Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Exchange 2003 Message Tracking Center confusion

Posted on 2007-11-26
8
Medium Priority
?
1,728 Views
Last Modified: 2008-02-29
Hello,

A user reported that she received an NDR over the weekend. She claims that she did not send the message. I checked her mailbox, deleted items, recovered deleted items, nothing that suggests she sent the message. So I'm thinking it may be spam or she's part of a group she doesn't know about.

I logged onto Exchange (2003 SP2) and opened the message tracking center. I punched in her account and the time frame when the message was sent. It shows the message originating from her, however it's first name.lastname@company.com. All of the other messages show her display name. My understanding is that if you don't see the display name, it's spam.

Here's my question. The firstname.lastname message was shown as being delivered to a lot of people in our organization. Yet when I went to someone to see if they received it, they have no record of it. If this is spam, why would it show up in the Message Tracking Center? We have strict restrictions on what is allowed to connect and relay to our server. I checked those settings again this morning and nothing has changed.

Can someone please tell me why this is showing up in the Message Tracking Center and how concerned, if at all, I should be.

Thanks a lot!
0
Comment
Question by:lucado01
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 12

Expert Comment

by:Network_Data_Support
ID: 20351800
i would check her machine for and bots or nasties that she may have.
0
 
LVL 4

Expert Comment

by:mdcsea
ID: 20351813
Do you allow outbound SMTP mail from inside your LAN or just from the Exchange server?  An e-mail originating from an SMTP client inside the LAN, submitted for relaying with a valid user account (and valid e-mail address) would be allowed out and would not show up with the display name in the tracking center.

Assuming all your internal users are using Outlook and connect to the Exchange server using RPC (not SMTP), there should be no need to accept SMTP traffic from inside the LAN and the Exchange Server (or more properly the firewall) should only allow inbound SMTP traffic from outside the network.  How you do this depends on your firewall.

Using telnet, check to see if you can connect to Exchange SMTP from inside the network.  If you can, turn it off at the firewall unless it's absolutely needed from the desktops.

There are other possibilities, but this is the first one that came to mind.

HTH!
0
 

Author Comment

by:lucado01
ID: 20352277
One piece of information I left out is that according to the message tracking center, the domain of the email in the Message ID field ended in an msn.com address. The domain for all other messages sent by this user over the last few days is ours. Is this a spoofed message header from a compromised computer in the network?

NDS - Initial findings suggest everything's OK but I'll take a closer look at the machine.

mdcsea- Not everyone is using Outlook, so we need SMTP internally.

Thanks!
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 4

Accepted Solution

by:
mdcsea earned 2000 total points
ID: 20352436
For those users who use SMTP internally, are you ate least requiring the to authenticate to the Exchange Server or can unauthenticated traffic relay as long as it comes from the internal LAN.  Be sure that authentication is required.  More importantly, make sure that only the Exchange Server is allowed to relay out to the internet (firewall configuration) unless your users really need to relay through external servers.  I can't see why that would be the case unless you provide SMTP outbound on your LAN for visitors (not the best idea).

Is it possible this was actually an inbound message that came from msn.com but had this user's e-mail address (spoofed) attached so it showed up in the search?  If it truly was an outbound message, then you have something amiss inside your firewall.  Assuming you're seeing nothing else unexplainable and have found no malware on the user's machine, put a firewall on that user's machine locally and configure it to allow SMTP traffic to only the Exchange server and make sure the user's account requires authentication for SMTP (if this is one of the users' that needs SMTP, otherwise block it.  Check the firewall logs in a few days and see if there were other attempts.
0
 

Author Comment

by:lucado01
ID: 20352693
mdcsea,

-Is it possible this was actually an inbound message that came from msn.com but had this user's e-mail address (spoofed) attached so it showed up in the search?

I guess that was my biggest question, if an address is spoofed, will it show up in the Message Tracking Center search as being sent from the local user? If so, I would be inclined to say that this is just spam.

I will  take your suggestions and see what I can find.
0
 
LVL 4

Expert Comment

by:mdcsea
ID: 20353117
The message tracking logs should contain all inbound and outbound messages through the server.  It might be simpler to parse the log manually - it's a text file.  Or, export it to an Excel sheet to look at it.  Here is a good reference for the field descriptions:  http://support.microsoft.com/kb/246965  and here is a reference for the event IDs:  http://support.microsoft.com/kb/821905  The even IDs will help to know which direction the message was heading.
0
 

Author Comment

by:lucado01
ID: 20353494
mdcsea,

We looked at the logs on our smart host and confirmed that the message was spam and originated from the outside. I didn't know that this would show up in the message tracking center.
0
 
LVL 4

Expert Comment

by:mdcsea
ID: 20353716
The traffic will show up, but not in the MTC.  That's why it's necessary to inspect the logs themselves sometimes.
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One-stop solution for Exchange Administrators to address all MS Exchange Server issues, which is known by the name of Stellar Exchange Toolkit.
Are you looking for the options available for exporting EDB files to PST? You may be confused as they are different in different Exchange versions. Here, I will discuss some options available.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question