Receiving thousands of System Administrator messages in e-mail

We run SBS 2003 R2 with 5 clients and in the last 24 hours, one of our e-mail
clients in being swamped with thousands (47,000++ in the last 24 hours) of
messages purporting to come from the System Administrator.

The messages read;
"Your message did not reach some or all of the intended recipients.
Subject: Mondo BancoPosta ti premia con un bonus di fedelta di 250Ð? !
Sent: 25/03/2008 10:21
The following recipient(s) could not be reached:

tielgari@tim.it on 26/03/2008 10:32
There was a SMTP communication problem with the recipient's email server.
Please contact your system administrator.
<jbassociates.uk.com #5.5.0 smtp;550 Invalid recipient: <tielgari@tim.it>> "

My question is how do we stop this mass e-mail attack? And how do we
prevent a reoccurance?

Jason
Wed Mar 26 05:08:01 PDT 2008

Sounds like someone is exploiting your exchange server relay.

First check your email Queues and I bet there are loads of emails there.
First thing I'd do while you invistigate is disable outbound mail from the Q
tab and get to work on fixing the problem:

The following link should help. Good luck.

"How to block open SMTP relaying and clean up Exchange Server SMTP queues in
Windows Small Business Server"

http://support.microsoft.com/kb/324958

"John Blackwell" wrote:

> We run SBS 2003 R2 with 5 clients and in the last 24 hours, one of our e-mail
> clients in being swamped with thousands (47,000++ in the last 24 hours) of
> messages purporting to come from the System Administrator.
>
> The messages read;
> "Your message did not reach some or all of the intended recipients.
> Subject: Mondo BancoPosta ti premia con un bonus di fedelta di 250Ð? !
> Sent: 25/03/2008 10:21
> The following recipient(s) could not be reached:
>
> tielgari@tim.it on 26/03/2008 10:32
> There was a SMTP communication problem with the recipient's email server.
> Please contact your system administrator.
> <jbassociates.uk.com #5.5.0 smtp;550 Invalid recipient: <tielgari@tim.it>> "
>
> My question is how do we stop this mass e-mail attack? And how do we
> prevent a reoccurance?

Brian
Wed Mar 26 05:16:45 PDT 2008

"John Blackwell" <JohnBlackwell@discussions.microsoft.com> wrote in message
news:F4A409F7-6289-4B8B-AABF-55A3CD279CD8@microsoft.com...
> We run SBS 2003 R2 with 5 clients and in the last 24 hours, one of our
> e-mail
> clients in being swamped with thousands (47,000++ in the last 24 hours) of
> messages purporting to come from the System Administrator.
>
> The messages read;
> "Your message did not reach some or all of the intended recipients.
> Subject: Mondo BancoPosta ti premia con un bonus di fedelta di 250? !
> Sent: 25/03/2008 10:21
> The following recipient(s) could not be reached:
>
> tielgari@tim.it on 26/03/2008 10:32
> There was a SMTP communication problem with the recipient's email server.
> Please contact your system administrator.
> <jbassociates.uk.com #5.5.0 smtp;550 Invalid recipient:
> <tielgari@tim.it>> "

I assume that your client hasn't sent out the emails that couldn't be
delivered? On that assumption then these emails are delivery failures for
spams that some low life has sent out, providing the email address of your
customer as the return address. In which case there is nothing you can do to
prevent the external servers from generating these messages.

> My question is how do we stop this mass e-mail attack? And how do we
> prevent a reoccurance?

It may feel like an email attack, but that was probably not the intention of
the spammer. (Although 47000+ is an awful lot of NDRs to be sent to one
server - which just goes to show how stupid and annoying spammers are.)

I assume that there is a real email account for the recipient of the NDRs?
(I suppose there must be or you wouldn't be aware of them.) All I can
suggest is that you set up a rule in outlook to delete the NDRs as they come
in (or direct them to a folder). Not ideal, but that's what I do.
Unfortunately different email systems generate different format NDRs so you
may end up a rule that has to cover many different types of NDR. If you come
up with a better solution then please post back.
--
Brian Cryer
www.cryer.co.uk/brian

Jason
Wed Mar 26 06:02:01 PDT 2008

Brian this is showing the characteristics of open relay abuse / NDR attack. I
say this becuase it happened to me not so long ago. The NDA's are a common
sign of this.

From memory here is how it works:

Spammer sends 10,000 emails to a bad addresses at your company, i.e.
abcd@yourcompany.com.

