How to trace where the email was sent from in our system?

I've experienced someone/some company stealing/hacking into our email server to send out spam...
I can only trace from the message tracking system that it's from do-not-reply@xxxxx.com; however, how can I get more detail on where it originally came from (which workstation, or from the internet, or how it could go via our system)?

I'm using Windows 2003 SP2, Exchange 2003 SP2.

pcchiuAsked:

inbarasanCommented:
You may check the e-mail header. It will show where the mail originated from.
0
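As an added example (not part of the original thread), here is how to read the Received headers the way inbarasan suggests: walk them from the bottom up and pick out the hop that handed the message to your own server, then decide whether that client was an internal address or an internet host. The message, hostnames and addresses are constructed for the example; server1.example.local stands in for the site's Exchange box.

```python
import email
import ipaddress
import re

# Constructed sample headers (hosts and addresses are invented): a message handed
# to server1.example.local by a LAN workstation, then relayed out to an external MX.
SAMPLE_MESSAGE = """\
Received: from server1.example.local ([203.0.113.25]) by mx.example.net
 with ESMTP; Tue, 10 Jun 2008 03:02:11 -0700
Received: from workstation17 ([10.0.0.117]) by server1.example.local
 with Microsoft SMTPSVC; Tue, 10 Jun 2008 03:02:10 -0700
From: "Some Bank" <do-not-reply@bank.example>
Subject: Suspended Account
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# RFC 1918 ranges treated as "inside our network".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_received(raw_message):
    """Return Received hops in transit order (earliest first). Servers prepend
    Received headers, so the bottom one is where the message first entered."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        ip_match = IP_RE.search(value[: m.start(2)])  # IP of the "from" side
        hops.append({"from_host": m.group(1),
                     "from_ip": ip_match.group(1) if ip_match else None,
                     "by_host": m.group(2)})
    return hops


def classify_origin(raw_message, local_server):
    """Find the hop that delivered the message to local_server and say whether
    the submitting client was an internal address or an internet host."""
    for hop in parse_received(raw_message):
        if hop["by_host"].lower() == local_server.lower():
            if hop["from_ip"] is None:
                return hop, "unknown"
            addr = ipaddress.ip_address(hop["from_ip"])
            return hop, "internal" if any(addr in n for n in INTERNAL_NETS) else "internet"
    return None, "not seen by local server"
```

Only the hop recorded by your own server can be trusted; anything below it in the header chain was written by the client and can be forged.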
BusbarSolutions ArchitectCommented:
Just double click on the message.
If you want further detail you can enable SMTP logging on the virtual server.
0
poweruser32Commented:
Also make sure the queues are not full of emails like this, as you could be under a spam attack.
0
pcchiuAuthor Commented:
I mean there are a lot of emails in the queue which are not supposed to be from our company...  I didn't mean we received a lot of spam...
Here's what I found in the queues:  *I have hundreds of those in the queue..
Message id:  <SERVER1i67EKRuYDlrj0000005d@server1.xxxxxxx.local>
Sender:  "Carolina Trust Bank"<do-not-reply@carolinatrust.com>  <-  This is not from our company, however it's shown as the sender...
Subject:   Suspended Account
priority:  Normal
...

How can I figure out where the email was submitted from (I think it may be from a workstation), or whether somehow people get to send those directly from our server...  So I just want to see where the email originally came from and how I can trace it...
1.  I tested our email server and it's not an open relay...
2.  I've seen those in the queue once every two days (100+ with NDR bounce-backs from the others)...  So I have to figure out how it happens...
We have many workstations and we have central virus/spyware protection, and it didn't find anything...
0
SembeeCommented:
You need my spam cleanup article.

http://www.amset.info/exchange/spam-cleanup.asp

That will help you identify how, clean up the server and then resolve the problem.

Simon.
0
pcchiuAuthor Commented:
Hi Sembee,

I tried everything mentioned in the link you provided and the server is shown as secured...  However the spam is still being sent out via our server...  Is there any other possibility for how it happens?  Thanks.
0
SembeeCommented:
Have you changed your administrator account password?
Turned off authenticated relaying?
Did you restart the SMTP Service?

There are very few ways that an Exchange server can be turned into a relay.

Simon.
0
pcchiuAuthor Commented:
1.  Yes, just changed the admin password.
2.  Can't turn it off since we need to send email from the server to the outside.
3.  Yes, restarted the SMTP service many times.

Will keep posting on how it goes.   Thanks...
0
SembeeCommented:
Are you sure that you understand what authenticated relaying does?
Turning that option off does not stop Exchange from sending email. It just stops SMTP/POP3 users from using your server to send email.

If you need to leave it on then you should secure it so that only restricted users can use it.

Have you flushed the queues? Take note what I say in my article about it taking a few passes.

Simon.
0
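Busbar's suggestion to enable SMTP logging on the virtual server and Sembee's point about authenticated relaying come together in the log: a compromised account shows up as an authenticated session submitting envelope senders from domains that are not yours. The following is an added example (not from the thread or from Exchange) that reads the W3C-format log by its own #Fields line and groups such submissions by client IP and user. The log records, addresses, users and column list are constructed for the example; a real log's #Fields line decides which columns exist.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended log format, which the Windows 2003 SMTP
# virtual server writes once logging is on. The column list here is an assumption;
# the parser reads whatever names appear on the #Fields line, not fixed positions.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2008-06-10 10:01:59 10.0.0.117 administrator AUTH +LOGIN 235
2008-06-10 10:02:00 10.0.0.117 administrator MAIL +FROM:<do-not-reply@bank.example> 250
2008-06-10 10:02:03 10.0.0.117 administrator MAIL +FROM:<do-not-reply@bank.example> 250
2008-06-10 14:30:00 10.0.0.42 jsmith AUTH +LOGIN 235
2008-06-10 14:30:01 10.0.0.42 jsmith MAIL +FROM:<jsmith@example.local> 250
"""

FROM_RE = re.compile(r"FROM:<([^>]*)>", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names on the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split(None, len(fields) - 1)
            yield dict(zip(fields, values))


def find_relay_abuse(text, local_domains):
    """Group MAIL FROM commands whose envelope sender is not one of our domains by
    (client IP, authenticated user); a foreign sender on an authenticated session
    is the signature of a stolen account password being used to relay."""
    local = {d.lower() for d in local_domains}
    abuse = defaultdict(lambda: {"count": 0, "senders": set(), "hours": set()})
    for rec in parse_w3c(text):
        if rec.get("cs-method", "").upper() != "MAIL":
            continue
        m = FROM_RE.search(rec.get("cs-uri-query", ""))
        sender = m.group(1).lower() if m else ""
        if not sender or sender.rpartition("@")[2] in local:
            continue
        key = (rec["c-ip"], rec.get("cs-username", "-"))
        abuse[key]["count"] += 1
        abuse[key]["senders"].add(sender)
        abuse[key]["hours"].add(rec["time"][:2])  # hour of day, for spotting night batches
    return dict(abuse)
```

IIS writes W3C logs in UTC by default, so a batch sent at 3am PST, as pcchiu observed, appears around 10:00 in the file.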
pcchiuAuthor Commented:
Hi Sembee,

1.  Yes, there are SMTP/POP3 users sending email via our system...
2.  I followed through all the steps from your article and right now so far so good (no unknown email sent out yet), however most of the time they send email out around 3am PST...  So I have to wait a couple more nights and see how it goes.

Thanks.
0
pcchiuAuthor Commented:
Actually, changing the administrator password prevented the spam being sent via our system...  Looks like somehow the administrator password got stolen/hacked...  Thanks.
0