Could our mail server be used by an outsider?

We have a dedicated server hosted with an ISP. We are running MailEnable and have a software program written to send out emails. We also have our own email coming through this MailEnable server. However, one of our users has been receiving all kinds of emails concerning "Message Delivery Failure" and "Message Delivery Delay" (over 30 yesterday alone!). The problem is that she didn't send the emails. When I look at the contents of the message (from Postmaster), it shows the following contents on one:

MailEnable: Message Delivery Failure.

The following recipient(s) could not be reached:

      []: General Failure

Message contents follow:

Received: from Huufuljiq ([]) by with MailEnable ESMTP; Sat, 02 Oct 2004 04:00:14 -0400
From: RBocas <>
Subject: So cool a flash,enjoy it
MIME-Version: 1.0
Content-Type: multipart/alternative;
Message-ID: <>
Date: Sat, 02 Oct 2004 04:00:14 -0400

This looks to be a possible virus being sent from (which I've changed the name of), but our user is NOT she's and still receiving these messages???  Is this some kind of goofy virus that uses her name to send out bogus email messages???  If so, why does the FROM show someone else's email address?

Another example:

MailEnable: Message delivery has been delayed.

Message is waiting at for delivery to com.

Reason: Mail Server for could not be contacted at this time. MailEnable will keep trying to deliver this message and will notify you of any progress.

Message headers follow:
Received: from Hgy ([]) by with MailEnable ESMTP; Sat, 02 Oct 2004 05:28:27 -0400
From: renaissancecruise <>
Subject: A  WinXP patch
MIME-Version: 1.0
Content-Type: multipart/alternative;
Message-ID: <>
Date: Sat, 02 Oct 2004 05:28:27 -0400

Again, nowhere in this message is my user's name mentioned and she didn't send out any emails to these other people!!!
Any help/suggestions are greatly appreciated!!!
Sembee commented:
This is a classic worm. It is spoofing everything.
It is taking any domains found on the infected machine, then any email addresses on the machine and using them to create new From: and To: lines. It is also clever enough to adjust the "Received From" line to say the domain name. What gives it away as being spoofed is that it is "received from". A genuine email message will probably say something like "received from".

Therefore I don't think your email server is being used by an outsider, you are just seeing messages bounced by the other party for user unknown reasons. Not a lot you can do about those, other than get the user to delete them.
The original source is probably the same machine - someone with your user's email address on their system has got infected.
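
One way to triage bounces like the two quoted in the question, as an added example that is not part of the original thread: it reads the Received line embedded in the notice and reports, as a heuristic, whether the message was accepted by your own server and from which client. The server name `mail.example.org`, the network `192.0.2.0/24`, the verdict names and the sample bounce are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed values for illustration; substitute your own server name and networks.
OUR_MTA = "mail.example.org"
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Received line format as it appears in the MailEnable notices quoted above:
#   Received: from <HELO> ([<client ip>]) by <server> with MailEnable ESMTP; <date>
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[^\]]*)\]\)"
    r"\s+by\s+(?P<by>\S+)\s+with",
    re.IGNORECASE | re.MULTILINE,
)
MARKER_RE = re.compile(r"^Message (?:contents|headers) follow:[ \t]*$", re.MULTILINE)


def triage_bounce(bounce_text):
    """Classify the original message embedded in a delivery notice."""
    marker = MARKER_RE.search(bounce_text)
    m = marker and RECEIVED_RE.search(bounce_text, marker.end())
    if not m:
        return {"verdict": "unparsed"}
    try:
        client = ipaddress.ip_address(m.group("ip"))
    except ValueError:  # empty or malformed client address
        return {"verdict": "unparsed", "helo": m.group("helo")}
    if m.group("by").lower() != OUR_MTA:
        verdict = "backscatter"       # accepted by another server, not ours
    elif any(client in net for net in OUR_NETS):
        verdict = "internal-sender"   # one of our hosts submitted it: check that host
    else:
        verdict = "external-via-us"   # outside host used our server: review relay settings
    return {"verdict": verdict, "helo": m.group("helo"),
            "client_ip": str(client), "accepted_by": m.group("by")}


# Constructed sample notice; hostnames and addresses are documentation values.
SAMPLE = """MailEnable: Message Delivery Failure.

Message contents follow:

Received: from Huufuljiq ([203.0.113.77]) by mx.other.example with MailEnable ESMTP; Sat, 02 Oct 2004 04:00:14 -0400
From: RBocas <someone@other.example>
Subject: So cool a flash,enjoy it
"""

if __name__ == "__main__":
    print(triage_bounce(SAMPLE))
```

A run of "external-via-us" verdicts is the case that warrants checking the server's relay and authentication settings; "backscatter" means the spoofed message never passed through your server.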

Overthere (Author) commented:
That's sort of what I thought since it was only happening with the ONE email address. Her email would be saved in quite a few other users' address books, therefore a good chance of being used by a worm, etc.

Question has a verified solution.