Spammer configures the spam email to fool your exchange server into thinking
the sender is joeblogs@yahoo.com (joeblogs@yahoo.com is actually the intended
target of the spam). Your exchange server says "abcd is not a valid address"
so sends the NDR to the sender which of course is actually the target address
joeblogs@yahoo.com. The NDR comes from you but ironically carries the
original spam message so the spammer gets his spam to joeblogs@yahoo.com by
tricking your exchange server. This I suspect is why you are seeing all
these NDR's.

In addition to what I said above, I forgot to mention that you should also
rule out your clients. Again you should look in your exchange Q to see the
emails being generated. You can try to kill them but it will be like
emptying water from a sinking ship. YOu should actually be able to see the
emails building in the Q.

Switch off each client indifidually and see if any of them are generating
the emails. Switch one off, check the Q, and do the same with all others.
Again this is somehting that happened to me and one of the clients was
running some kind of trojan that was acting as a mail server.



"Brian Cryer" wrote:

> "John Blackwell" <JohnBlackwell@discussions.microsoft.com> wrote in message
> news:F4A409F7-6289-4B8B-AABF-55A3CD279CD8@microsoft.com...
> > We run SBS 2003 R2 with 5 clients and in the last 24 hours, one of our
> > e-mail
> > clients in being swamped with thousands (47,000++ in the last 24 hours) of
> > messages purporting to come from the System Administrator.
> >
> > The messages read;
> > "Your message did not reach some or all of the intended recipients.
> > Subject: Mondo BancoPosta ti premia con un bonus di fedelta di 250? !
> > Sent: 25/03/2008 10:21
> > The following recipient(s) could not be reached:
> >
> > tielgari@tim.it on 26/03/2008 10:32
> > There was a SMTP communication problem with the recipient's email server.
> > Please contact your system administrator.
> > <jbassociates.uk.com #5.5.0 smtp;550 Invalid recipient:
> > <tielgari@tim.it>> "
>
> I assume that your client hasn't sent out the emails that couldn't be
> delivered? On that assumption then these emails are delivery failures for
> spams that some low life has sent out, providing the email address of your
> customer as the return address. In which case there is nothing you can do to
> prevent the external servers from generating these messages.
>
> > My question is how do we stop this mass e-mail attack? And how do we
> > prevent a reoccurance?
>
> It may feel like an email attack, but that was probably not the intention of
> the spammer. (Although 47000+ is an awful lot of NDRs to be sent to one
> server - which just goes to show how stupid and annoying spammers are.)
>
> I assume that there is a real email account for the recipient of the NDRs?
> (I suppose there must be or you wouldn't be aware of them.) All I can
> suggest is that you set up a rule in outlook to delete the NDRs as they come
> in (or direct them to a folder). Not ideal, but that's what I do.
> Unfortunately different email systems generate different format NDRs so you
> may end up a rule that has to cover many different types of NDR. If you come
> up with a better solution then please post back.
> --
> Brian Cryer
> www.cryer.co.uk/brian
>
>
>
>

Jason
Wed Mar 26 06:04:01 PDT 2008

Sorry Brian I mis-read your reply however you CAN stop the NDR's. You need to
configure your exchange server so that the NDR is handled by the sender and
not your server.

"Brian Cryer" wrote:

> "John Blackwell" <JohnBlackwell@discussions.microsoft.com> wrote in message
> news:F4A409F7-6289-4B8B-AABF-55A3CD279CD8@microsoft.com...
> > We run SBS 2003 R2 with 5 clients and in the last 24 hours, one of our
> > e-mail
> > clients in being swamped with thousands (47,000++ in the last 24 hours) of
> > messages purporting to come from the System Administrator.
> >
> > The messages read;
> > "Your message did not reach some or all of the intended recipients.
> > Subject: Mondo BancoPosta ti premia con un bonus di fedelta di 250? !
> > Sent: 25/03/2008 10:21
> > The following recipient(s) could not be reached:
> >
> > tielgari@tim.it on 26/03/2008 10:32
> > There was a SMTP communication problem with the recipient's email server.
> > Please contact your system administrator.
> > <jbassociates.uk.com #5.5.0 smtp;550 Invalid recipient:
> > <tielgari@tim.it>> "
>
> I assume that your client hasn't sent out the emails that couldn't be
> delivered? On that assumption then these emails are delivery failures for
> spams that some low life has sent out, providing the email address of your
> customer as the return address. In which case there is nothing you can do to
> prevent the external servers from generating these messages.
>
> > My question is how do we stop this mass e-mail attack? And how do we
> > prevent a reoccurance?
>
> It may feel like an email attack, but that was probably not the intention of
> the spammer. (Although 47000+ is an awful lot of NDRs to be sent to one
> server - which just goes to show how stupid and annoying spammers are.)
>
> I assume that there is a real email account for the recipient of the NDRs?
> (I suppose there must be or you wouldn't be aware of them.) All I can
> suggest is that you set up a rule in outlook to delete the NDRs as they come
> in (or direct them to a folder). Not ideal, but that's what I do.
> Unfortunately different email systems generate different format NDRs so you
> may end up a rule that has to cover many different types of NDR. If you come
> up with a better solution then please post back.
> --
> Brian Cryer
> www.cryer.co.uk/brian
>
>
>
>

