Hi i need some urgent help rgd false email send out

HI need help urgently

I have noticed (this is the second time ) that my server is sending legitimate but unintended mails (not originated by the person) to external as well as internal mailboxes.


An email send by our internal staff ‘ Serina’  to everyone in the office , the same email everyone receive again after few minutes but this time it shows Serina Tan (Send By John Smith)
And john smith is also our staff .

There is no information of 2nd email from serina ‘sent items’ as well as John smith ‘sent items’.

There is a panic in office bcoz all are afraid that some imp and confidential information email might be secretly send out from any mailbox with any ‘Send By’ name attached  , which is very bad.

ur early response will help me alot .


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

blackberrymsplAuthor Commented:
My domino and client ver is 6.5.4
Sjef BosmanGroupware ConsultantCommented:
Set up Message Tracking asap! Can you see, in the document properties of the mails received, what the origin of the message is?
blackberrymsplAuthor Commented:

i checked both Emails (actual by serina and 'Sent By' ) document properties

actual mail:FROM :- says "serina"

'Sent by ' : FROM :- says "john"

message tracking not ON at the moment , thinking  to on now
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

blackberrymsplAuthor Commented:
Sjef BosmanGroupware ConsultantCommented:
I'm sorry, I think this is a difficult case where one needs to have direct access to database/server/client. Long-distance debugging is too hard for me, I possibly cannot tell you where to begin... It could be any number of sources, even external programs on Serina's system that send a mail through Notes. I'd start with a thorough inspection of her system, ALL databases, ALL extension utilities and ALL programs installed. From the mail as well as from the Mail log in log.nsf you can tell the date/time the mail was sent away. Ask her what she can tell what she did at that time.

Best of luck...
HEy it might be a agent that might be running this and sending email. If john is sending the email, he has put the prinicipal field to have serina, Check who john is and what applications he owns.

I agree that it sounds like an agent running, but it could be the agent was signed by John and it's sitting on Serina's mail file, one way to get the sent by name to be different from the user's name.

Does John have a replica of Serina's mail file on his desktop?  Perhaps they monitor each other's mail when the other is out of the office?

So, check for two things:  A copy of Serina's mail file on John's desktop/workspace, and a private agent signed by John in Serina's mail file.

Next question, how is Serina sending her group mails?  is this direct from her mail file, or do you have a group mail database where these are initiated?
Also, if you can do a file>>database properties on Serina's file, click on the "I" tab and see if there is any user details and see if anyone other than serina is accessing the mail file.  Also, if you go to log.nsf on the server, the DATABASE >>Usage section you can look up serina's mail database and see a list of events and accesses, including back to back reads or writes.

Failing that, find the email id of the first sent message, trace it in log.nsf under mail routing events, and then see where the second one originated from.
blackberrymsplAuthor Commented:
thanks for ur reply.

there is no such thing 'agent' running on either of the databases .

i have checked access to serina file and could not find any thing fishy.

we have a group name (everyone ) which staff use to send mass emails.
BTW, if it's a private agent, you wouldn't see it unless you had constructed a private agent in the database.  

Please confirm these things, else we're all playing a guessing game here:

the Database Properties>>Usage section confirms that no other person has opened serina's mail file.
The log.nsf >>Database>> by usage, serinasmailfile.nsf confirms that one other person "wrote" documents in serina's mail file.
Neither databases have mail rules turned on that forwards or sends mail of a type to another place.

When you check the email properties for each of the emails, do they have the same or different document ID's?

Log.nsf>>confirms that serina sends a groups message to "group"  with a specific document id.  

Does the log.nsf confirm that the other user receives the message with the same message ID?
Does the log.nsf confirm that the other mail is sent separately from the other user?

Does this happen all the time when Serina sends an email to the group?  If so, then  your mail log events will show a long list of sent email from "serina" , and then another long list of sent emails from John.

You've really got to trace the email message ID's in the logs to see what is happening.

blackberrymsplAuthor Commented:
marilyng thanks for ur reply
my ans are in same order as questioned above.

I m the only admin here and serina doesn't know anything in notes except how to create mail so i can assure u that no such thing called 'agents' running and i have it in desginer as well as her pc.

