Exchange 2003 Message Tracking Center confusion

Posted on 2007-11-26
Last Modified: 2008-02-29

A user reported that she received an NDR over the weekend. She claims that she did not send the message. I checked her mailbox, deleted items, recovered deleted items, nothing that suggests she sent the message. So I'm thinking it may be spam or she's part of a group she doesn't know about.

I logged onto Exchange (2003 SP2) and opened the message tracking center. I punched in her account and the time frame when the message was sent. It shows the message originating from her, however it's first All of the other messages show her display name. My understanding is that if you don't see the display name, it's spam.

Here's my question. The firstname.lastname message was shown as being delivered to a lot of people in our organization. Yet when I went to someone to see if they received it, they have no record of it. If this is spam, why would it show up in the Message Tracking Center? We have strict restrictions on what is allowed to connect and relay to our server. I checked those settings again this morning and nothing has changed.

Can someone please tell me why this is showing up in the Message Tracking Center and how concerned, if at all, I should be.

Thanks a lot!
Question by: lucado01

Expert Comment

ID: 20351800
I would check her machine for any bots or nasties that she may have.

Expert Comment

ID: 20351813
Do you allow outbound SMTP mail from inside your LAN or just from the Exchange server?  An e-mail originating from an SMTP client inside the LAN, submitted for relaying with a valid user account (and valid e-mail address) would be allowed out and would not show up with the display name in the tracking center.

Assuming all your internal users are using Outlook and connect to the Exchange server using RPC (not SMTP), there should be no need to accept SMTP traffic from inside the LAN and the Exchange Server (or more properly the firewall) should only allow inbound SMTP traffic from outside the network.  How you do this depends on your firewall.

Using telnet, check to see if you can connect to Exchange SMTP from inside the network.  If you can, turn it off at the firewall unless it's absolutely needed from the desktops.

There are other possibilities, but this is the first one that came to mind.


Author Comment

ID: 20352277
One piece of information I left out is that according to the message tracking center, the domain of the email in the Message ID field ended in an address. The domain for all other messages sent by this user over the last few days is ours. Is this a spoofed message header from a compromised computer in the network?

NDS - Initial findings suggest everything's OK but I'll take a closer look at the machine.

mdcsea- Not everyone is using Outlook, so we need SMTP internally.


Accepted Solution

mdcsea earned 500 total points
ID: 20352436
For those users who use SMTP internally, are you at least requiring them to authenticate to the Exchange Server, or can unauthenticated traffic relay as long as it comes from the internal LAN?  Be sure that authentication is required.  More importantly, make sure that only the Exchange Server is allowed to relay out to the internet (firewall configuration) unless your users really need to relay through external servers.  I can't see why that would be the case unless you provide SMTP outbound on your LAN for visitors (not the best idea).

Is it possible this was actually an inbound message that came from but had this user's e-mail address (spoofed) attached so it showed up in the search?  If it truly was an outbound message, then you have something amiss inside your firewall.  Assuming you're seeing nothing else unexplainable and have found no malware on the user's machine, put a firewall on that user's machine locally and configure it to allow SMTP traffic to only the Exchange server, and make sure the user's account requires authentication for SMTP (if this is one of the users that needs SMTP; otherwise block it).  Check the firewall logs in a few days and see if there were other attempts.


Author Comment

ID: 20352693

-Is it possible this was actually an inbound message that came from but had this user's e-mail address (spoofed) attached so it showed up in the search?

I guess that was my biggest question, if an address is spoofed, will it show up in the Message Tracking Center search as being sent from the local user? If so, I would be inclined to say that this is just spam.

I will take your suggestions and see what I can find.

Expert Comment

ID: 20353117
The message tracking logs should contain all inbound and outbound messages through the server.  It might be simpler to parse the log manually - it's a text file.  Or, export it to an Excel sheet to look at it.  Here is a good reference for the field descriptions:  and here is a reference for the event IDs:  The event IDs will help to know which direction the message was heading.
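The manual log inspection suggested in the comment above, as an added example that is not part of the original thread: a Python script that reads an Exchange 2003 message tracking log using the column names from its header comment line, then flags rows where the Sender-Address is the user's but the message did not originate inside the network, which is what a spoofed inbound message looks like. The two signs it checks are the ones the asker noticed: the submitting client IP is not an internal address, and the Message-ID was minted by a foreign domain. The column subset, the event-ID labels and the sample rows are constructed for this example and are not from the page; confirm the event IDs against Microsoft's reference before relying on the labels.

```python
import ipaddress
import re

# Constructed sample of an Exchange 2003 tracking log: tab-separated, with the
# column names in a '#' header comment line. Only a subset of the real columns
# is used here; the parser reads whatever header your log actually has.
# Hosts, addresses and Message-IDs are made up for this example.
SAMPLE_LOG = """# Message Tracking Log File
# Date\tTime\tclient-ip\tClient-hostname\tServer-hostname\tRecipient-Address\tEvent-ID\tMSGID\tNumber-Recipients\tSender-Address
2007-11-23\t15:12:10 GMT\t10.0.0.5\tEXCH01\tEXCH01\tbob@example.com\t1019\t<A1B2@exch01.example.com>\t1\talice@example.com
2007-11-23\t15:12:11 GMT\t10.0.0.5\tEXCH01\tEXCH01\tbob@example.com\t1028\t<A1B2@exch01.example.com>\t1\talice@example.com
2007-11-25\t02:40:03 GMT\t203.0.113.10\tsmarthost.isp.example\tEXCH01\tbob@example.com;carol@example.com\t1028\t<9f3c@mail.badhost.invalid>\t2\talice@example.com
"""

# Assumed labels for a few SMTP tracking events; verify against the event ID
# reference for your Exchange version before trusting the descriptions.
EVENT_NAMES = {
    "1019": "SMTP: message submitted to Advanced Queuing",
    "1020": "SMTP: started outbound transfer",
    "1028": "SMTP: store driver delivered message locally",
    "1030": "SMTP: NDR generated",
    "1031": "SMTP: end outbound transfer",
}

MSGID_DOMAIN = re.compile(r"@([^>\s]+)>?\s*$")


def parse_tracking_log(text):
    """Return one dict per data row, keyed by the column names taken from the
    last '#' comment line that contains tabs (the column header)."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            candidate = line.lstrip("#").strip()
            if candidate.startswith("Fields:"):
                candidate = candidate[len("Fields:"):].strip()
            if "\t" in candidate:
                fields = candidate.split("\t")
            continue
        if fields is None:
            raise ValueError("data row before any header line")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def msgid_domain(msgid):
    """Domain part of a Message-ID such as '<id@host.example>', lower-cased."""
    match = MSGID_DOMAIN.search(msgid)
    return match.group(1).lower() if match else ""


def is_internal(ip_text, networks):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def suspicious_entries(rows, user_address, our_domain, internal_cidrs):
    """Rows claiming user_address as sender that did not come from inside:
    an external client IP or a Message-ID from a foreign domain.
    Returns a list of (reasons, row) pairs."""
    networks = [ipaddress.ip_network(cidr) for cidr in internal_cidrs]
    our_domain = our_domain.lower()
    findings = []
    for row in rows:
        if row.get("Sender-Address", "").lower() != user_address.lower():
            continue
        reasons = []
        client_ip = row.get("client-ip", "")
        if not is_internal(client_ip, networks):
            reasons.append("client-ip %s is not an internal address" % client_ip)
        domain = msgid_domain(row.get("MSGID", ""))
        if domain and domain != our_domain and not domain.endswith("." + our_domain):
            reasons.append("Message-ID domain %s is not ours" % domain)
        if reasons:
            findings.append((reasons, row))
    return findings


if __name__ == "__main__":
    log_rows = parse_tracking_log(SAMPLE_LOG)
    hits = suspicious_entries(log_rows, "alice@example.com", "example.com", ["10.0.0.0/8"])
    for reasons, row in hits:
        label = EVENT_NAMES.get(row["Event-ID"], "event " + row["Event-ID"])
        print(row["Date"], row["Time"], label, "->", row["Recipient-Address"])
        for reason in reasons:
            print("    ", reason)
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and listing your own internal ranges; a spoofed inbound message shows up with the user as Sender-Address but an external client-ip and a foreign Message-ID, while a genuine outbound message from the store comes from the Exchange server's own address.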

Author Comment

ID: 20353494

We looked at the logs on our smart host and confirmed that the message was spam and originated from the outside. I didn't know that this would show up in the message tracking center.

Expert Comment

ID: 20353716
The traffic will show up, but not in the MTC.  That's why it's necessary to inspect the logs themselves sometimes.