Jim
Wed Mar 26 06:27:09 PDT 2008

It could also be a spoof where someone is spam pretending to be you.
When they spam message is rejected you recieve a ndr. About once a
month I get a few calls from two accounts as their email address get
passed around as spoof addresses. There is nothing wrong with their
servers. I do these clicks in the following post to keep my servers
relatively free from spam.
http://msmvps.com/blogs/bgb/archive/2008/02/23/exchange-connection-filter-using-a-real-time-block-list-and-imfperfmon-msc.aspx

On Wed, 26 Mar 2008 05:08:01 -0700, Jason
<Jason@discussions.microsoft.com> wrote:

>Sounds like someone is exploiting your exchange server relay.
>
>First check your email Queues and I bet there are loads of emails there.
>First thing I'd do while you invistigate is disable outbound mail from the Q
>tab and get to work on fixing the problem:
>
>The following link should help. Good luck.
>
>"How to block open SMTP relaying and clean up Exchange Server SMTP queues in
>Windows Small Business Server"
>
>http://support.microsoft.com/kb/324958
>
>"John Blackwell" wrote:
>
>> We run SBS 2003 R2 with 5 clients and in the last 24 hours, one of our e-mail
>> clients in being swamped with thousands (47,000++ in the last 24 hours) of
>> messages purporting to come from the System Administrator.
>>
>> The messages read;
>> "Your message did not reach some or all of the intended recipients.
>> Subject: Mondo BancoPosta ti premia con un bonus di fedelta di 250? !
>> Sent: 25/03/2008 10:21
>> The following recipient(s) could not be reached:
>>
>> tielgari@tim.it on 26/03/2008 10:32
>> There was a SMTP communication problem with the recipient's email server.
>> Please contact your system administrator.
>> <jbassociates.uk.com #5.5.0 smtp;550 Invalid recipient: <tielgari@tim.it>> "
>>
>> My question is how do we stop this mass e-mail attack? And how do we
>> prevent a reoccurance?
See what SBS support is working on
http://blogs.technet.com/sbs/default.aspx
Check your SBS with the SBS Best Practices Analyzer
http://blogs.technet.com/sbs/archive/tags/BPA/default.aspx

Brian
Wed Mar 26 07:33:09 PDT 2008

"Jason" <Jason@discussions.microsoft.com> wrote in message
news:41FC58BD-076E-4DFD-98F4-2D99C1467B98@microsoft.com...
> Brian this is showing the characteristics of open relay abuse / NDR
> attack. I
> say this becuase it happened to me not so long ago. The NDA's are a
> common
> sign of this.
>
> From memory here is how it works:
>
> Spammer sends 10,000 emails to a bad addresses at your company, i.e.
> abcd@yourcompany.com.
>
> Spammer configures the spam email to fool your exchange server into
> thinking
> the sender is joeblogs@yahoo.com (joeblogs@yahoo.com is actually the
> intended
> target of the spam). Your exchange server says "abcd is not a valid
> address"
> so sends the NDR to the sender which of course is actually the target
> address
> joeblogs@yahoo.com. The NDR comes from you but ironically carries the
> original spam message so the spammer gets his spam to joeblogs@yahoo.com
> by
> tricking your exchange server. This I suspect is why you are seeing all
> these NDR's.

Yes, I'm familiar with this. I think its generally known as a reverse-NDR
attack.

One of the normal symptoms of this are exchange delivery queues filled with
stuff to delivery. This in turn slows everything down because it clogs the
internet connection.