Log.nsf under 'usage' serina mail file not used by anyone on 7 april when this incident occured.

acutal email has valid msg id , i can see under document property and the same msg id i can trace in log.nsf ,  send to around 100 over people , 1 by 1 name listed.
other email (false one) also showing exactly same msg id in log.nsf send 30 mins later to same 100 hundred over people but  this one i cannot find valid msg id under document property of that msg .
it confirms that there was no another email created, same msg send by someone else to everyone .

no thats 1st time happened with serina and 1st time occured iwth group email , previously only 1 user reproted this problem when found different name under her name meaning "send by'

My strong gut feel (conclusion)
Serina send mail to everyone with attachment , but the same mail when send by john no attachment was there and it says in bottom" attachment is deleted by john smith"

There might be lotus notes bug as i mentioned another link above from lotus.com/ldd

when someone send mail to 'everyone' with attachment and if somebody click on attachment and choose "save and del" and later try to come out of that mail , it prompt " save, send only , discard , canel"
if user accidently select "send only" it get through :(

this i heard from my friends also , not sure

what about virus ?can we suspect , i thot lotus notes address book no such virus issues like Ms outlook?
Bozzie4IT ArchitectCommented:
It's John that probably has an agent running, in his own mailfile.

This sounds like a "Before mail arrives" agent, because it will re-send the original mail.
Can you check that ?  Also verify if it's a user mailrule.  Ask John if he has had mailrules (maybe for testing?) and removed them without Disabling them.


I tend to agree that you've solved it yourself when John deleted the attachment, probably to save space, and then blew by the dialog that ended up sending it out again.  If John deleted the attachment in the second email, and there is no valid message ID in his sent email, then, you may have found a bug.

I've never seen this "bug" before, and the only way I have seen the "sent by" created by another user is by the second user emailing something from the first user's database. Or as Tom suggests, mail rules or an agent.

But, if you detach and save an attachment, and then press escape, you do get the "do you want to send and save, send only.. and a whole bunch of options, with the most unlikely one being "cancel"..."

I agree with you that the user didn't read far enough to the right, and selected one of the save and sends.

This is a far more plausible explanation.  Because users blow through dialog boxes all the time. :)

blackberrymsplAuthor Commented:
tom , thanks u got in picture finally
marilying thanks  once again

i have thoroughly checked there are no rules and agent defined on either of the databases.

i m sure John would not have opted "save and send" bcoz in that case i should be able to see mail in his sent items.

he might have choosen "send only" which is next to "save only"

i have informed lotus support about this weird problem

i 'd like to know from them whether its time arrived to upgrade to  6.5.5 in order to prevent such issues in future ? or 6.5.5 also not cover this issue.

blackberrymsplAuthor Commented:
Tom & Marilyng

something interesting and update for ur KB
see this ,after googling around i found this, something very close.

not necessary John clicked on "Send Only" even he clicked "save only" it will trigger mail to everyone (as per the above technote)

Sjef BosmanGroupware ConsultantCommented:
Do you indeed have these mail quota enabled on your mail? Then there should have been the message on the screen: "Unable to write to your mail file because it has exceeded the size threshold. You should delete messages, empty the trash and compact your mail file."

Maybe there are also other triggers for this problem, e.g. someone using someone else's database with a quotum set?
Agreed, that particular instance really says that the mail file should be at quota.  No, I really think this is a user error, much as "John" would like to blame notes, he deleted the attachment to save space, (Since you have that technical note: attachment deleted by "John") and then hit escape, when the message box came up asking for options, the one to "discard" is all the way over to the right, he didn't take time to click on that, but clicked on any of the others, which would have resent the message.

The fact that you have a "detachment deleted by John" note in the email means he opened it and did those actions.  Case solved.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
blackberrymsplAuthor Commented:
just making my point more clear.

In order to save mailbox space users does this thing(save & del) quite frequent which is correct , and by right after doing "save and delete" when  u click "save only" it should not trigger our mail again which is notes bug as clearly mentioned in above technote.

AS per the above technote i found , this issue is resolved in 6.5.5 mail template.

Serina might be almost reaching her mailbox quota while sending out the attachment on that day , and John may be did correctly to choose "save and del" and after that he click "save only" and that trigger out mail again to everyone.

there is another possibility that he might have choosen" send only" .

u r rite , case is closed , i shd close this question

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Lotus IBM

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.