Solved

How to trace where the email was sent from in our system?

Posted on 2007-03-19
Last Modified: 2008-01-09
I've experienced someone/a company stealing/hacking into our email server to send out spam...
I can only trace from the message tracking system that it's from do-not-reply@xxxxx.com. However, how can I get more detail on where it originally came from (which workstation, or from the internet, or how it can go via our system)?

I'm using Windows 2003 SP2, Exchange 2003 SP2.

Question by:pcchiu
11 Comments
 

Expert Comment

by:inbarasan
ID: 18754604
You may check the e-mail header. It will show where the mail originated.
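The header check suggested above, as an added example that is not part of the original thread: it reads the `Received` lines of a message and reports the hop recorded by your own server, which is the only one the sender cannot forge. The server name, internal ranges and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Assumptions for this sketch: our server's name and our internal ranges.
OUR_SERVERS = {"server1.example.local"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample message (placeholder hosts, documentation IP ranges).
# The second Received line stands for one supplied by the sender.
SAMPLE = """\
Received: from unknown-host ([203.0.113.77]) by server1.example.local
\twith Microsoft SMTPSVC; Mon, 19 Mar 2007 03:02:09 -0700
Received: from mail.bank.example ([192.0.2.10]) by relay.bank.example;
\tMon, 19 Mar 2007 03:01:58 -0700
From: "Some Bank" <do-not-reply@bank.example>
Subject: Suspended Account

(body omitted)
"""

# Matches "from <helo> (<optional rdns> [<ip>]) by <server>"
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^()\[\]]*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)"
)

def hops(raw):
    """Received hops in header order (newest first) as helo/ip/by dicts."""
    values = message_from_string(raw).get_all("Received", [])
    return [m.groupdict() for m in map(HOP_RE.search, values) if m]

def submitter(raw):
    """Newest hop written by one of our servers. Lines below it arrived
    with the message and can be forged, so they are not trusted."""
    for hop in hops(raw):
        if hop["by"].lower() in OUR_SERVERS:
            addr = ip_address(hop["ip"])
            hop["internal"] = any(addr in net for net in INTERNAL_NETS)
            return hop
    return None

if __name__ == "__main__":
    print(submitter(SAMPLE))
```

An `internal` result of `True` points at a workstation on the LAN; `False` means the message was handed to the server from outside.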
 

Expert Comment

by:Busbar
ID: 18754608
Just double-click on the message.
If you want further detail, you can enable SMTP logging on the virtual server.
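Once SMTP logging is enabled on the virtual server, the log can be searched for relayed mail. This added example (not code from the thread) counts accepted recipients per client IP where neither sender nor recipient belongs to your domains; the domain list, address ranges, field selection and log lines are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumptions for this sketch: our mail domains and internal address ranges.
OUR_DOMAINS = {"example.com"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed log excerpt (placeholder hosts, documentation IP ranges).
# W3C extended logs record UTC, so convert before comparing with local times.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2007-03-19 10:58:01 10.0.0.21 MAIL +FROM:<alice@example.com> 250
2007-03-19 10:58:01 10.0.0.21 RCPT +TO:<buyer@partner.example> 250
2007-03-19 11:01:40 203.0.113.9 MAIL +FROM:<buyer@partner.example> 250
2007-03-19 11:01:40 203.0.113.9 RCPT +TO:<alice@example.com> 250
2007-03-19 11:02:08 203.0.113.77 MAIL +FROM:<do-not-reply@bank.example> 250
2007-03-19 11:02:08 203.0.113.77 RCPT +TO:<a@mail.example> 250
2007-03-19 11:02:09 203.0.113.77 RCPT +TO:<b@mail.example> 250
2007-03-19 11:03:15 198.51.100.4 MAIL +FROM:<x@spam.example> 250
2007-03-19 11:03:15 198.51.100.4 RCPT +TO:<y@mail.example> 550
"""

def parse(log_text):
    """Yield one dict per entry; column names come from the #Fields: line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def domain_of(arg):
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1).rpartition("@")[2].lower() if m else ""

def relayed(log_text):
    """(ip, location, accepted RCPTs) where neither sender nor recipient is ours."""
    sender_dom, hits = {}, Counter()  # sender_dom: c-ip -> last MAIL FROM domain
    for e in parse(log_text):
        ip, dom = e.get("c-ip"), domain_of(e.get("cs-uri-query", ""))
        if e.get("sc-status") != "250":
            continue  # rejected commands (e.g. relay denied) are not counted
        if e.get("cs-method") == "MAIL":
            sender_dom[ip] = dom
        elif e.get("cs-method") == "RCPT" and ip in sender_dom:
            if sender_dom[ip] not in OUR_DOMAINS and dom not in OUR_DOMAINS:
                hits[ip] += 1
    return [(ip, "internal" if any(ip_address(ip) in n for n in INTERNAL_NETS)
             else "external", n_rcpt) for ip, n_rcpt in hits.most_common()]
```

Normal inbound and outbound mail is ignored because one side of it is always a local domain; concurrent sessions from the same client IP are merged, so treat the counts as a lead to follow up rather than an exact tally.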
 

Expert Comment

by:poweruser32
ID: 18756955
Also make sure the queues are not full of emails like this, as you could be under a spam attack.

Author Comment

by:pcchiu
ID: 18757354
I mean there are a lot of emails in the queue which are not supposed to be from our company... I didn't mean we received a lot of spam...
Here's what I found in the queues: *I have hundreds of those in the queue..
Message id:  <SERVER1i67EKRuYDlrj0000005d@server1.xxxxxxx.local>
Sender:  "Carolina Trust Bank"<do-not-reply@carolinatrust.com>  <-  This is not from our company however it's from the sender...
Subject:   Suspended Account
priority:  Normal
...

How can I figure out where the email was submitted from (I think it may be from a workstation), or whether somehow people get to send those directly from our server... So I just want to see where the email originally came from and where I can trace it...
1.  I tested our email server and it's not an open relay...
2.  I've seen those in the queue once every two days (100+ with NDRs bounced back from the others)... So I have to figure out how it happens...
We have many workstations and central virus/spyware protection, and it didn't find anything...

Expert Comment

by:Sembee
ID: 18760451
You need my spam cleanup article.

http://www.amset.info/exchange/spam-cleanup.asp

That will help you identify how, clean up the server and then resolve the problem.

Simon.

Author Comment

by:pcchiu
ID: 18769380
Hi Sembee,

I tried everything mentioned in the link you provided and the server is shown as secured... However, spam is still being sent out via our server... Is there any other possibility for how it happens? Thanks.

Expert Comment

by:Sembee
ID: 18775819
Have you changed your administrator account password?
Turned off authenticated relaying?
Did you restart the SMTP Service?

There are very few ways that an Exchange server can be turned into a relay.

Simon.

Author Comment

by:pcchiu
ID: 18775904
1.  Yes, just changed the admin password.
2.  Can't turn it off since we need to send email from the server to outside.
3.  Yes, restarted the SMTP service many times.

Will keep posting on how it goes.   Thanks...

Accepted Solution

by:
Sembee earned 125 total points
ID: 18776021
Are you sure that you understand what authenticated relaying does?
Turning that option off does not stop Exchange from sending email. It just stops SMTP/POP3 users from using your server to send email.

If you need to leave it on then you should secure it so that only restricted users can use it.

Have you flushed the queues? Take note of what I say in my article about it taking a few passes.

Simon.

Author Comment

by:pcchiu
ID: 18776120
Hi Sembee,

1.  Yes, there are SMTP/POP3 users sending email via our system...
2.  I followed through all the steps from your article and right now so far so good (no unknown email sent out yet); however, most of the time they send email out around 3am PST... So I have to wait a couple more nights and see how it goes.

Thanks.

Author Comment

by:pcchiu
ID: 18797983
Actually, changing the administrator password prevented the spam being sent via our system... Looks like somehow the administrator password got stolen/hacked... Thanks.