Email received from the postmaster of my Office 365 domain regarding spam I didn't send

I recently received a message from my domain's postmaster (message and header info below) regarding a message I never sent. I am confident my workstation does not have malware installed and I have a properly written SPF record. I have no idea who this person is and I am the only account in my Exchange environment.

I am attempting to find more information on how to trace this issue down. I analyzed the header in Microsoft's message analyzer and it appears to have actually come from Office 365, and yet my mail trace in hosted Exchange shows no mail sent to this address.

Specifically, I would like to trace down what account was thought to have sent the original message that the postmaster blocked. I am the only account here and I know I didn't send anything:

This message was created automatically by mail delivery software. Your email message was not delivered to the intended recipients because malware was detected.

--- Additional Information ---

Subject: Re: unpaid windstream.net invoice

Sender: [Removed by moderator]

Time received: 10/8/2015 5:55:52 PM

Message ID: <*** Email address is removed for privacy ***>

Detections found:

invoice_cam.doc              W32/Upatre.BL.gen!Eldorado

HEADER:

Received: from BY2PR06MB1878.namprd06.prod.outlook.com (10.163.33.156) by
 SN1PR06MB1886.namprd06.prod.outlook.com (10.162.133.30) with Microsoft SMTP
 Server (TLS) id 15.1.293.16 via Mailbox Transport; Thu, 8 Oct 2015 17:55:53
 +0000
Received: from SmtpServer.Submit by BY2PR06MB1878 with Microsoft SMTP Server
 id 15.1.286.20; Thu, 8 Oct 2015 17:55:53 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
From: Postmaster <*** Email address is removed for privacy ***>
To: <[Removed by moderator]>
Subject: Undeliverable message
Content-Transfer-Encoding: quoted-printable
Message-ID: <*** Email address is removed for privacy ***>
Return-Path: *** Email address is removed for privacy ***
Date: Thu, 8 Oct 2015 17:55:53 +0000
X-MS-Exchange-Organization-Network-Message-Id: 026a5e0b-41a1-4f4c-3242-08d2d009b578
X-MS-Exchange-Organization-AuthSource: BY2PR06MB1878.namprd06.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 05
X-MS-Exchange-Parent-Message-Id: <*** Email address is removed for privacy ***>
Auto-Submitted: auto-generated
X-MS-Exchange-Generated-Message-Source: Malware Agent
X-MS-Exchange-Organization-AVStamp-Service: 1.0
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004)(2401047)(520078)(8121501046)(3002001);SRVR:BY2PR06MB1878;BCL:0;PCL:0;RULEID:;SRVR:BY2PR06MB1878;
X-Forefront-Antispam-Report: SFV:SKI;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:BY2PR06MB1878;H:;FPR:;SPF:None;LANG:en;
X-MS-Exchange-Organization-SCL: -1
SpamDiagnosticOutput: 1:0
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 Oct 2015 17:55:53.0497 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR06MB1878
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.8361431
X-Microsoft-Exchange-Diagnostics:
    1;BY2PR06MB1878;25:j2Ax76On8eewuYotw4OoEN675bmm6+VkTA/S2Udnec/f5SW+EgfRZNeD0zeHGNj6AJ3uT3yJSEJ21qJJMMv4SaHhrxLSGhZiaM6R+1SbxoiP7dYzGJOFQRrBOpVw7nk73RoddeuffiajZWNF6fWQ0QfV5Hi5JLL/RBzekhL0roNT+oerJ77rLdPcE9oybarPXx4ybSFbb9QLz21KC5TW79JcNkv72zNKRkl51irqFyl+PeTvoDzp97QKoaAJN/u7Puptfz7y/SBpXlkrjL5nEQ==;4:puDa+k/1IBDm1Ervm9F63wtJSsJLSkSelkGB2HByIifK8nyNWPeQhMKqmZpNZsRXmA6At1fr1Zg8OyDVmivgPFvcg00qhhpJ1RQhCnj0ceuXlQ9Pys7j60/M6PmszS5W1TeWNjm5i/4g5/8wFWlVYazUgNvqd6wxc+9vTk8Fzr0qAEmU6BoRr3qqsl8XqKykSOQ38sR/umwzYl5iLSnRR5i3LlJ71GMr5xtazBis6NfCJSkD13gwbaW6z/oQJxH8zVd90Bjo4efJT7kL0rMJ1coPxFKjhwEpc7omLjV/zRF8+fF4cDZAudXeJYESl7HXpSL2w/tZnWR8MDrXv8x3Sg==;23:EA14nq6BoqgzGLMbnqbUmcNVj6L9xdoJ3ViSUn7+69ZdN3llDUW+nKF4CrCLIond2vW4B+4E30PWqpJt7pwNsYZcR0NpB1GdWWV3ryTE9SPhwKWhIz2uaJTthZ8LWXkYN5m55bTKrP5tIkncPpdxYZ5gi8UIC42IrHpHl2VlPDPojZ1PcLLodr8LxrTcaDUB
X-Microsoft-Exchange-Diagnostics:
    1;BY2PR06MB1878;5:os8Mb6pn9W0loGmTzH6zLtfbYGUG9UjaLZow2jTqwwSN4JSfIZ+4EPtowWdiN7ccszCluj0OOiecZwqoQeZ/JO1hEljuznUeb+Jsy+eowhjtBQmXmAt0Iej63NFqAfNECIUkKTv9zu3T5PBBokyGlQ==;24:9BrUx6Pk3v+jkhFlhi0ntNvlfQJ/BS9AVZoeXpHNpxnPIgeQGLiVePxCbXVWO7Gql55d/aTvHpg/8RJqVujISrc45WyabX1C4FNEgqiYCiU=;20:ZEVhfvGDzZWFZUZpSPMhzRed+j6rH9Lz3wVtUs2wLTvkFFs4Y3gLvVmEJyGijELYS7KpgQ9MeHqewF7AazHFlg==
X-Microsoft-Exchange-Diagnostics:
    1;SN1PR06MB1886;9:CDkPhDZ9R8BRKDl3O9YQu7uiFJezrjy/9N5k1EnLXN0CIexT+9LoWI6gJ5SO0ryCSHZgNS6WdLOnLrFzmxsZtn3t6r8KrH8XSI/E+rT8UTUB0Y/TRjpXq+np/c6QRD1s
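As an added illustration, not part of the original thread and not a Microsoft tool, the following Python script unfolds the NDR header quoted above and pulls out the fields that bear on where the notification came from: the Received chain in oldest-first order, the X-MS-Exchange-Organization-AuthAs / AuthMechanism / MessageDirectionality stamps, the SPF verdict inside X-Forefront-Antispam-Report, and X-MS-Exchange-Parent-Message-Id. The sample block is the header from the post with the forum's redaction placeholders kept verbatim and the long X-Microsoft-Exchange-Diagnostics blobs omitted. The hop regex, the meaning assigned to the parent id, and the field names it reads are assumptions about the header format, not a documented API.

```python
import re

# Header of the NDR quoted in the question, with the forum's redaction
# placeholders kept verbatim and the X-Microsoft-Exchange-Diagnostics blobs omitted.
SAMPLE_HEADERS = """\
Received: from BY2PR06MB1878.namprd06.prod.outlook.com (10.163.33.156) by
 SN1PR06MB1886.namprd06.prod.outlook.com (10.162.133.30) with Microsoft SMTP
 Server (TLS) id 15.1.293.16 via Mailbox Transport; Thu, 8 Oct 2015 17:55:53
 +0000
Received: from SmtpServer.Submit by BY2PR06MB1878 with Microsoft SMTP Server
 id 15.1.286.20; Thu, 8 Oct 2015 17:55:53 +0000
MIME-Version: 1.0
From: Postmaster <*** Email address is removed for privacy ***>
Subject: Undeliverable message
Message-ID: <*** Email address is removed for privacy ***>
X-MS-Exchange-Organization-AuthSource: BY2PR06MB1878.namprd06.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 05
X-MS-Exchange-Parent-Message-Id: <*** Email address is removed for privacy ***>
Auto-Submitted: auto-generated
X-MS-Exchange-Generated-Message-Source: Malware Agent
X-Forefront-Antispam-Report: SFV:SKI;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:BY2PR06MB1878;H:;FPR:;SPF:None;LANG:en;
X-MS-Exchange-Organization-MessageDirectionality: Originating
"""

def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines; return (name, value) pairs in file order."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:          # continuation of the previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

# Assumed shape of a Received clause: "from <host> [(<ip>)] by <host> ..."
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.IGNORECASE)

def received_chain(fields):
    """Each hop prepends its own Received line, so reverse the list to get oldest-first."""
    hops = []
    for name, value in fields:
        if name.lower() == "received":
            m = HOP_RE.search(value)
            if m:
                hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return list(reversed(hops))

def parse_report(value):
    """Split a 'KEY:val;KEY:val;' style report (X-Forefront-Antispam-Report) into a dict."""
    return dict(item.split(":", 1) for item in value.split(";") if ":" in item)

def summarize(raw):
    fields = unfold_headers(raw)
    h = {name.lower(): value for name, value in fields}     # single-valued fields only
    hops = received_chain(fields)
    report = parse_report(h.get("x-forefront-antispam-report", ""))
    return {
        "auto_generated": h.get("auto-submitted") == "auto-generated",
        "generated_by": h.get("x-ms-exchange-generated-message-source"),
        "auth_as": h.get("x-ms-exchange-organization-authas"),
        "auth_mechanism": h.get("x-ms-exchange-organization-authmechanism"),
        "directionality": h.get("x-ms-exchange-organization-messagedirectionality"),
        "first_hop": hops[0]["from"] if hops else None,
        "hop_count": len(hops),
        "spf_verdict": report.get("SPF"),
        "parent_message_id": h.get("x-ms-exchange-parent-message-id"),
    }

def what_to_trace(summary):
    """Return the identifier a message trace should be searched for, or None."""
    # Assumption: a generated NDR's own Received chain describes the NDR itself;
    # the message that triggered it is the one referenced by the parent id.
    if summary["auto_generated"] and summary["parent_message_id"]:
        return summary["parent_message_id"]
    return None

if __name__ == "__main__":
    for key, val in summarize(SAMPLE_HEADERS).items():
        print(f"{key:>18}: {val}")
```

Run against the quoted header, the summary shows an auto-submitted message produced by the "Malware Agent", authenticated as Internal, directionality Originating, and an earliest hop of SmtpServer.Submit: all of that describes the NDR itself, which the service generated inside the tenant, not the path the original message took. The value worth putting into a message trace is therefore the parent message id rather than the NDR's own Message-ID.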

Hi ClintHall,

According to the undeliverable message you provided, you got a phishing attack. Someone else is using your email address to send emails containing malware. The fake senders are outside your company and they spoof a non-valid email address from your domain. For those SMTP email services, there is a possibility for others to phish your email account due to some personal information having leaked out. These emails will not be traced in the message trace report.

These emails containing malware are detected by Exchange Online anti-malware protection. If malware is detected in the message body, the entire message, including all attachments, will be deleted immediately. This action is applied to both inbound and outbound messages. The recipient will receive a notification message (if configured) like yours: "This message was created automatically by mail delivery software. Your email message was not delivered to the intended recipients because malware was detected."

Your understanding is highly appreciated.

Regards,
Yang

1 person found this reply helpful


Wouldn't my published SPF record for my domain signify my authorized mail servers so as to not allow another to spoof an account under my domain? Or are you saying they sent this message and then forged the return address and put mine in instead of the actual?

Anyone can spoof a domain and it's up to the receiving mail server to respect the SPF record or not. I just don't understand how this was caught by the outbound filter of my server. A spoofed domain message would simply be a non-delivery report as spam sent back to me from the receiver's mail server, not by my own, as it never should have been processed by my server at all.
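To make the SPF point concrete, here is an added Python example (mine, not from the thread or from Microsoft) of the check a receiving server performs: it evaluates a v=spf1 record against the connecting IP and then applies a local policy to the verdict. DNS lookups are replaced by a constructed in-memory table using RFC 5737 documentation addresses and an invented include target `_spf.mailprovider.example`; only the ip4, ip6, include and all mechanisms are implemented, which is enough to show that a "fail" verdict only becomes a rejection if the receiver chooses to enforce it.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. The addresses are RFC 5737
# documentation ranges and the include target is invented; none of this is a
# real provider's record.
SPF_RECORDS = {
    "example.com":               "v=spf1 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
    "lenient.example":           "v=spf1 ip4:192.0.2.0/24 ~all",
    # "nospf.example" deliberately publishes no record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, records, depth=0):
    """Evaluate domain's v=spf1 record for a connecting IP (subset of RFC 7208)."""
    if depth > 10:                              # RFC 7208 limit on nested lookups
        return "permerror"
    record = records.get(domain.lower())
    if record is None:
        return "none"                           # no record published
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                         # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]        # "all" always matches
        if mech in ("ip4", "ip6"):
            # an IPv4 address tested against an IPv6 network simply does not match
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include matches only when the referenced record yields "pass"
            if check_spf(arg, sender_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, ptr and exists need live DNS and are treated as non-matching here
    return "neutral"                            # no "all" term: default per RFC 7208

def should_reject(result, enforce_softfail=False):
    """Receiver-side policy: the SPF verdict is advice until the receiver acts on it."""
    if result == "fail":
        return True
    if result == "softfail" and enforce_softfail:
        return True
    return False

if __name__ == "__main__":
    # Constructed scenario: a message claiming to be from example.com arrives
    # from an address the domain owner never authorised.
    for sender, ip in (("example.com", "192.0.2.10"), ("example.com", "203.0.113.5")):
        verdict = check_spf(sender, ip, SPF_RECORDS)
        print(f"{sender} from {ip}: spf={verdict} reject={should_reject(verdict)}")
```

The domain owner's record with `-all` is what makes the spoof fail; whether that failure turns into a bounce, a spam-folder delivery, or nothing at all is decided entirely by `should_reject` on the receiving side, which is the point made in the post above.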


Hi Clint

As you mentioned, it is correct that a spoofed domain message would be a non-delivery report as spam sent back to you from the receiver's mail server.
According to the header you provided (Received: from SmtpServer.Submit by BY2PR06MB1878 with Microsoft SMTP Server id 15.1.286.20; Thu, 8 Oct 2015 17:55:53 +0000), the message was first sent from SmtpServer.Submit, so I would like to know whether you have set up an SMTP relay. If yes, which kind of SMTP relay mentioned in the following link do you use?

How to set up a multifunction device or application to send email using Office 365?

Regarding the message below:

Subject: Re: unpaid windstream.net invoice

Sender: [Removed by moderator]

Time received: 10/8/2015 5:55:52 PM

Message ID: <*** Email address is removed for privacy ***>

Detections found:

invoice_cam.doc              W32/Upatre.BL.gen!Eldorado

it doesn't seem to be part of the bounced-back message from the postmaster. Therefore, can you let us know where you got this?

Thanks,
Gary Zhu


Hi Clint,

Have you checked the information above? Got any updates on the issue?

Thanks,
Gary Zhu

Question Info

Last updated April 16, 2024. Views: 16,283.