Virus or SPAM?????

nucince (New Member, joined Apr 10, 2008)
I'm looking for advice on the following:

I am receiving large amounts of NDR messages, mainly from .ru sites, to our [email protected]

I have run a full AV scan on the PC and turned off System Restore.
Is this SPAM from outside our network, or virus activity from within our network?
I have also checked the Exchange logs; it is not going through the Exchange server, or through our own relay server (headers and footers).

I have attached the header from the mail below.
I have replaced the domain name with ourdomain.





This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

[email protected]

----- Original message -----

Received: by 10.142.144.16 with SMTP id r16mr2500993wfd.195.1207581718916;
Mon, 07 Apr 2008 08:21:58 -0700 (PDT)
Return-Path: <[email protected]>
Received: from 121.27.52.50 ([121.27.52.50])
by mx.google.com with ESMTP id 32si15177520wri.0.2008.04.07.08.21.57;
Mon, 07 Apr 2008 08:21:58 -0700 (PDT)
Received-SPF: neutral (google.com: 121.27.52.50 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=121.27.52.50;
Authentication-Results: mx.google.com; spf=neutral (google.com: 121.27.52.50 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Message-ID: <000701c898c3$07db3356$c64fa9ac@nyfvjhxq>
From: "Cartier Replica" <[email protected]>
To: "Replica Watches" <[email protected]>
Subject: Sharp, professional and honest
Date: Mon, 07 Apr 2008 13:34:22 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0004_01C898C3.07D8269B"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

This is a multi-part message in MIME format.

------=_NextPart_000_0004_01C898C3.07D8269B
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

NEW WATCH SHOP!
The time is NOW to get YOUR replica watches that are famous around the =
world.=20

----- Message truncated -----




 
I have the same problem. I used to get 3 or so messages from them a day; now it's about 30 every hour, and some of them show from me to me (my mail details appear as the sender, so I cannot block the sender).
Please give me advice on this. I'm not a technical expert and Telkom doesn't give me support either.
Thanks

Here's one of them:

*************
Return-Path: <[email protected]>
Delivered-To: telkomsa_net-xxxxxxtelkomsa.net
Received: (qmail 4234 invoked from network); 18 Apr 2008 06:32:09 -0000
Received: from unknown (HELO ppp-124-121-149-41.revip2.asianet.co.th) ([124.121.149.41])
(envelope-sender <[email protected]>)
by O (qmail-ldap-1.03) with SMTP
for <[email protected]>; 18 Apr 2008 06:32:08 -0000
Message-ID: <001901c8a08f$8f432950$002bf314@amity2b9239777>
From: "Karen Gamble" <[email protected]>
To: "xxxxxx" <[email protected]>
Subject: I do not want to buy their shops unknown in the stores?
Date: Thu, 17 Apr 2008 13:33:02 +0430
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0016_01C8A08F.8F432950"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2963
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2963
 
This is usually referred to as back-scatter or a Joe job, and it is a result of the ease with which you can forge the from address in an email. In order to stop this you need to implement SPF on your domain.

If it is your own domain then this should be easy. If you are using an ISP's domain (i.e. telkomsa) then you will have to appeal to the postmasters to implement it on their domain.

There are already a number of big domains, including Gmail and the local banks, that have SPF implemented. It really makes a huge difference to the amount of back-scatter you receive. I haven't had a forged delivery failure on my domains for about a year now.
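To make the reasoning in the answer above concrete, here is a small Python script added for this page (it is not code from the thread or from any of the posters). It parses a bounce like the one quoted in the first post, pulls out the IP that handed the original message to the receiving MX, and evaluates that IP against an SPF record the domain owner would publish. The sample headers, the domain `ourdomain.example` and the SPF record `v=spf1 ip4:203.0.113.0/24 -all` (an assumed range for the organisation's own mail servers) are constructed for the example; the client IP 121.27.52.50 is the one shown in the quoted header. The evaluator only understands `ip4:`, `ip6:` and `all`, so it runs offline; real records with `include:`, `a` or `mx` need DNS.

```python
"""Classify a bounce as likely backscatter (a Joe job) by checking the
originating IP of the embedded message against the sender domain's SPF policy."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed sample modelled on the NDR quoted in the thread.
# "ourdomain.example" stands in for the poster's real domain.
SAMPLE_BOUNCE = """\
Return-Path: <sales@ourdomain.example>
Received: from 121.27.52.50 ([121.27.52.50])
        by mx.google.com with ESMTP id 32si15177520wri.0.2008.04.07.08.21.57;
        Mon, 07 Apr 2008 08:21:58 -0700 (PDT)
Received-SPF: neutral (google.com: 121.27.52.50 is neither permitted nor denied by best guess record for domain of sales@ourdomain.example) client-ip=121.27.52.50;
From: "Cartier Replica" <sales@ourdomain.example>
To: "Replica Watches" <victim@example.net>
Subject: Sharp, professional and honest

NEW WATCH SHOP!
"""

# Assumed policy: only 203.0.113.0/24 may send for the domain; everything else hard-fails.
OUR_SPF = "v=spf1 ip4:203.0.113.0/24 -all"

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def originating_ip(raw_message: str) -> Optional[str]:
    """IP of the host that first handed the message to a receiving MX.
    Each hop prepends its own Received header, so the last one is the earliest hop."""
    received = message_from_string(raw_message).get_all("Received") or []
    for value in reversed(received):
        match = IP_IN_BRACKETS.search(value)
        if match:
            return match.group(1)
    return None


def envelope_sender_domain(raw_message: str) -> Optional[str]:
    """Domain of the Return-Path, i.e. the (forged) envelope sender the bounce went to."""
    addr = parseaddr(message_from_string(raw_message).get("Return-Path", ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def evaluate_spf(record: str, client_ip: str) -> str:
    """Minimal SPF check for records made of ip4:/ip6: mechanisms and 'all'.
    Returns pass, fail, softfail, neutral, or none (no usable record)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # nothing published: a receiver cannot judge the sender
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # Address-family mismatch simply does not match (returns False).
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism {name!r} needs DNS and is not supported here")
    return "neutral"  # no mechanism matched and no 'all' term


def classify_bounce(raw_message: str, spf_record: str) -> dict:
    """Decide whether a bounce is backscatter from a forged sender or a real leak from our hosts."""
    ip = originating_ip(raw_message)
    result = evaluate_spf(spf_record, ip) if ip else "none"
    if result == "pass":
        verdict = "sent by one of our own hosts: investigate that host"
    elif result in ("fail", "softfail"):
        verdict = "backscatter"
    else:
        verdict = "unknown: publish SPF so receivers can reject forgeries"
    return {"client_ip": ip, "envelope_domain": envelope_sender_domain(raw_message),
            "spf": result, "verdict": verdict}


if __name__ == "__main__":
    for key, value in classify_bounce(SAMPLE_BOUNCE, OUR_SPF).items():
        print(f"{key}: {value}")
```

With the `-all` record published, a receiver that checks SPF would have rejected 121.27.52.50 at SMTP time instead of accepting the message and bouncing it to the forged Return-Path, which is why the answer above reports that backscatter drops once SPF is in place; the first post's Received-SPF line shows "neutral" precisely because no record existed and Google had to guess. A "pass" from this check is the one outcome that does point back at the organisation's own network and deserves the AV-and-logs investigation the first poster started with.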
 