I spent some time this morning chasing down an odd problem. I got a call from one of my customers regarding a puzzling email issue. For at least a month, he’s had no luck sending email from Outlook. The send dialog would sit forever trying to deliver a stack of phantom messages (i.e. not from the Outbox) and eventually time out.
When he called on Friday, we decided to conference in his webhost and see what was going on at the SMTP server. The admin for his domain checked the logs and discovered that every five minutes, there were stacks of errors being generated from these phantom emails. All of the emails were going to the inbox for a former employee. Since the inbox on the server no longer exists, the SMTP server was rejecting the message.
I telnetted into the server just to see what it was running and found Exim 4.52. I’m by no means an expert on the inner workings of ESMTP, but I assumed at this point that since the email was destined for a local domain, Exim was smart enough to recognize that the message was undeliverable and rejected it upon receipt of the message header.
Outlook 2002, being not so smart (or too smart if you prefer), valiantly kept attempting delivery. The real email messages my client needed to send remained queued up behind this phantom traffic and never made it out the door.
After a short discussion, we decided to recreate the user account to collect this email traffic and see what happens. As soon as we did, the test message my customer sent me went through. We scheduled an appointment for this morning to figure out where the phantom traffic was coming from so that the problem could be properly fixed. No sense waiting for the inbox to fill up or something equally occurs.
I arrived onsite and gave Outlook a once over to see where the traffic might be coming from. Checking the mailbox we created on Friday, I saw stacks of return receipts that were delivered on Friday. I searched for the return address in Outlook and in the registry to see if there was some setting amiss. I found nothing unusual.
Return receipts to an email account that hasn’t existed in over three months made no sense to me at all. I wondered if the former employee (who left on not such good terms and who has a modicum of skills) might be spoofing messages or left behind some sort of spyware that was grabbing her boss’s email. It seemed far-fetched, but nothing else made sense.
When she left the company, I reloaded everything on the PC she used. I did a nuke and pave on Windows and performed a fresh installation of needed applications because the system had become so junked up by personal software and bootleg audio utilities. So I was pretty sure that her old computer wasn’t doing anything unexpected. We had also gone through the ritual of changing every password in the office at the time and I had performed a cursory review of their internal security too. Nevertheless, I double-checked the other PC in the front office just to be sure it was clean.
Looking back at my customer’s Outlook, I noticed his calendar was pretty full. I asked the receptionist how he entered his appointments because I knew that he didn’t do it himself. The receptionist showed me how she created the appointment in her own calendar and then forwarded it as an iCalendar attachment to the boss. Interestingly, the staff at this office love the return receipt feature in email and have it turned on by default in Outlook. They also have automatic approval of read receipts set in Outlook.
I went back to the afflicted Outlook desktop and reopened the calendar. I then changed the view to show a list of appointments instead of the default calendar format. Interestingly, I discovered a huge list of birthday, anniversary, and payday reminders on the calendar. All of them were set as recurring appointments and some of them weren’t even scheduled to start until 2015. Those that populated dates in this year’s calendar had start dates that predated the employee swap in the front office.
Very interesting indeed. I asked how important the reminders were and the staff told me they were redundant since the boss got verbal and email reminders from the receptionist anyway. They told me to delete the recurring appointments, which I gladly did. I’m sure that as each recurring appointment was scheduled automatically by Outlook, it generated the read receipts back to the old email address.
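For anyone doing the same cleanup after an employee leaves, here is an added example (not part of the original troubleshooting) that scans iCalendar text for recurring appointments tied to a retired mailbox. It assumes the old address appears in the `ORGANIZER` property of the forwarded items; the sample data and addresses are constructed.

```python
import re

# Constructed sample: two forwarded appointments in iCalendar (RFC 5545) form.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\n"
    "BEGIN:VEVENT\r\nSUMMARY:Payday reminder\r\n"
    "DTSTART:20150102T090000Z\r\nRRULE:FREQ=WEEKLY;INTERVAL=2\r\n"
    "ORGANIZER;CN=Former Employee:MAILTO:former.employee@exam\r\n"
    " ple.com\r\nEND:VEVENT\r\n"
    "BEGIN:VEVENT\r\nSUMMARY:Staff meeting\r\n"
    "DTSTART:20060301T100000Z\r\n"
    "ORGANIZER:mailto:receptionist@example.com\r\nEND:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

def unfold(text):
    """Undo RFC 5545 line folding: a line break followed by a space or tab."""
    return re.sub(r"\r?\n[ \t]", "", text)

def parse_events(text):
    """Return one dict per VEVENT, keyed by property name (parameters dropped)."""
    events, current = [], None
    for line in unfold(text).splitlines():
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current[name.split(";", 1)[0].upper()] = value
    return events

def stale_recurring(text, retired_addresses):
    """Recurring events (RRULE present) whose organizer mailbox is retired."""
    retired = {a.lower() for a in retired_addresses}
    hits = []
    for ev in parse_events(text):
        organizer = re.sub(r"(?i)^mailto:", "", ev.get("ORGANIZER", "")).lower()
        if "RRULE" in ev and organizer in retired:
            hits.append((ev.get("SUMMARY", ""), ev.get("DTSTART", ""), organizer))
    return hits

if __name__ == "__main__":
    print(stale_recurring(SAMPLE_ICS, ["former.employee@example.com"]))
```

The second sample event is skipped because it has no `RRULE`, so only recurring items pointing at the retired address are reported.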
I’m scheduled to go back Thursday, so I’ll know then if the outbound email flood has been stemmed. I’m pretty sure I’ll be celebrating success when I check.
The most fascinating part of this for me was learning that iCalendar exists. And only seven years after its inception! According to Wikipedia, Microsoft’s implementation is relatively stable as of Outlook 2002 and the standard has been implemented in a number of popular calendaring apps. There are also a few sites that let you publish your calendar online for free or you can do it yourself along with an RSS feed of upcoming events for news aggregators. Pretty darn spiffy.