Solved

How to trace where the email is sent from in our system?

Posted on 2007-03-19
11
1,180 Views
Last Modified: 2008-01-09
I've experienced someone/company stealing/hacking into our email server to send out spam...
I can only trace from the message tracking system that it's from do-not-reply@xxxxx.com; however, how can I get more detail on where it originally came from (which workstation, or from the internet, or how it can go via our system)?

I'm using Windows 2003 SP2, Exchange 2003 SP2.

Question by:pcchiu
11 Comments
 
LVL 14

Expert Comment

by:inbarasan
ID: 18754604
You may check the e-mail header. It will show where the mail originated from.
0
 
LVL 33

Expert Comment

by:Busbar
ID: 18754608
Just double-click on the message.
If you want further detail, you can enable SMTP logging on the virtual server.
0
 
LVL 16

Expert Comment

by:poweruser32
ID: 18756955
Also make sure the queues are not full of emails like this, as you could be under a spam attack.
0
 
LVL 9

Author Comment

by:pcchiu
ID: 18757354
I mean there are a lot of emails in the queue which are not supposed to be from our company...  I didn't mean we received a lot of spam...
Here's what I found in the queues:  *I have hundreds of those in the queue...
Message id:  <SERVER1i67EKRuYDlrj0000005d@server1.xxxxxxx.local>
Sender:  "Carolina Trust Bank"<do-not-reply@carolinatrust.com>  <-  This is not from our company however it's from the sender...
Subject:   Suspended Account
priority:  Normal
...

How can I figure out where the email was submitted from (I think it may be from a workstation), or whether somehow people get to send those directly from our server...  So I just want to see where the email originally came from and where I can trace it...
1.  I tested our email server and it's not an open relay...
2.  I've seen those in the queue once every two days (100+ with NDRs bounced back from the others)...  So I have to figure out how it happens...
We have many workstations and we have central virus/spyware protection, and it didn't find anything...
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18760451
You need my spam cleanup article.

http://www.amset.info/exchange/spam-cleanup.asp

That will help you identify how, clean up the server and then resolve the problem.

Simon.
0
 
LVL 9

Author Comment

by:pcchiu
ID: 18769380
Hi Sembee,

I tried everything mentioned in the link you provided and the server is shown as secured...  However, the spam is still being sent out via our server...  Is there any other possibility for how it happens?  Thanks.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18775819
Have you changed your administrator account password?
Turned off authenticated relaying?
Did you restart the SMTP Service?

There are very few ways that an Exchange server can be turned into a relay.

Simon.
0
 
LVL 9

Author Comment

by:pcchiu
ID: 18775904
1.  Yes, just changed the admin password.
2.  Can't turn it off since we need to send email from the server to outside.
3.  Yes, restarted the SMTP service many times.

Will keep you posted on how it goes.   Thanks...
0
 
LVL 104

Accepted Solution

by:
Sembee earned 125 total points
ID: 18776021
Are you sure that you understand what authenticated relaying does?
Turning that option off does not stop Exchange from sending email. It just stops SMTP/POP3 users from using your server to send email.

If you need to leave it on then you should secure it so that only restricted users can use it.

Have you flushed the queues? Take note of what I say in my article about it taking a few passes.

Simon.
0
 
LVL 9

Author Comment

by:pcchiu
ID: 18776120
Hi Sembee,

1.  Yes, there are SMTP/POP3 users sending email via our system...
2.  I followed through all the steps from your article and right now so far so good (no unknown email sent out yet); however, most of the time they send email out around 3am PST...  So I have to wait a couple more nights and see how it goes.

Thanks.
0
 
LVL 9

Author Comment

by:pcchiu
ID: 18797983
Actually, changing the administrator password prevented the spam from being sent via our system...  Looks like somehow the administrator password got stolen/hacked...  Thanks.
0
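
Added example (not part of the original thread, and not code from any poster): once SMTP logging is enabled on the virtual server as suggested above, a W3C-style log can be triaged for the pattern the asker saw in the queue, mail where neither sender nor recipient belongs to the organisation, grouped by submitting client IP. The log lines, the `ourco.example` domain, and the assumption that the log records the SMTP verb in `cs-method` and its argument in `cs-uri-query` are constructed for illustration; the column order is read from the log's own `#Fields:` line.

```python
from collections import Counter, defaultdict

# Constructed sample; the column layout is an assumption and is read from the
# log's own "#Fields:" line, so a different column order still parses.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2007-03-19 03:01:11 203.0.113.50 MAIL +FROM:<do-not-reply@bank.example> 250
2007-03-19 03:01:11 203.0.113.50 RCPT +TO:<a@victim.example> 250
2007-03-19 03:01:12 203.0.113.50 RCPT +TO:<b@victim.example> 250
2007-03-19 08:30:00 198.51.100.7 MAIL +FROM:<sales@partner.example> 250
2007-03-19 08:30:01 198.51.100.7 RCPT +TO:<alice@ourco.example> 250
2007-03-19 09:15:00 192.168.1.20 MAIL +FROM:<alice@OURCO.example> 250
2007-03-19 09:15:01 192.168.1.20 RCPT +TO:<sales@partner.example> 250
"""
OWN_DOMAINS = {"ourco.example"}  # assumption: domains this server is responsible for


def _address(arg):
    """Extract the lower-cased address between < and >, or '' if absent."""
    start, end = arg.find("<"), arg.find(">")
    return arg[start + 1:end].lower() if 0 <= start < end else ""


def _is_foreign(addr, own_domains):
    """True when the address has a domain and it is not one of ours."""
    domain = addr.rpartition("@")[2]
    return bool(domain) and domain not in own_domains


def relayed_by_client(log_text, own_domains=OWN_DOMAINS):
    """Return {client_ip: Counter(sender -> accepted recipients)} for mail where
    neither the sender nor the recipient belongs to own_domains (i.e. relayed)."""
    fields, last_sender, hits = [], {}, defaultdict(Counter)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]           # column names for the rows below
            continue
        if not fields or not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        ip, verb = row.get("c-ip", "?"), row.get("cs-method", "").upper()
        accepted = row.get("sc-status", "").startswith("2")
        addr = _address(row.get("cs-uri-query", ""))
        if verb == "MAIL":
            last_sender[ip] = addr if accepted else ""
        elif verb == "RCPT" and accepted:
            sender = last_sender.get(ip, "")
            if _is_foreign(sender, own_domains) and _is_foreign(addr, own_domains):
                hits[ip][sender] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, senders in relayed_by_client(SAMPLE_LOG).items():
        print(ip, dict(senders))
```

Inbound mail to the organisation and outbound mail from its own users are both ignored, so whatever remains is relayed traffic worth tracing to a workstation or external address. Sender state is tracked per client IP, so concurrent sessions from one address can blur attribution.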


Question has a verified solution.