However, if the OP's server is being used to to deliver NDR spam then I
wouldn't expect him to see any non-delivery messages. If an NDR is NDR'd
(don't know if that happens but assuming it does) then ... ah, yes, I
suppose it would be delivered to "postmaster" which would then get a zillion
NDRs. Could be.

> In addition to what I said above, I forgot to mention that you should also
> rule out your clients. Again you should look in your exchange Q to see the
> emails being generated. You can try to kill them but it will be like
> emptying water from a sinking ship. YOu should actually be able to see
> the
> emails building in the Q.
>
> Switch off each client indifidually and see if any of them are generating
> the emails. Switch one off, check the Q, and do the same with all others.
> Again this is somehting that happened to me and one of the clients was
> running some kind of trojan that was acting as a mail server.

John, I think Jason is on to something with ruling out RNDR, open relay and
the possibility that one of the pcs on your network are compromised.
--
Brian Cryer
www.cryer.co.uk/brian

Brian
Wed Mar 26 07:37:03 PDT 2008

"Jason" <Jason@discussions.microsoft.com> wrote in message
news:15346AF5-F0E8-44A2-957C-7E84C8D1072B@microsoft.com...
> Sorry Brian I mis-read your reply however you CAN stop the NDR's. You need
> to
> configure your exchange server so that the NDR is handled by the sender
> and
> not your server.

No worries. Your points are good and sound.

If the OP is subject to a reverse-NDR attack (as you've suggested) then the
following resources should help:

http://support.microsoft.com/kb/886208/en-us
http://www.cryer.co.uk/brian/msexchange/exch_disable_ndrs.htm
--
Brian Cryer
www.cryer.co.uk/brian

catphishum
Wed Mar 26 08:45:05 PDT 2008

I'm having the same issue on my account, SBS R2, Premium, Exchange
SP2.

All the subject lines of the NDRs are clearly spam, but I haven't sent
any, and there are none in the outbox, message tracking center, etc.
I'm checking for viruses and spyware now, but results are coming up
clean. I think it is a spoof as mentioned below, but am checking the
articles listed to make sure the bases are covered.

My queues are clean as a whistle. The server is acting okay, but I
did get this message after enabling logging on the SMTP protocol...

Never heard of this person "candy". I'm sure she is very sweet. I
looked up the evt on eventid.net, but it didn't give me a whole lot.

Additionally, I temporarily followed - http://www.vladville.com/articles/dis=
ablendr.asp
to disable the NDRs i was getting. This has stopped them, but that
doesn't mean they aren't still trying to use my addy...

__________________________________________________________
Event Type: Error
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 7010
Date: 3/26/2008
Time: 10:16:41 AM
User: N/A
Computer: CUSECSBS
Description:
This is an SMTP protocol log for virtual server ID 1, connection #1.
The client at "118.169.199.49" sent a "rcpt" command, and the SMTP
server responded with "550 5.7.1 Unable to relay for
candy59839@yahoo.com.tw ". The full command sent was "rcpt
to:<candy59839@yahoo.com.tw>". This will probably cause the
connection to fail.
_________________________________________________________



On Mar 26, 5:37 am, John Blackwell
<JohnBlackw...@discussions.microsoft.com> wrote:
> We run SBS 2003 R2 with 5 clients and in the last 24 hours, one of our e-m=
ail
> clients in being swamped with thousands (47,000++ in the last 24 hours) of=

> messages purporting to come from the System Administrator.
>
> The messages read;
> "Your message did not reach some or all of the intended recipients.
> Subject: Mondo BancoPosta ti premia con un bonus di fedelta di 250=D0=82 !=

> Sent: 25/03/2008 10:21
> The following recipient(s) could not be reached:
>
> tielg...@tim.it on 26/03/2008 10:32
> There was a SMTP communication problem with the recipient's email server=
.
> Please contact your system administrator.
> <jbassociates.uk.com #5.5.0 smtp;550 Invalid recipient: <tielg...@tim.it=
>> "
>
> My question is how do we stop this mass e-mail attack? And how do we
> prevent a reoccurance?

catphishum
Wed Mar 26 08:59:02 PDT 2008

In Addition - one of the NDRs generated an outofoffice reply. here
are the internet headers from that message -
I changed my domain on this so spammers will maybe not get me even
more
______________


