There was a horror movie some years ago in which a babysitter was being threatened over the phone. When the police traced the call, it was coming from upstairs. Creepy.
Several people in our organization are receiving emails from various internal email addresses, some disabled, some non-existent. We do not have a Sales email account, yet we are receiving some from there. We have an info account, but it is disabled. We are also receiving some from an administrator account that has been renamed.
The virus is the classic W32.mytob.ML@mm
The problem is I have run a full scan on the Exchange server with 5/28/06 rev 4 defs. The earlier defs have been doing an awesome job picking up that same virus sent from the outside to one of the inside computers, so I am sure it should pick it up on the Exchange server. I deleted everything out of quarantine as well as checked the threat history and made sure everything was clear. I did not, however, see any services that may have been running per the web site above.
I ran a trace on the email, which was a waste of time because it only told me the date and time the message was "submitted to advanced queuing."
I also looked at the message header and it is coming from the server.
How can I find out where these messages originate, i.e. virus on the Exchange server, virus on someone else’s PC in the network, externally, etc.?