Exchange System Manager, "Last Logged on By", and Spam.

Posted on 2006-06-06
Last Modified: 2012-06-27
I am trying to see if I have something in my Exchange Server that is sending internal Spam. I keep getting junk messages that appear to be coming from inside my organization. I cannot add the sender to the blocked sender list because supposedly they are internal. Not many, just one or two every week or so. While looking around inside the Exchange System Manager, more specifically: Exchange System Manager>Domain>Servers>First Storage Group>Mailbox Store (Server)>Mailboxes, I have a table listing my users, who logged them in, mailbox size, etc. Most of the users are listed as being last logged in by themselves (Domain\User1, Domain\User2, etc.). However, one of them is being shown as last logged in by "NT Authority\System." What does that mean? I am asking for two reasons: 1) it is different from all the others and 2) it happens to be one of the addresses affected by the periodic spam. If I am barking up the wrong tree, what else should I be looking at?

Thank You,
Question by:esingleton

    Expert Comment

    That "Last Logged on by" is useless. \system means that the server has used the mailbox. It logs in to every account. Look at the server first thing in the morning before everyone is in and you will see most mailboxes will have that value.

    With spam that is coming "from" internal users, does the message have SMTP headers? If so, it has come from outside. It is a common spammer's trick to use the same domain for both the From and To lines.


    Author Comment

    I am new to Exchange and just learning my way around it. I am aware of the Same Domain trick but thought this might be different.

    After poking around this is what I found:

    Internet Header:
    Microsoft Mail Internet Headers Version 2.0
    Received: from mail pickup service by with Microsoft SMTPSVC; Tue, 6 Jun 2006 16:00:37 -0400
    thread-index: AcaJo+BcgbR/k2v1TA+cDubZn07iqw==
    Return-Path: <>
    Delivery-date: Tue, 06 Jun 2006 15:56:42 -0400
    X-Originating-IP: by smtp.;  Tue, 06 Jun 2006 15:56:39 -0500
    Message-ID: <000b01c689a3$e05cf1e0$>
    From: "Gabriela Hoskins" <>
    X-Mailer: Microsoft CDO for Exchange 2000
    Reply-To: "Gabriela Hoskins" <>
    To: <>,
    Subject: Passed over again for that promotion, no Degree?
    Date: Tue, 6 Jun 2006 16:00:36 -0400
    Content-Class: urn:content-classes:message
    Importance: normal
    Priority: normal
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
    X-OriginalArrivalTime: 06 Jun 2006 20:00:37.0178 (UTC) FILETIME=[E0DB49A0:01C689A3]

    I do not know who Gabriela Hoskins is and I don't suppose it matters.

    Expert Comment

    The presence of headers means the message came via SMTP.
    Do any of the IP addresses in the header belong to you?
    Are you using SBS with a POP3 connector, or having email delivered directly by SMTP?


    Author Comment

    I do not recognize any of the IP addresses.

    We are using SBS2003 with a POP3 Connector to retrieve mail.

    Accepted Solution

    That explains the header content. It is coming in from outside, but the header content is being destroyed by the POP3 pickup.
    Unfortunately as you are using POP3 connector your options are limited as the email has already been accepted. You might find that IMF will quarantine the message, but you probably need to look at investing in an antispam application that can deal with some of this stuff.

    The IP addresses shown in the headers indicate... belongs to Flashcom Inc. belongs to Insight Communications Corp.
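
The triage the expert describes above (does the message carry SMTP headers, and do any of the addresses in them belong to you), as an added Python example that is not part of the original thread. The network ranges, host names and sample headers are constructed assumptions.

```python
import email
import ipaddress
import re

# Assumption: ranges your organisation really uses; adjust to your network.
OUR_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample headers (documentation addresses, hypothetical host names).
SAMPLE = """\
Received: from mail pickup service by sbs.example.local with Microsoft SMTPSVC;
\tTue, 6 Jun 2006 16:00:37 -0400
Received: from unknown (HELO example.local) ([203.0.113.45])
\tby smtp.isp.example with SMTP; Tue, 06 Jun 2006 15:56:39 -0500
X-Originating-IP: [198.51.100.7]
From: "Some Sender" <user1@example.local>
To: <user2@example.local>
Subject: constructed test message

body
"""

IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def relay_ips(raw):
    """IPv4 addresses named in Received and X-Originating-IP headers."""
    msg = email.message_from_string(raw)
    found = []
    for name in ("Received", "X-Originating-IP"):
        for value in msg.get_all(name, []):
            for text in IPV4.findall(value):
                try:
                    found.append(ipaddress.ip_address(text))
                except ValueError:
                    pass  # looked like an address but is not one (e.g. 999.1.1.1)
    return found

def classify(raw):
    """Where did this message enter, judging only by its headers?"""
    if not email.message_from_string(raw).get_all("Received"):
        return "no-smtp-headers"          # never crossed SMTP: created inside Exchange
    ips = relay_ips(raw)
    if not ips:
        return "smtp-addresses-missing"   # headers stripped, e.g. by a POP3 pickup
    outside = [ip for ip in ips if not any(ip in net for net in OUR_NETWORKS)]
    return "external" if outside else "internal-relay-only"

if __name__ == "__main__":
    print(classify(SAMPLE), [str(ip) for ip in relay_ips(SAMPLE)])
```

Header lines added before the first server you control can be forged by the sender, so treat the verdict as triage and confirm against your own SMTP or connector logs.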


    Author Comment


    Thank you for your help. Are there any antispam applications that are designed for SBS2003 and Exchange? Any that you can recommend?

    Expert Comment

    Nothing specifically designed for SBS, because SBS is basically Exchange.

    Recommending those types of applications is close to impossible, because each site gets different types of spam and also gets different types of email messages. I have one client who deals with financial products (loans, mortgages etc) and lots of home based brokers. So you get emails coming in from AOL and Hotmail accounts with loans and mortgages in the content. We couldn't find an antispam application that could cope and ended up getting an outsourced solution custom built.

    Most of the antispam applications have a trial version. Get hold of them, put them into report-only mode and see what they come up with.
    You could start with IMF, which is built in to Exchange 2003 SP2 (if you aren't on SP2 for Exchange, then get it installed).

    For applications, take a look at
    GFI Mail Essentials
    Sunbelt Software I Hate Spam (now called Ninja or something like that)
    Vamsoft ORF

    There are others, but those are the three I come across most often.