Microsoft Mail Internet Headers Version 2.0
Received: from k125.smtproutes.com ([208.70.91.125]) by
myrealdomain.org with Microsoft SMTPSVC(6.0.3790.1830);
Wed, 26 Mar 2008 10:01:51 -0500
X-Katharion-ID: 1206543710.1404.k125 (1.5)
Received: from mail04.unet.nl ([84.53.82.13])
by k125.smtproutes.com ([192.168.1.125])
with ESMTP via TCP; 26 Mar 2008 15:01:43 -0000
Received: from domportia.office.unet.nl (alm-sara-fw01.unet.nl
[82.148.221.98])
by mail04.unet.nl (Postfix) with ESMTP id 51D2658312F
for <bblake@myrealdomain.org>; Wed, 26 Mar 2008 16:01:42 +0100 (CET)
Subject: Lucas Kuiphof is out of the office.
From: Lucas Kuiphof <lkuiphof@ihatespam_unet.nl>
To: "amory truc" <bblake@myrealdomain.org>
Message-ID: <OF8C9D042A.C30CF19B-ONC1257418.00528D12-
C1257418.00528D12@office.unet.nl>
Date: Wed, 26 Mar 2008 16:01:40 +0100
X-MIMETrack: Serialize by Router on portia/UNET(Release 7.0.1|January
17, 2006) at 26-03-2008
16:01:41
MIME-Version: 1.0
Content-type: text/html; charset=3DUS-ASCII
Content-Disposition: inline
Return-Path: lkuiphof@unet.nl
X-OriginalArrivalTime: 26 Mar 2008 15:01:51.0458 (UTC)
FILETIME=3D[5284BC20:01C88F52]



On Mar 26, 10:45 am, catphishum <catphis...@gmail.com> wrote:
> I'm having the same issue on my account, SBS R2, Premium, Exchange
> SP2.
>
> All the subject lines of the NDRs are clearly spam, but I haven't sent
> any, and there are none in the outbox, message tracking center, etc.
> I'm checking for viruses and spyware now, but results are coming up
> clean. I think it is a spoof as mentioned below, but am checking the
> articles listed to make sure the bases are covered.
>
> My queues are clean as a whistle. The server is acting okay, but I
> did get this message after enabling logging on the SMTP protocol...
>
> Never heard of this person "candy". I'm sure she is very sweet. I
> looked up the evt on eventid.net, but it didn't give me a whole lot.
>
> Additionally, I temporarily followed -http://www.vladville.com/articles/di=
sablendr.asp
> to disable the NDRs i was getting. This has stopped them, but that
> doesn't mean they aren't still trying to use my addy...
>
> __________________________________________________________
> Event Type: Error
> Event Source: MSExchangeTransport
> Event Category: SMTP Protocol
> Event ID: 7010
> Date: 3/26/2008
> Time: 10:16:41 AM
> User: N/A
> Computer: CUSECSBS
> Description:
> This is an SMTP protocol log for virtual server ID 1, connection #1.
> The client at "118.169.199.49" sent a "rcpt" command, and the SMTP
> server responded with "550 5.7.1 Unable to relay for
> candy59...@yahoo.com.tw ". The full command sent was "rcpt
> to:<candy59...@yahoo.com.tw>". This will probably cause the
> connection to fail.
> _________________________________________________________
>
> On Mar 26, 5:37 am, John Blackwell
>
> <JohnBlackw...@discussions.microsoft.com> wrote:
> > We run SBS 2003 R2 with 5 clients and in the last 24 hours, one of our e=
-mail
> > clients in being swamped with thousands (47,000++ in the last 24 hours) =
of
> > messages purporting to come from the System Administrator.
>
> > The messages read;
> > "Your message did not reach some or all of the intended recipients.
> > Subject: Mondo BancoPosta ti premia con un bonus di fedelta di 250=D0=82=
!
> > Sent: 25/03/2008 10:21
> > The following recipient(s) could not be reached:
>
> > tielg...@tim.it on 26/03/2008 10:32
> > There was a SMTP communication problem with the recipient's email serv=
er.
> > Please contact your system administrator.
> > <jbassociates.uk.com #5.5.0 smtp;550 Invalid recipient: <tielg...@tim.=
it>> "
>
> > My question is how do we stop this mass e-mail attack? And how do we
> > prevent a reoccurance?

