Solved

How to trace where the email is being sent from on our system?

Posted on 2007-03-19
Last Modified: 2008-01-09
I've experienced someone/some company stealing/hacking into our email server to send out spam...
I can only trace from the message tracking system that it's from do-not-reply@xxxxx.com; however, how can I get more detail on where it originally came from (which workstation, or from the internet, or how it can go via our system)?

I'm using Windows 2003 SP2, Exchange 2003 SP2.

Question by:pcchiu
 
LVL 14

Expert Comment

by:inbarasan
ID: 18754604
You may check the e-mail header. It will show where the mail originated.
0
 
LVL 33

Expert Comment

by:Busbar
ID: 18754608
Just double-click on the message.
If you want further detail, you can enable SMTP logging on the virtual server.
0
 
LVL 16

Expert Comment

by:poweruser32
ID: 18756955
Also make sure the queues are not full of emails like this, as you could be under a spam attack.
0
 
LVL 9

Author Comment

by:pcchiu
ID: 18757354
I mean there's a lot of email in the queue which is not supposed to be from our company...  I didn't mean we received a lot of spam...
Here's what I found in the queues:  *I have hundreds of those in the queue...
Message id:  <SERVER1i67EKRuYDlrj0000005d@server1.xxxxxxx.local>
Sender:  "Carolina Trust Bank"<do-not-reply@carolinatrust.com>  <-  This is not from our company however it's from the sender...
Subject:   Suspended Account
priority:  Normal
...

How can I figure out where the email is submitted from (I think it may be from a workstation), or whether somehow people get to send those directly from our server...  So I just want to see where the email originally came from and where I can trace it...
1.  I tested our email server and it's not an open relay...
2.  I've seen those in the queue once every two days (100+ with NDR bounce-backs from the others)...  So I have to figure out how it happens...
We have many workstations and we have central virus/spyware protection, and it didn't find anything...
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18760451
You need my spam cleanup article.

http://www.amset.info/exchange/spam-cleanup.asp

That will help you identify how, clean up the server and then resolve the problem.

Simon.
0
 
LVL 9

Author Comment

by:pcchiu
ID: 18769380
Hi Sembee,

I tried everything mentioned in the link you provided and the server is shown as secured...  However, the spam is still being sent out via our server...  Is there any other possibility for how it happens?  Thanks.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18775819
Have you changed your administrator account password?
Turned off authenticated relaying?
Did you restart the SMTP Service?

There are very few ways that an Exchange server can be turned into a relay.

Simon.
0
 
LVL 9

Author Comment

by:pcchiu
ID: 18775904
1.  Yes, just changed the admin password.
2.  Can't turn it off since we need to send email from the server to outside.
3.  Yes, restarted the SMTP service many times.

Will keep you posted on how it goes.   Thanks...
0
 
LVL 104

Accepted Solution

by:
Sembee earned 375 total points
ID: 18776021
Are you sure that you understand what authenticated relaying does?
Turning that option off does not stop Exchange from sending email. It just stops SMTP/POP3 users from using your server to send email.

If you need to leave it on then you should secure it so that only restricted users can use it.

Have you flushed the queues? Take note what I say in my article about it taking a few passes.

Simon.
0
 
LVL 9

Author Comment

by:pcchiu
ID: 18776120
Hi Sembee,

1.  Yes, there are SMTP/POP3 users sending email via our system...
2.  I followed through all the steps from your article and right now so far so good (no unknown email sent out yet); however, most of the time they send email out around 3am PST...  So I have to wait a couple more nights and see how it goes.

Thanks.
0
 
LVL 9

Author Comment

by:pcchiu
ID: 18797983
Actually, changing the administrator password prevented the spam from being sent via our system...  Looks like somehow the administrator password got stolen/hacked...  Thanks.
0
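An added example, not part of the original thread: once SMTP logging is enabled on the virtual server as suggested above, a script like this can answer the original question of which client submitted the foreign-sender mail and whether it was a workstation or an internet host. It assumes W3C extended format logs with the fields shown in the `#Fields:` line; the sample lines, host names, domains and internal address ranges are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample (documentation IPs, made-up hosts); field layout is an assumption.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2007-03-17 11:00:02 10.0.0.21 ws21.example.local MAIL +FROM:<alice@example.com> 250
2007-03-17 11:00:03 10.0.0.21 ws21.example.local RCPT +TO:<bob@partner.test> 250
2007-03-18 03:02:40 10.0.0.37 ws37.example.local MAIL +FROM:<promo@shop.test> 250
2007-03-18 03:02:41 10.0.0.37 ws37.example.local RCPT +TO:<user1@mail.test> 250
2007-03-19 03:01:10 203.0.113.45 unknown-host MAIL +FROM:<do-not-reply@bank.test> 250
2007-03-19 03:01:11 203.0.113.45 unknown-host RCPT +TO:<user2@mail.test> 250
2007-03-19 03:01:12 203.0.113.45 unknown-host RCPT +TO:<user3@mail.test> 250
"""

SENDER = re.compile(r"FROM:<[^<>@\s]*@([^<>\s]+)>", re.I)
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def origin_of(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unknown"
    return "internal" if any(addr in n for n in INTERNAL) else "external"

def foreign_senders(log_text, local_domains):
    """Per client IP: accepted MAIL FROM commands whose sender domain is not ours."""
    local = {d.lower() for d in local_domains}
    fields, report, foreign_txn = [], {}, {}
    for line in log_text.splitlines():
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]      # column order comes from the log itself
            continue
        row = dict(zip(fields, line.split()))
        ip, verb = row.get("c-ip", ""), row.get("cs-method", "").upper()
        if not row.get("sc-status", "").startswith("2"):
            continue                           # the server rejected this command
        if verb == "MAIL":
            m = SENDER.search(row.get("cs-uri-query", ""))
            foreign_txn[ip] = bool(m) and m.group(1).lower() not in local
            if foreign_txn[ip]:
                e = report.setdefault(ip, {"origin": origin_of(ip), "domains": set(), "messages": 0,
                    "recipients": 0, "first_seen": f"{row.get('date')} {row.get('time')}"})
                e["domains"].add(m.group(1).lower())
                e["messages"] += 1
        elif verb == "RCPT" and foreign_txn.get(ip):
            report[ip]["recipients"] += 1      # recipients of a foreign-sender message
    return report
```

Call `foreign_senders(log_text, {"example.com"})` with your own accepted domains. On a server that is not an open relay, an external client IP with accepted foreign-sender mail points at authenticated relaying, which is how this thread ended.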
