Email messages sent that look like spam

Posted on 2007-11-15
Last Modified: 2010-05-18
Checked message tracking and noticed emails with abnormal(spam type) subjects being sent from domain users accounts. Some messages went to external email address and some others the sender and the reciepent were the same domain user. I checked the users sent items from their outlook profiles and those sent items were not there. I ran CA antivirus complete scan, nothing found, same with Symantec AV and panda online. Also scanned desktops. Nothing found. These email have been sent at random times, from several different users mailboxes and with different subjects. Cant figure out where they are originating.
Question by:tmharris09
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 63

Expert Comment

ID: 20296360
SOmeone is probably spoofing your user addresses.

That is what spammers do.

These probably came from the outside , not the inside.

Else, you have some malware doing this on your LAN.

I hope this helps !

Expert Comment

ID: 20296651
It's all are comes from outside, check IMF security zone and also check if your SMTP might have open relay.

Author Comment

ID: 20298839
How can the messages be sent from the outside if when i view items being sent from that user the spams show up. Message tracking tool does not know the difference if its a spoofed address? Another thing I should note is that, this IP was blacklisted for spam. I do believe there is something on the inside but how do i find it. Server is not an open relay
LVL 63

Accepted Solution

SysExpert earned 500 total points
ID: 20300083
You may need to do network packet analysis, or use something like Hijackthis logging on each machine to look for malware.

malware - Leetutor list
Have you tried running virus scans and spyware scans  This could be a problem with viruses/trojans/spyware or other malware. Some free online virus scanners:

Also try these free programs to rid your system of spyware, trojans, and other malware:
Spybot - Search & Destroy
LavaSoft Ad-aware  

I use BOTH of the above programs on my 3 Windows systems; what one program misses, the other catches.  Also make sure to download the most up-to-date data before you run the programs.

Another very good freeware program for ridding yourself of spyware is this:

You might also try this free program (HijackThis) -- install it in its own folder, don't download to your Desktop:

HijackThis is a tool that is for advanced users, because it lists all the installed browser add-on and startup items, allowing you to inspect them and then optionally remove any ones you select.  You must be careful in choosing what to remove, although the program can create a backup of your original settings.  But put a check mark to fix any home page or search page setting that HijackThis detects which you have not entered yourself.  The program has an option to download online updates of the hijack data.

You should first post the log at this site:

and it will be automatically analyzed for you (after you click on the button labeled "Analyze" near the bottom of the page), telling you which entries (called "Nasty") should be fixed.  You will also be told if you have any items that are "Possibly Nasty", or "Unnecessary", or "Unknown". If you don't know what to do about these, you might find something on the module name by doing a Google search of the internet.

If you have any questions about what it is asking you to fix that you would like the E-E experts to comment on, then do this:  right above the Analyze button you will see this message: "The following analyses has been stored temporarily", and there will be a link where the analysis file will be saved (for a period of three days). Click on it and then copy the link of that page from the address bar of your browser and paste it here, and experts can check it for you.  (Please DON'T post the entire log itself in your question.)

In case you would like to learn more yourself how to use HijackThis, here are a couple of urls:
HijackThis Quick Start
HijackThis log tutorial

I hope this helps !

Author Comment

ID: 20302321
Blocked outbound port 25 on firewall except for server, checked logs, and found ip address of machine hitting port 25. CA av did not pick up but Symantec AV found it. Trojan.pandex was the culprit.

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question