Learn how to a build a cloud-first strategyRegister Now


Exchange System Manger, "Last Logged on By", and Spam.

Posted on 2006-06-06
Medium Priority
Last Modified: 2012-06-27
I am trying to see if I have something in my Exchange Server that is sending internal Spam. I keep getting junk messages that appear to be coming from inside my organization. I cannot add the sender to the blocked sender list because supposedly they are internal. Not many just one or two every week or so. While looking around inside the Exchange System Manager, more specifically: Exchange System Manager>Domain>Servers>First Storage Group>Mailbox Store (Server)>Mailboxes I have a table listing my users, who logged them in, mailbox size, etc. Most of the users are listed as being last logged in by themselves (Domain\User1, Domain\User2, etc.) However, one of them is being shown as last logged in by "NT Authority\System." What does that mean? I am asking for two reasons, 1) it is different from all the others and 2) it happens to be one of the addresses affected by the periodic spam. If I am barking up the wrong tree what else should I be looking at?

Thank You,
Question by:esingleton
  • 4
  • 3
LVL 104

Expert Comment

ID: 16846483
That "Last Logged on by" is useless. \system means that the server has used the mailbox. It logs in to every account. Look at the server first thing in the morning before everyone is in and you will see most mailboxes will have that value.

With spam that is coming "from" internal users, does the message have SMTP headers? If so, it has come from outside. Common spammers trick to use the same domain for both the From and To line.


Author Comment

ID: 16846655
I am new to excahnge and just learning my way around it. I am aware of the Same Domain trick but thought this might be different.

After poking around this is what I found:

Internet Header:
Microsoft Mail Internet Headers Version 2.0
Received: from mail pickup service by mail.domain.com with Microsoft SMTPSVC; Tue, 6 Jun 2006 16:00:37 -0400
thread-index: AcaJo+BcgbR/k2v1TA+cDubZn07iqw==
Return-Path: <faceless@bjdr.belpak.brest.by>
Envelope-to: user1@domain.com
Delivery-date: Tue, 06 Jun 2006 15:56:42 -0400
X-Originating-IP: by smtp.;  Tue, 06 Jun 2006 15:56:39 -0500
Message-ID: <000b01c689a3$e05cf1e0$0700a8c0@domain.net>
From: "Gabriela Hoskins" <user1@domain.com>
X-Mailer: Microsoft CDO for Exchange 2000
Reply-To: "Gabriela Hoskins" <user1@domain.com>
To: <user2@domain.com>,
Subject: Passed over again for that promotion, no Degree?
Date: Tue, 6 Jun 2006 16:00:36 -0400
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
X-OriginalArrivalTime: 06 Jun 2006 20:00:37.0178 (UTC) FILETIME=[E0DB49A0:01C689A3]

I do not know who Gabriella Hoskins is and I don't suppose it matters.
LVL 104

Expert Comment

ID: 16846808
The presence of headers means the message came via SMTP.
Do any of the IP addresses in the header belong to you?
Are you using SBS with a POP3 connector, or having email delivered directly by SMTP?

Transaction-level recovery for Oracle database

Veeam Explore for Oracle delivers low RTOs and RPOs with agentless transaction log backup and transaction-level recovery of Oracle databases. You can restore the database to a precise point in time, even to a specific transaction.


Author Comment

ID: 16852561
I do not recognize any of the IP addresses.

We are using SBS2003 with a POP3 Connector to retrieve mail.
LVL 104

Accepted Solution

Sembee earned 2000 total points
ID: 16853498
That explains the header content. It is coming in from outside, but the header content is being destroyed by the POP3 pickup.
Unfortunately as you are using POP3 connector your options are limited as the email has already been accepted. You might find that IMF will quarantine the message, but you probably need to look at investing in an antispam application that can deal with some of this stuff.

The IP addresses shown in the headers indicate... belongs to Flashcom Inc. belongs to Insight Communications Corp.


Author Comment

ID: 16853621

Thank you for your help. Are there any antispam applications that are designed for SBS2003 and Exchange? Any that you can recommend?
LVL 104

Expert Comment

ID: 16853677
Nothing specifically designed for SBS, because SBS is basically Exchange.

Recommending those types of applications is close to impossible, because each site gets different types of spam and also gets different types of email messages. I have one client who deal with financial products (loans, mortgages etc) and lots of home based brokers. So you get emails coming in from AOL and Hotmail accounts with loans and mortgages in the content. We couldn't find an antispam application that could cope and ended up getting an outsourced solution custom built.

Most of the antispam applications have a trial version. Get hold of them, but them in to report only mode and see what they come up with.
You could start with IMF, which is built in to Exchange 2003 SP2 (if you aren't on SP2 for Exchange, then get it installed). http://www.msexchange.org/tutorials/Intelligent-Message-Filter-version-2-IMF-v2.html

For applications, take a look at
GFI Mail Essentials
Sunbelt Software I Hate Spam (now called Ninja or something like that)
Vamsoft ORF

There are others, but those are the three I come across most often.


Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are you looking for the options available for exporting EDB files to PST? You may be confused as they are different in different Exchange versions. Here, I will discuss some options available.
With so many activities to perform, Exchange administrators are always busy in organizations. If everything, including Exchange Servers, Outlook clients, and Office 365 accounts work without any issues, they can sit and relax. But unfortunately, it…
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question