Email messages sent that look like spam

Posted on 2007-11-15
Last Modified: 2010-05-18
Checked message tracking and noticed emails with abnormal(spam type) subjects being sent from domain users accounts. Some messages went to external email address and some others the sender and the reciepent were the same domain user. I checked the users sent items from their outlook profiles and those sent items were not there. I ran CA antivirus complete scan, nothing found, same with Symantec AV and panda online. Also scanned desktops. Nothing found. These email have been sent at random times, from several different users mailboxes and with different subjects. Cant figure out where they are originating.
Question by:tmharris09
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 63

Expert Comment

ID: 20296360
SOmeone is probably spoofing your user addresses.

That is what spammers do.

These probably came from the outside , not the inside.

Else, you have some malware doing this on your LAN.

I hope this helps !

Expert Comment

ID: 20296651
It's all are comes from outside, check IMF security zone and also check if your SMTP might have open relay.

Author Comment

ID: 20298839
How can the messages be sent from the outside if when i view items being sent from that user the spams show up. Message tracking tool does not know the difference if its a spoofed address? Another thing I should note is that, this IP was blacklisted for spam. I do believe there is something on the inside but how do i find it. Server is not an open relay
LVL 63

Accepted Solution

SysExpert earned 500 total points
ID: 20300083
You may need to do network packet analysis, or use something like Hijackthis logging on each machine to look for malware.

malware - Leetutor list
Have you tried running virus scans and spyware scans  This could be a problem with viruses/trojans/spyware or other malware. Some free online virus scanners:

Also try these free programs to rid your system of spyware, trojans, and other malware:
Spybot - Search & Destroy
LavaSoft Ad-aware  

I use BOTH of the above programs on my 3 Windows systems; what one program misses, the other catches.  Also make sure to download the most up-to-date data before you run the programs.

Another very good freeware program for ridding yourself of spyware is this:

You might also try this free program (HijackThis) -- install it in its own folder, don't download to your Desktop:

HijackThis is a tool that is for advanced users, because it lists all the installed browser add-on and startup items, allowing you to inspect them and then optionally remove any ones you select.  You must be careful in choosing what to remove, although the program can create a backup of your original settings.  But put a check mark to fix any home page or search page setting that HijackThis detects which you have not entered yourself.  The program has an option to download online updates of the hijack data.

You should first post the log at this site:

and it will be automatically analyzed for you (after you click on the button labeled "Analyze" near the bottom of the page), telling you which entries (called "Nasty") should be fixed.  You will also be told if you have any items that are "Possibly Nasty", or "Unnecessary", or "Unknown". If you don't know what to do about these, you might find something on the module name by doing a Google search of the internet.

If you have any questions about what it is asking you to fix that you would like the E-E experts to comment on, then do this:  right above the Analyze button you will see this message: "The following analyses has been stored temporarily", and there will be a link where the analysis file will be saved (for a period of three days). Click on it and then copy the link of that page from the address bar of your browser and paste it here, and experts can check it for you.  (Please DON'T post the entire log itself in your question.)

In case you would like to learn more yourself how to use HijackThis, here are a couple of urls:
HijackThis Quick Start
HijackThis log tutorial

I hope this helps !

Author Comment

ID: 20302321
Blocked outbound port 25 on firewall except for server, checked logs, and found ip address of machine hitting port 25. CA av did not pick up but Symantec AV found it. Trojan.pandex was the culprit.

Featured Post

Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
A couple of months ago we ran into an issue that necessitated re-creating our Edge Subscriptions. However, when we attempted to execute the command: New-EdgeSubscription -filename C:\NewEdgeSub_01.xml we received an error indicating that the LDAP se…
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to:…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question