Brian
Wed Mar 26 09:18:59 PDT 2008

"catphishum" <catphishum@gmail.com> wrote in message
news:00acebe1-9413-4a32-8c78-fd12fbed5df2@m44g2000hsc.googlegroups.com...
<snip>
> Additionally, I temporarily followed -
> http://www.vladville.com/articles/disablendr.asp
> to disable the NDRs i was getting. This has stopped them, but that
> doesn't mean they aren't still trying to use my addy...

Personally I wouldn't disable NDRs. They are quite useful (normally anyway).
What I would do is to block emails from entering your exchange server for
which exchange would otherwise decide to generate an NDR. This pushes the
responsibility for generating the NDR back to the sending server and keeps
the spam out of your organisation.

For details see
http://www.cryer.co.uk/brian/msexchange/exch_disable_ndrs.htm or
http://support.microsoft.com/kb/886208/en-us.

However, if your queues are clean (so not clogged with NDRs awaiting
delivery) then it doesn't sound like this is the cause of your problems -
although strictly clogged delivery queues is a symptom, so a spammer could
be taking advanage of your server without the obvious symptom being visible.
--
Brian Cryer
www.cryer.co.uk/brian

catphishum
Wed Mar 26 10:15:37 PDT 2008

I did follow the two articles, and most of the steps were already in
place. The queues only have valid mails in them though, so i didn't
go through "clean them".

turned the NDRs back on in ESM and they have stopped showing up in the
inbox. I'm thinking it has to be a spoof. Everything else is acting
quite normally....

On Mar 26, 11:18 am, "Brian Cryer" <bri...@127.0.0.1.activesol.co.uk>
wrote:
> "catphishum" <catphis...@gmail.com> wrote in message
>
> news:00acebe1-9413-4a32-8c78-fd12fbed5df2@m44g2000hsc.googlegroups.com...
> <snip>
>
> > Additionally, I temporarily followed -
> >http://www.vladville.com/articles/disablendr.asp
> > to disable the NDRs i was getting. This has stopped them, but that
> > doesn't mean they aren't still trying to use my addy...
>
> Personally I wouldn't disable NDRs. They are quite useful (normally anyway).
> What I would do is to block emails from entering your exchange server for
> which exchange would otherwise decide to generate an NDR. This pushes the
> responsibility for generating the NDR back to the sending server and keeps
> the spam out of your organisation.
>
> For details seehttp://www.cryer.co.uk/brian/msexchange/exch_disable_ndrs.htmorhttp://support.microsoft.com/kb/886208/en-us.
>
> However, if your queues are clean (so not clogged with NDRs awaiting
> delivery) then it doesn't sound like this is the cause of your problems -
> although strictly clogged delivery queues is a symptom, so a spammer could
> be taking advanage of your server without the obvious symptom being visible.
> --
> Brian Cryerwww.cryer.co.uk/brian

catphishum
Thu Mar 27 08:44:36 PDT 2008

Here is another - I've taken out my address below so they don't bite
me again. This has got to be a spoof right?
-----------------------------------------------------------------------------------------------
his is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipient has been delayed:

lauri@aondenospam.com

Message will be retried for 2 more day(s)

----- Message header follows -----

Received: by 10.140.188.10 with SMTP id l10mr104638rvf.
6.1206541281096;
Wed, 26 Mar 2008 07:21:21 -0700 (PDT)
Return-Path: <bblake@nospamthisdude.org>
Received: from pd95b32dc.dip0.t-ipconnect.de (pd95b32dc.dip0.t-
ipconnect.de [217.91.50.220])
by mx.google.com with ESMTP id f36si9777252rvb.
4.2008.03.26.07.21.16;
Wed, 26 Mar 2008 07:21:21 -0700 (PDT)
Received-SPF: neutral (google.com: 217.91.50.220 is neither permitted
nor denied by best guess record for domain of
bblake@nospamthisdude.org) client-ip=217.91.50.220;
Authentication-Results: mx.google.com; spf=neutral (google.com:
217.91.50.220 is neither permitted nor denied by best guess record for
domain of bblake@nospamthisdude.org)
smtp.mail=bblake@nospamthisdude.org
Message-ID: <000701c88f4c$01a8b9c5$28614594@gbcvtlfh>
From: "filberte havivah" <bblake@nospamthisdude.org>
To: <lauri@aonde.com>
Subject: Gallery sexy songs Paris Hilton
Date: Wed, 26 Mar 2008 12:33:49 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0004_01C88F4C.01A355B7"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198