My exchange server sending out spoofed emails

  • My exchange server sending out spoofed emails

    Good morning,

    My exchange server is sending out spoofed emails. I did not know this until I received an email from one of the blacklisting sites with the email attached to it.

    I've tracked this email in the exchange console message tracking center, but I was unable to figure out which computer/account the spoofed messages are originating from.

    I assume that the emails are spawning from malware and simply reimaging that particular machine will fix my problem?

    The exchange server is set up to not allow any relaying.

    Thanks for any and all help.

    Best regards,
    Mike

  • #2
    Re: My exchange server sending out spoofed emails

    Does the Message Tracking Center not show the sender?



    • #3
      Re: My exchange server sending out spoofed emails

      It shows the sender; however, it's spoofed. The sender shown is a completely different user/domain =(



      • #4
        Re: My exchange server sending out spoofed emails

        But does it show the sending IP address? It should show the client PC that connected to the Exchange server to send the message.
        Wesley David
        LinkedIn | Careers 2.0
        -------------------------------
        Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
        Vendor Neutral Certifications: CWNA
        Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
        Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



        • #5
          Re: My exchange server sending out spoofed emails

          Nothing on Exchange is going to show you the originating machine. Exchange simply doesn't record that information. Message tracking doesn't, nor do the headers.

          It is highly unusual for a spoof to go through Exchange; most of them are simply bounced off SMTP using authenticated relaying.

          First course of action I would do is ask all users to admit to responding to a phishing message, which is how it must be happening. Then force everyone to change their passwords.

          You could look through the web logs to see if OWA is being abused.
          EXINSIGHT from Bitrunes could show you real time traffic, but will not show you the actual messages being sent.

          Simon.
          --
          Simon Butler
          Exchange MVP

          Blog: http://blog.sembee.co.uk/
          More Exchange Content: http://exchange.sembee.info/
          Exchange Resources List: http://exbpa.com/
          In the UK? Hire me: http://www.sembee.co.uk/

          Sembee is a registered trademark, used here with permission.
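
A sketch of the web-log review suggested in #5, added here as an example and not written by anyone in this thread: it groups OWA requests in an IIS W3C log by authenticated user and lists accounts seen from many client IPs or sending many POSTs. The sample log, the `/owa` and `/exchange` path prefixes, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-10 03:01:11 10.0.0.5 POST /owa/ - 443 jsmith@example.test 203.0.113.7 Mozilla/5.0 200
2024-01-10 03:01:15 10.0.0.5 POST /owa/ - 443 jsmith@example.test 198.51.100.23 Mozilla/5.0 200
2024-01-10 03:01:19 10.0.0.5 POST /owa/ - 443 JSmith@example.test 192.0.2.44 Mozilla/5.0 200
2024-01-10 08:30:02 10.0.0.5 GET /owa/ - 443 mjones@example.test 10.0.0.21 Mozilla/5.0 200
2024-01-10 08:31:40 10.0.0.5 POST /owa/ - 443 mjones@example.test 10.0.0.21 Mozilla/5.0 200
2024-01-10 08:32:00 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 401
2024-01-10 08:33:00 10.0.0.5 POST /Microsoft-Server-ActiveSync - 443 mjones@example.test 10.0.0.21 Apple-iPhone 200
"""

OWA_PREFIXES = ("/owa", "/exchange")  # assumption: OWA virtual directories to match

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def owa_activity(text, prefixes=OWA_PREFIXES):
    """Per authenticated user: distinct client IPs and POST count on OWA paths."""
    stats = defaultdict(lambda: {"ips": set(), "posts": 0})
    for row in parse_w3c(text):
        user = row.get("cs-username", "-").lower()
        stem = row.get("cs-uri-stem", "").lower()
        if user == "-" or not stem.startswith(prefixes):
            continue  # anonymous request or not an OWA path
        stats[user]["ips"].add(row.get("c-ip"))
        if row.get("cs-method") == "POST":
            stats[user]["posts"] += 1
    return stats

def suspects(text, max_ips=2, max_posts=3):
    """Users whose OWA use exceeds either threshold (thresholds are assumptions)."""
    return sorted(u for u, s in owa_activity(text).items()
                  if len(s["ips"]) > max_ips or s["posts"] > max_posts)

if __name__ == "__main__":
    for user, s in sorted(owa_activity(SAMPLE_LOG).items()):
        print(user, sorted(s["ips"]), s["posts"])
    print("review:", suspects(SAMPLE_LOG))
```

Accounts it lists are candidates for the password reset described in #5; tune the thresholds to what normal use looks like on your server.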

