],
,5,192.168.44.2:25,38.99.252.6:57475,>,250-SIZE 52428800,
,6,192.168.44.2:25,38.99.252.6:57475,>,250-PIPELINING,
,7,192.168.44.2:25,38.99.252.6:57475,>,250-DSN,
,8,192.168.44.2:25,38.99.252.6:57475,>,250-ENHANCEDSTATUSCODES,
,9,192.168.44.2:25,38.99.252.6:57475,>,250-STARTTLS,
,10,192.168.44.2:25,38.99.252.6:57475,>,250-AUTH,
,11,192.168.44.2:25,38.99.252.6:57475,>,250-8BITMIME,
,12,192.168.44.2:25,38.99.252.6:57475,>,250-BINARYMIME,
,13,192.168.44.2:25,38.99.252.6:57475,>,250 CHUNKING,
,14,192.168.44.2:25,38.99.252.6:57475,<,MAIL FROM:<rachel.roman@ardourcraft.com> BODY=7BIT RET=HDRS,
,15,192.168.44.2:25,38.99.252.6:57475,*,08D40238A1A07BDF;2016-11-04T16:45:21.760Z;1,receiving message
,16,192.168.44.2:25,38.99.252.6:57475,<,RCPT TO:<john@companydomain.co.uk> NOTIFY=FAILURE,
,17,192.168.44.2:25,38.99.252.6:57475,>,250 2.1.0 Sender OK,
,18,192.168.44.2:25,38.99.252.6:57475,>,250 2.1.5 Recipient OK,
,19,192.168.44.2:25,38.99.252.6:57475,<,BDAT 8199,
,20,192.168.44.2:25,38.99.252.6:57475,*,Tarpit for '0.00:00:05',
,21,192.168.44.2:25,38.99.252.6:57475,>,"250 2.6.0 CHUNK received OK, 8199 octets",
,22,192.168.44.2:25,38.99.252.6:57475,<,BDAT 6339 LAST,
,23,192.168.44.2:25,38.99.252.6:57475,*,Tarpit for '0.00:00:01.592' due to 'DelayedAck',Delivered
,24,192.168.44.2:25,38.99.252.6:57475,>,250 2.6.0 <5689.24117001435.50353816009@smtp1.ardourcraft.com> [InternalId=3380387] Queued mail for delivery,
,25,192.168.44.2:25,38.99.252.6:57475,<,MAIL FROM:<rachel.roman@ardourcraft.com> BODY=7BIT RET=HDRS,
,26,192.168.44.2:25,38.99.252.6:57475,*,08D40238A1A07BDF;2016-11-04T16:45:21.760Z;2,receiving message
,27,192.168.44.2:25,38.99.252.6:57475,<,RCPT TO:<steve@companydomain.co.uk> NOTIFY=FAILURE,
,28,192.168.44.2:25,38.99.252.6:57475,*,Tarpit for '0.00:00:05',
,29,192.168.44.2:25,38.99.252.6:57475,>,250 2.1.0 Sender OK,
,30,192.168.44.2:25,38.99.252.6:57475,>,550 5.1.1 User unknown,

You can see the message is sent to John@ (the Director) and also Steve@ (the ex-staff member), but john@ receives two copies. Every message that John receives two copies of is also sent to Steve?? There are no transport rules set up on Exchange and no rules in the spam filter (Sophos PureMessage).

Looking at the message properties I can see a slight difference in the two messages, but nothing points to the issue...

Received: from ardourcraft.com (38.99.252.6) by mail.companydomain.co.uk
(192.168.44.2) with Microsoft SMTP Server id 14.3.319.2; Fri, 4 Nov 2016
16:48:05 +0000
Date: Fri, 4 Nov 2016 12:43:56 -0400
MIME-Version: 1
Content-Type: text/html; charset="UTF-8"
To: <john@companydomain.co.uk>
Subject: Are you sure you're getting the best deal on cable/net services? New offers have incredible packages.
Reply-To: Rachel Roman <rachel.roman@ardourcraft.com>
Content-Transfer-Encoding: quoted-printable
From: Rachel Roman <rachel.roman@ardourcraft.com>
Message-ID: <5689.23925374435.157538236009@smtp1.ardourcraft.com>
Return-Path: rachel.roman@ardourcraft.com
X-MS-Exchange-Organization-AuthSource: SERVER.ukpro.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AVStamp-Mailbox: Sophos;-1157447678;0;PM
X-PMWin-SpamScore: 12


Received: from ardourcraft.com (38.99.252.6) by mail.companydomain.co.uk
(192.168.44.2) with Microsoft SMTP Server id 14.3.319.2; Fri, 4 Nov 2016
16:45:22 +0000
Date: Fri, 4 Nov 2016 12:43:59 -0400
Subject: Are you sure you're getting the best deal on cable/net services? New offers have incredible packages.
Message-ID: <5689.24117001435.50353816009@smtp1.ardourcraft.com>
From: Rachel Roman <rachel.roman@ardourcraft.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1
Content-Type: text/html; charset="UTF-8"
To: <john@companydomain.co.uk>
Reply-To: Rachel Roman <rachel.roman@ardourcraft.com>
Return-Path: rachel.roman@ardourcraft.com
X-MS-Exchange-Organization-AuthSource: SERVER.ukpro.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AVStamp-Mailbox: Sophos;-1157447678;0;PM
X-PMWin-SpamScore: 12

Any ideas?
 
The emails were received three minutes apart and have different Message-IDs. You only include the log entries for one of the Message-IDs (5689.24117001435.50353816009@smtp1.ardourcraft.com). Do the SMTP logs show the email being delivered successfully to your SBS server twice? They probably do, and we need to see the other log entries relating to the other Message-ID (5689.23925374435.157538236009@smtp1.ardourcraft.com) in order to see if the email is simply being sent twice to the same address.

If the other SMTP log entries show the email as being sent to another address then that other address is being forwarded to the director on SBS or the other email address is an alias on the email addresses tab in Exchange.
 
Looking at the SMTP receive logs, every email he receives two copies of is also sent to an ex-employee; however, their account and email alias no longer exist, and if I send an email to that address it bounces.

Any ideas?

This part sounds like some kind of filtering rule was set up. Just because the email bounced does not mean there was not a rule to have a copy forwarded, etc.
 

I have looked at some further examples in the logs, and the server is receiving the emails twice for each email address.

What's strange is that the issue of receiving emails twice only seems to happen with emails sent to John and our former employee Steve; both are sent two copies and nobody else in the company is. Considering the company has 60 users, it's a strange coincidence? Maybe they somehow both made it onto a mailing list (twice) and the list keeps being passed around and reused?
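The correlation the thread does by eye (the receive log posted above, the request to line up the second Message-ID's log entries, and the follow-up that the server receives each message twice) as an added example; it is not code from the original posts. It replays Exchange 2010 / SBS 2011 receive protocol log rows (the SMTPReceive CSV, which starts with a #Fields header), matches server replies to the pipelined client commands in FIFO order, and reports any recipient that had more than one distinct Message-ID queued from the same sender inside a time window, together with the addresses those same sessions tried and had rejected. The sample rows are constructed: the first session is the one posted above with the date-time, connector-id and session-id columns restored (the connector name SERVER\Default SERVER is assumed) and informational rows trimmed; the second session is a hypothetical reconstruction of the other delivery built from the second header set posted (received 16:48:05, Message-ID 5689.23925374435.157538236009@smtp1.ardourcraft.com).

```python
"""Added example: replay SBS 2011 / Exchange 2010 receive protocol log rows to find duplicate deliveries."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample. Session 08D40238A1A07BDF is the session posted in the thread
# with the date-time, connector-id and session-id columns restored (connector name
# assumed) and informational rows trimmed; session 08D40238A1A07C12 is a hypothetical
# reconstruction of the other delivery, built from the second header set posted.
SAMPLE_LOG = r"""#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2016-11-04T16:45:21.760Z,SERVER\Default SERVER,08D40238A1A07BDF,14,192.168.44.2:25,38.99.252.6:57475,<,MAIL FROM:<rachel.roman@ardourcraft.com> BODY=7BIT RET=HDRS,
2016-11-04T16:45:21.760Z,SERVER\Default SERVER,08D40238A1A07BDF,16,192.168.44.2:25,38.99.252.6:57475,<,RCPT TO:<john@companydomain.co.uk> NOTIFY=FAILURE,
2016-11-04T16:45:21.760Z,SERVER\Default SERVER,08D40238A1A07BDF,17,192.168.44.2:25,38.99.252.6:57475,>,250 2.1.0 Sender OK,
2016-11-04T16:45:21.760Z,SERVER\Default SERVER,08D40238A1A07BDF,18,192.168.44.2:25,38.99.252.6:57475,>,250 2.1.5 Recipient OK,
2016-11-04T16:45:21.760Z,SERVER\Default SERVER,08D40238A1A07BDF,19,192.168.44.2:25,38.99.252.6:57475,<,BDAT 8199,
2016-11-04T16:45:26.760Z,SERVER\Default SERVER,08D40238A1A07BDF,21,192.168.44.2:25,38.99.252.6:57475,>,"250 2.6.0 CHUNK received OK, 8199 octets",
2016-11-04T16:45:26.760Z,SERVER\Default SERVER,08D40238A1A07BDF,22,192.168.44.2:25,38.99.252.6:57475,<,BDAT 6339 LAST,
2016-11-04T16:45:28.352Z,SERVER\Default SERVER,08D40238A1A07BDF,23,192.168.44.2:25,38.99.252.6:57475,*,Tarpit for '0.00:00:01.592' due to 'DelayedAck',Delivered
2016-11-04T16:45:28.352Z,SERVER\Default SERVER,08D40238A1A07BDF,24,192.168.44.2:25,38.99.252.6:57475,>,250 2.6.0 <5689.24117001435.50353816009@smtp1.ardourcraft.com> [InternalId=3380387] Queued mail for delivery,
2016-11-04T16:45:28.352Z,SERVER\Default SERVER,08D40238A1A07BDF,25,192.168.44.2:25,38.99.252.6:57475,<,MAIL FROM:<rachel.roman@ardourcraft.com> BODY=7BIT RET=HDRS,
2016-11-04T16:45:28.352Z,SERVER\Default SERVER,08D40238A1A07BDF,27,192.168.44.2:25,38.99.252.6:57475,<,RCPT TO:<steve@companydomain.co.uk> NOTIFY=FAILURE,
2016-11-04T16:45:33.352Z,SERVER\Default SERVER,08D40238A1A07BDF,29,192.168.44.2:25,38.99.252.6:57475,>,250 2.1.0 Sender OK,
2016-11-04T16:45:33.352Z,SERVER\Default SERVER,08D40238A1A07BDF,30,192.168.44.2:25,38.99.252.6:57475,>,550 5.1.1 User unknown,
2016-11-04T16:48:05.120Z,SERVER\Default SERVER,08D40238A1A07C12,5,192.168.44.2:25,38.99.252.6:58102,<,MAIL FROM:<rachel.roman@ardourcraft.com> BODY=7BIT RET=HDRS,
2016-11-04T16:48:05.120Z,SERVER\Default SERVER,08D40238A1A07C12,6,192.168.44.2:25,38.99.252.6:58102,<,RCPT TO:<john@companydomain.co.uk> NOTIFY=FAILURE,
2016-11-04T16:48:05.120Z,SERVER\Default SERVER,08D40238A1A07C12,7,192.168.44.2:25,38.99.252.6:58102,>,250 2.1.0 Sender OK,
2016-11-04T16:48:05.120Z,SERVER\Default SERVER,08D40238A1A07C12,8,192.168.44.2:25,38.99.252.6:58102,>,250 2.1.5 Recipient OK,
2016-11-04T16:48:05.120Z,SERVER\Default SERVER,08D40238A1A07C12,9,192.168.44.2:25,38.99.252.6:58102,<,BDAT 14538 LAST,
2016-11-04T16:48:11.704Z,SERVER\Default SERVER,08D40238A1A07C12,10,192.168.44.2:25,38.99.252.6:58102,>,250 2.6.0 <5689.23925374435.157538236009@smtp1.ardourcraft.com> [InternalId=3380402] Queued mail for delivery,
2016-11-04T16:48:11.704Z,SERVER\Default SERVER,08D40238A1A07C12,11,192.168.44.2:25,38.99.252.6:58102,<,MAIL FROM:<rachel.roman@ardourcraft.com> BODY=7BIT RET=HDRS,
2016-11-04T16:48:11.704Z,SERVER\Default SERVER,08D40238A1A07C12,12,192.168.44.2:25,38.99.252.6:58102,<,RCPT TO:<steve@companydomain.co.uk> NOTIFY=FAILURE,
2016-11-04T16:48:16.704Z,SERVER\Default SERVER,08D40238A1A07C12,13,192.168.44.2:25,38.99.252.6:58102,>,250 2.1.0 Sender OK,
2016-11-04T16:48:16.704Z,SERVER\Default SERVER,08D40238A1A07C12,14,192.168.44.2:25,38.99.252.6:58102,>,550 5.1.1 User unknown,
"""

ADDR_RE = re.compile(r"<([^>]*)>")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

def parse_receive_log(text):
    """Yield each row as a dict keyed by the #Fields names; csv handles the quoted data column."""
    fields = None
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            if row and row[0].startswith("#Fields:"):
                fields = [row[0].split(":", 1)[1].strip()] + row[1:]
            continue
        yield dict(zip(fields, row))

def extract_transactions(records):
    """Replay each session. Replies are matched to commands FIFO because the client pipelines."""
    sessions = defaultdict(list)
    for r in records:
        sessions[r["session-id"]].append(r)
    out = []
    for sid, recs in sessions.items():
        pending, txn = [], None           # commands awaiting a reply; MAIL FROM transaction in progress
        for r in sorted(recs, key=lambda r: int(r["sequence-number"])):
            ev, data = r["event"], r["data"]
            if ev == "<":                 # client command ("*" rows such as Tarpit are informational)
                verb = data.split(" ", 1)[0].upper()
                if verb == "MAIL":
                    txn = {"session": sid, "time": datetime.strptime(r["date-time"], TS_FMT),
                           "sender": ADDR_RE.search(data).group(1), "accepted": [], "rejected": [], "message_id": None}
                rcpt = ADDR_RE.search(data).group(1) if verb == "RCPT" else None
                end = verb == "DATA" or (verb == "BDAT" and data.upper().endswith(" LAST"))
                pending.append(("END" if end else verb, rcpt))
            elif ev == ">" and re.match(r"\d{3} ", data) and pending:   # final reply line
                code = int(data[:3])
                if code == 354:           # DATA go-ahead; the queue result follows the body
                    continue
                kind, rcpt = pending.pop(0)
                if kind == "RCPT" and txn:
                    (txn["accepted"] if code < 400 else txn["rejected"]).append(rcpt)
                elif kind == "END" and txn:
                    m = re.search(r"<([^>]+)>", data) if code < 400 else None
                    txn["message_id"] = m.group(1) if m else None
                    out.append(txn)
                    txn = None
        if txn:                           # the excerpt ends right after the 550
            out.append(txn)
    return out

def find_duplicate_deliveries(txns, window_seconds=600):
    """(sender, recipient) -> sorted Message-IDs for pairs queued more than one distinct message within the window."""
    by_pair = defaultdict(list)
    for t in txns:
        for rcpt in (t["accepted"] if t["message_id"] else []):
            by_pair[(t["sender"].lower(), rcpt.lower())].append(t)
    return {pair: sorted({t["message_id"] for t in ts}) for pair, ts in by_pair.items()
            if len({t["message_id"] for t in ts}) > 1
            and (max(t["time"] for t in ts) - min(t["time"] for t in ts)).total_seconds() <= window_seconds}

def rejected_alongside(txns, recipient):
    """Addresses rejected (5xx) in the very sessions that queued mail for `recipient`."""
    sids = {t["session"] for t in txns if recipient.lower() in [a.lower() for a in t["accepted"]]}
    return sorted({a.lower() for t in txns if t["session"] in sids for a in t["rejected"]})
```

Run against the sample, `find_duplicate_deliveries` reports john@companydomain.co.uk with two Message-IDs from rachel.roman@ardourcraft.com, and `rejected_alongside` returns steve@companydomain.co.uk, the address both sessions tried and got 550 5.1.1 for. Two separate SMTP sessions, each with its own Message-ID, is the sender transmitting twice; a forward or alias inside Exchange would show one session and one Message-ID. On the real server the rows come from the files under the path shown by `Get-TransportServer | fl ReceiveProtocolLogPath`, and the connector needs `Set-ReceiveConnector -ProtocolLoggingLevel Verbose` for the command/reply rows to be written at all.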
 
In any event I'd be looking to tweak Sophos or put a spam filter in place such as Max Mail so that inbound email is routed in via that service. Then you might get NO spam instead of 2 x spam!

The IP address that sent the email is now on many blacklists. I would double check that Exchange, or whatever is doing your spam filtering, has been configured with a couple of good DNS blacklists.

Delivering the same email twice might simply be an attempt by spammers to get around greylisting.
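How the DNS blacklist check recommended above actually works, as an added example (not Exchange's code and not from the thread): the sender's IPv4 octets are reversed, the DNSBL zone is appended, and an A record in 127.0.0.0/8 means listed, NXDOMAIN means not listed. This is the mechanism behind Exchange's IP Block List Providers. The resolver is injected so the example runs offline: the answers in FAKE_DNS are constructed (the thread says only that 38.99.252.6 is on many blacklists; the specific codes are invented), and example-dnsbl.test is a hypothetical zone included only to show a Spamhaus-style 127.255.255.x error answer, which means the query itself was broken, not that the IP is listed.

```python
"""Added example: a DNS blocklist (DNSBL) lookup, the mechanism behind Exchange's
IP Block List Providers. Not Exchange's code and not from the thread."""
import ipaddress
import socket

# Listing meanings per zone, summarised from the zones' published return-code
# tables (Spamhaus ZEN and SpamCop). Unmapped codes are still reported as listings.
MEANINGS = {
    "zen.spamhaus.org": {
        "127.0.0.2": "SBL: verified spam source",
        "127.0.0.3": "SBL: Spamhaus CSS data",
        "127.0.0.4": "XBL: compromised host or open proxy",
        "127.0.0.10": "PBL: dynamic / end-user address space",
        "127.0.0.11": "PBL: dynamic / end-user address space",
    },
    "bl.spamcop.net": {"127.0.0.2": "reported to SpamCop"},
}
# Spamhaus answers a broken query (not a listing) from 127.255.255.0/24, e.g.
# 127.255.255.254 when the query arrives through a public/open resolver.
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")


def dnsbl_name(ip, zone):
    """Query name: octets reversed, zone appended (38.99.252.6 -> 6.252.99.38.<zone>)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Live lookup. A records mean listed; NXDOMAIN (gaierror) means not listed."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check_ip(ip, zones, resolve=system_resolver):
    """Per zone: 'not listed', 'error: <codes>' or a list of (code, meaning).
    Private and other non-global addresses are never queried: no DNSBL lists
    them, so the lookup would only leak internal addressing to the zone."""
    if not ipaddress.IPv4Address(ip).is_global:
        return {zone: "skipped: non-global address" for zone in zones}
    results = {}
    for zone in zones:
        answers = resolve(dnsbl_name(ip, zone))
        errors = [a for a in answers if ipaddress.IPv4Address(a) in ERROR_NET]
        if errors:                      # a misconfigured query, never a reason to block
            results[zone] = "error: " + ", ".join(errors)
        elif answers:
            results[zone] = [(a, MEANINGS.get(zone, {}).get(a, "listed, code not mapped")) for a in answers]
        else:
            results[zone] = "not listed"
    return results


# Constructed stand-in for live DNS so the example runs offline. The thread only
# says 38.99.252.6 "is now on many blacklists"; the codes below are invented,
# and example-dnsbl.test is a hypothetical zone used to show an error answer.
ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "example-dnsbl.test"]
FAKE_DNS = {
    "6.252.99.38.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],
    "6.252.99.38.bl.spamcop.net": ["127.0.0.2"],
    "6.252.99.38.example-dnsbl.test": ["127.255.255.254"],
}


def fake_resolver(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for zone, result in check_ip("38.99.252.6", ZONES, fake_resolver).items():
        print(f"{zone}: {result}")
```

Leave `resolve` at its default to query live. The error branch is the practical caveat: if the Exchange server's DNS forwards to a public resolver, Spamhaus answers 127.255.255.254 instead of a listing, so a "configured" blacklist silently stops blocking anything; the fix is to resolve DNSBL queries through a resolver of your own.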
 

Thanks for advice

We resell MaxMail to most of our clients; it's just that this client has a Sophos PureMessage licence, so they don't want to pay for another solution. What I might do is set up this user only on MaxMail and set it to deliver all emails even if the user doesn't exist; that way they can still use PureMessage for all other users.

The Exchange server is configured to use two different blacklists but these probably got through before the IP hit the blacklist.
 