Solved

How to trace where's the email send from our system?

Posted on 2007-03-19
11
1,174 Views
Last Modified: 2008-01-09
I've expenience someone/company steal/hack into our email server to send out spam...
I only can trace from the message tracking system it's from do-not-reply@xxxxx.com  however how can I get into more detail on where was the original from(which workstation or from the internet or how it can go via our system)?

I'm using windows 2003 SP2, Exchange 2003 SP2.

0
Comment
Question by:pcchiu
11 Comments
 
LVL 14

Expert Comment

by:inbarasan
ID: 18754604
You may check E-mail header. It will show from where the mail has originated.
0
 
LVL 33

Expert Comment

by:Busbar
ID: 18754608
just double click on the message
if oyu want further detailed you can enable SMTP logging on the virtual server
0
 
LVL 16

Expert Comment

by:poweruser32
ID: 18756955
also make sure the queues are not full of emails like this as you could be under a spam attack
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 9

Author Comment

by:pcchiu
ID: 18757354
I mean there's a lot of email in queue which is not suppose to be from our company...  I didn't mean we received a lot of spams...
Here's what I found from the queues:  *I've hundreds of those in the queue..
Message id:  <SERVER1i67EKRuYDlrj0000005d@server1.xxxxxxx.local>
Sender:  "Carolina Trust Bank"<do-not-reply@carolinatrust.com>  <-  This is not from our company however it's from the sender...
Subject:   Suspended Account
priority:  Normal
...

How can I figure out where's the email submit from(I think it maybe from a workstation) or somehow people get to send those directly from our server...  So I just want to see where's the email original from and where I can trace it...
1.  I tested our email server and it's not open relay...
2.  I've see those in the queue once every two days(100+ with NDR bounce back from the others)...  So I've to figure out how it happens...  
We've many workstations and we've central virus/spyware protection and it didn't found anything...
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18760451
You need my spam cleanup article.

http://www.amset.info/exchange/spam-cleanup.asp

That will help you identify how, clean up the server and then resolve the problem.

Simon.
0
 
LVL 9

Author Comment

by:pcchiu
ID: 18769380
Hi Sembee,

I tried all it mention from the link you provide and the server is shown secured...  However the spam still sending out via our server...  Is there any other possibility on how it happen?  Thanks.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18775819
Have you changed your administrator account password?
Turned off authenticated relaying?
Did you restart the SMTP Service?

There are very few ways that an Exchange server can be turned in to a relay.

Simon.
0
 
LVL 9

Author Comment

by:pcchiu
ID: 18775904
1.  yes just changed the admin password.
2.  Can't turn it off since we need to send email from the server to outside.
3.  Yes restart the SMTP services many time.

Will keep post on how it goes.   Thanks...
0
 
LVL 104

Accepted Solution

by:
Sembee earned 125 total points
ID: 18776021
Are you sure that you understand what authenticated relaying does?
Turning that option off does not stop Exchange from sending email. It just stops smtp/pop3 users from using your server to send email.

If you need to leave it on then you should secure it so that only restricted users can use it.

Have you flushed the queues? Take note what I say in my article about it taking a few passes.

Simon.
0
 
LVL 9

Author Comment

by:pcchiu
ID: 18776120
Hi Sembee,

1.  Yes there's SMTP/POP3 users sending email via our system...
2.  I follow thru all the steps from your article and right now so far so good(no unknown email send out yet) however most time they send email out around 3am pst...  So I've to wait couple more night and see how it goes.

Thanks.
0
 
LVL 9

Author Comment

by:pcchiu
ID: 18797983
Actually changed the administrator password prevent the spam send via our system...  Look like somehow the administrator password was got stolen/hacked...  Thanks.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question