Exchange is forwarding junk messages to administrator group

I have a strange thing happening: whenever an email comes in for info, root, or even john doe, it gets sent to everyone in the built-in administrator group. Please help, I would like to get this to stop but don't know how.
If you have Exchange 2003 then always start with IMF. That will deal with a lot of content.
For third party tools, GFI Mail Essentials is quite effective. I also use Vamsoft ORF. It has a feature called greylisting which deals with an awful lot of spam. One site I look after drops 92% of all email with Vamsoft because it is spam.

did you check AD to see if any of these email addresses have any forwarding rule set up?
brady1408 (Author) commented:
I did, and they do not. The only distribution group that they are part of is the support distribution, so even then they shouldn't be receiving email for root or info.

Stacy Spear (President/Principal Consultant) commented:
Why not reject the messages sent from outside to those addresses. Not a final solution but achieves quick results.
Some version information would be nice.

Are you getting the actual messages or just the NDRs with the spam message attached?

brady1408 (Author) commented:
Good questions, thanks. The version is 6.5.6944.0, Exchange Server 2003 with the latest service packs to my knowledge, and I'm getting the whole message. In fact, here is some header info, with the domain changed of course.

This is a good example. You will notice that it was sent to accounting; I don't have a mailbox set up for accounting, nor do I have a distribution group set up with that name, so why are all the people in the Administrator group getting this email when it comes in?

Microsoft Mail Internet Headers Version 2.0
Received: from jacek ([]) by with Microsoft SMTPSVC(6.0.3790.1830);
       Mon, 6 Nov 2006 09:42:18 -0700
Return-Path: <>
Received: from (HELO
     by with esmtp (D>34OE+S5,12 W7V?@)
     id W=X0A:-O41L(<-B>
     for; Mon, 6 Nov 2006 16:41:53 -0060
Date:      Mon, 6 Nov 2006 16:41:53 -0060
From:      "Leonor Cullen" <>
X-Mailer: The Bat! (v3.51.10) Educational
X-Priority: 3 (Normal)
Message-ID: <>
Subject: Be leaner and slim_mer by next week
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
X-Spam: Not detected
X-OriginalArrivalTime: 06 Nov 2006 16:42:20.0644 (UTC) FILETIME=[872C0240:01C701C2]

You have forgotten the first rule of spam emails - the entire header can be considered to be false.
The fact that it says that it was sent to accounting doesn't mean that was the only user the spam email was sent to. A very common tactic is to send the email to a long list of people - with the first address in the to: line and the rest in the BCC line.
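The point above, that the To: line says nothing about who actually received the message, is easiest to see by comparing the SMTP envelope with the message headers. The following is an added example, not code or data from the thread: the SMTP session and message are constructed, and all addresses are placeholders. It extracts the RCPT TO list (what the server really delivered to) and reports every recipient that does not appear in To: or Cc:, which is exactly what a BCC'd or envelope-only recipient looks like in the logs.

```python
"""Envelope recipients versus header recipients.  Added teaching example; the
SMTP transcript and message below are constructed and the addresses are
placeholders, not the thread's real domain."""
from email import message_from_string
from email.utils import getaddresses
from typing import List

# Constructed client-side SMTP commands, as the receiving server logs them.
# Three RCPT TO commands, but the message body will only name one of them.
SESSION = [
    "MAIL FROM:<leonor.cullen@spam.invalid>",
    "RCPT TO:<accounting@example.com>",
    "RCPT TO:<john.doe@example.com>",
    "RCPT TO:<root@example.com>",
    "DATA",
]

# Constructed message.  Note that X-Spam was written by the sender's own
# software, so it carries no information about the message at all.
MESSAGE = """\
From: "Leonor Cullen" <leonor.cullen@spam.invalid>
To: accounting@example.com
Subject: Be leaner and slim_mer by next week
X-Spam: Not detected
Content-Type: text/plain

Hello
"""


def envelope_recipients(session: List[str]) -> List[str]:
    """Recipients the server actually accepted mail for (RCPT TO commands)."""
    out = []
    for line in session:
        cmd, _, arg = line.partition(":")
        if cmd.strip().upper() == "RCPT TO":
            out.append(arg.strip().strip("<>").lower())
    return out


def header_recipients(raw: str) -> List[str]:
    """Recipients visible in the message headers (To: and Cc: only)."""
    msg = message_from_string(raw)
    addrs = []
    for header in ("To", "Cc"):
        for value in msg.get_all(header, []):
            for _, addr in getaddresses([value]):
                addrs.append(addr.lower())
    return addrs


def hidden_recipients(session: List[str], raw: str) -> List[str]:
    """Envelope recipients that the headers never mention: BCC'd addresses,
    or a list of targets the spam tool supplied only in the envelope."""
    visible = set(header_recipients(raw))
    return [r for r in envelope_recipients(session) if r not in visible]


if __name__ == "__main__":
    print("header says:", header_recipients(MESSAGE))
    print("server delivered to:", envelope_recipients(SESSION))
    print("never shown in headers:", hidden_recipients(SESSION, MESSAGE))
```

When checking why a mailbox received a message, the envelope recipients in the SMTP protocol log are the record to consult; the To: header only shows what the sender chose to display.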

brady1408 (Author) commented:
Guess no one ever taught me the first rule then. In that case, what can I do to cut down spam? Any good recommendations of server-side spam filters?
brady1408 (Author) commented:
Just a quick update: I plan to accept Sembee's answer as it has been a ton of help, but I didn't want this to get closed quite yet. I enabled IMF; it seemed to help a couple of users, but for myself it didn't do a thing, so I am trying the trial version of Vamsoft and so far am very pleased, although I'm a little worried. I'm using the greylisting feature you mentioned and so far 98% of the mail coming into the server has been rejected. That number seems high, but it might not be; I'm just going to have to give it some time. Also, is there a log of rejected senders? How do I check for false positives on the junk filtering? I know how blacklisting works and am not worried about that at all, but the greylisting I just don't understand, and that's what worries me a little. I don't see what temporarily rejecting an email will do to catch spam, and if it's temporarily rejecting ham then how does it know that it's okay the next time the server tries to send it?
Have a read of my blog post first.

I have explained a lot of how greylisting works there.

98% is not unusual. I have sites running in the high 90s myself. You need to watch the logs as you may see the odd piece of legitimate email being rejected. I have seen email messages from eBay be rejected in the past, but I refuse to white list that domain because it is targeted by phishers as well.

Don't forget that greylisting also catches email sent to non-existing users. If you are on Exchange 2003 with SP2 and have recipient filtering enabled then you would be dropping those messages anyway. I drop on my home server 10,000 misaddressed emails a day. That can distort the Vamsoft stats slightly.
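The question in the thread, how a temporary reject can catch spam and how the server knows the retry is fine, comes down to a small state machine keyed on the (client IP, sender, recipient) triplet. The block below is an added example written for this page; it is not Vamsoft ORF's or Exchange's code. The delay values, the SMTP reply texts and the local address list are assumptions. It also applies recipient filtering first, so that mail to non-existent users gets a permanent 550 and does not distort the greylist rejection log, which mirrors the point made above about misaddressed mail.

```python
"""Greylisting decision logic: the first delivery attempt for a new
(client IP, sender, recipient) triplet gets a temporary 4xx reply, a retry
after the delay is accepted, and the triplet is then remembered.  Added
teaching example, not Vamsoft ORF's or Exchange's code.  Delay values, reply
texts and the local address list are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MIN_DELAY = 300          # assumed: a retry must arrive at least 5 minutes later
MAX_PENDING = 4 * 3600   # assumed: a triplet that never retries is forgotten

# Assumed local address book.  Recipient filtering rejects anything else with a
# permanent 550, so misaddressed mail never enters the greylist statistics.
VALID_RECIPIENTS = {"john.doe@example.com", "support@example.com"}

Triplet = Tuple[str, str, str]


@dataclass
class Greylist:
    pending: Dict[Triplet, float] = field(default_factory=dict)  # first seen time
    passed: Set[Triplet] = field(default_factory=set)            # auto-whitelist
    log: List[str] = field(default_factory=list)                 # for FP review

    def check(self, client_ip: str, mail_from: str, rcpt_to: str, now: float) -> str:
        """Return the SMTP reply for one RCPT TO and update the state."""
        rcpt = rcpt_to.lower()
        if rcpt not in VALID_RECIPIENTS:
            self.log.append(f"{now:.0f} 550 {client_ip} {mail_from} -> {rcpt} (unknown user)")
            return "550 5.1.1 User unknown"
        key = (client_ip, mail_from.lower(), rcpt)
        if key in self.passed:
            return "250 OK"                        # triplet already proved itself
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > MAX_PENDING:
            self.pending[key] = now                # new, or stale, triplet
            self.log.append(f"{now:.0f} 451 {client_ip} {mail_from} -> {rcpt} (first contact)")
            return "451 4.7.1 Greylisted, please try again later"
        if now - first_seen < MIN_DELAY:
            self.log.append(f"{now:.0f} 451 {client_ip} {mail_from} -> {rcpt} (retried too early)")
            return "451 4.7.1 Greylisted, please try again later"
        # A real MTA queued the message and retried after its backoff interval.
        # Most spam tools fire once and move on, so they never reach this line.
        del self.pending[key]
        self.passed.add(key)
        return "250 OK"

    def rejections(self) -> List[str]:
        """Greylist (451) rejections only: the list to scan for false positives."""
        return [line for line in self.log if " 451 " in line]


def simulate() -> List[str]:
    """Constructed scenario: one spam tool that never retries, one real MTA."""
    gl = Greylist()
    bot = ("203.0.113.7", "leonor.cullen@spam.invalid", "john.doe@example.com")
    mta = ("198.51.100.5", "friend@example.org", "john.doe@example.com")
    return [
        gl.check(*bot, now=0),      # 451; the bot never comes back
        gl.check(*mta, now=0),      # 451; the real MTA queues the message
        gl.check(*mta, now=60),     # 451; retried inside the delay window
        gl.check(*mta, now=900),    # 250; retry after 15 minutes is accepted
        gl.check(*mta, now=1000),   # 250; triplet is now whitelisted, no delay
        gl.check("203.0.113.7", "x@spam.invalid", "accounting@example.com", now=0),  # 550
    ]


if __name__ == "__main__":
    for reply in simulate():
        print(reply)
```

Because the retry is matched on the same triplet, the server does not need to know anything about the message content: a sender that behaves like a standards-compliant MTA is let through on its own retry, and the rejection log is the place to look for the occasional legitimate sender that gave up too early.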

brady1408 (Author) commented:
Very good Sembee, I read your blog, and before I heard back from you I found another good white paper on the subject, found here.

I'm very happy with the way things are going. I looked through the logs and every email that was rejected looked like spam to me; I couldn't find a ham message in the list of rejects, so I guess I feel much better about false positives. There is always something to be said for knowing how something works; it really helped put my mind at ease.

Thanks a ton!!!