Exchange 2003 Message Tracking Center confusion

Posted on 2007-11-26
Medium Priority
Last Modified: 2008-02-29

A user reported that she received an NDR over the weekend. She claims that she did not send the message. I checked her mailbox, deleted items, recovered deleted items, nothing that suggests she sent the message. So I'm thinking it may be spam or she's part of a group she doesn't know about.

I logged onto Exchange (2003 SP2) and opened the message tracking center. I punched in her account and the time frame when the message was sent. It shows the message originating from her, however it's first name.lastname@company.com. All of the other messages show her display name. My understanding is that if you don't see the display name, it's spam.

Here's my question. The firstname.lastname message was shown as being delivered to a lot of people in our organization. Yet when I went to someone to see if they received it, they have no record of it. If this is spam, why would it show up in the Message Tracking Center? We have strict restrictions on what is allowed to connect and relay to our server. I checked those settings again this morning and nothing has changed.

Can someone please tell me why this is showing up in the Message Tracking Center and how concerned, if at all, I should be.

Thanks a lot!
Question by:lucado01
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 12

Expert Comment

ID: 20351800
i would check her machine for and bots or nasties that she may have.

Expert Comment

ID: 20351813
Do you allow outbound SMTP mail from inside your LAN or just from the Exchange server?  An e-mail originating from an SMTP client inside the LAN, submitted for relaying with a valid user account (and valid e-mail address) would be allowed out and would not show up with the display name in the tracking center.

Assuming all your internal users are using Outlook and connect to the Exchange server using RPC (not SMTP), there should be no need to accept SMTP traffic from inside the LAN and the Exchange Server (or more properly the firewall) should only allow inbound SMTP traffic from outside the network.  How you do this depends on your firewall.

Using telnet, check to see if you can connect to Exchange SMTP from inside the network.  If you can, turn it off at the firewall unless it's absolutely needed from the desktops.

There are other possibilities, but this is the first one that came to mind.


Author Comment

ID: 20352277
One piece of information I left out is that according to the message tracking center, the domain of the email in the Message ID field ended in an msn.com address. The domain for all other messages sent by this user over the last few days is ours. Is this a spoofed message header from a compromised computer in the network?

NDS - Initial findings suggest everything's OK but I'll take a closer look at the machine.

mdcsea- Not everyone is using Outlook, so we need SMTP internally.

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.


Accepted Solution

mdcsea earned 2000 total points
ID: 20352436
For those users who use SMTP internally, are you ate least requiring the to authenticate to the Exchange Server or can unauthenticated traffic relay as long as it comes from the internal LAN.  Be sure that authentication is required.  More importantly, make sure that only the Exchange Server is allowed to relay out to the internet (firewall configuration) unless your users really need to relay through external servers.  I can't see why that would be the case unless you provide SMTP outbound on your LAN for visitors (not the best idea).

Is it possible this was actually an inbound message that came from msn.com but had this user's e-mail address (spoofed) attached so it showed up in the search?  If it truly was an outbound message, then you have something amiss inside your firewall.  Assuming you're seeing nothing else unexplainable and have found no malware on the user's machine, put a firewall on that user's machine locally and configure it to allow SMTP traffic to only the Exchange server and make sure the user's account requires authentication for SMTP (if this is one of the users' that needs SMTP, otherwise block it.  Check the firewall logs in a few days and see if there were other attempts.

Author Comment

ID: 20352693

-Is it possible this was actually an inbound message that came from msn.com but had this user's e-mail address (spoofed) attached so it showed up in the search?

I guess that was my biggest question, if an address is spoofed, will it show up in the Message Tracking Center search as being sent from the local user? If so, I would be inclined to say that this is just spam.

I will  take your suggestions and see what I can find.

Expert Comment

ID: 20353117
The message tracking logs should contain all inbound and outbound messages through the server.  It might be simpler to parse the log manually - it's a text file.  Or, export it to an Excel sheet to look at it.  Here is a good reference for the field descriptions:  http://support.microsoft.com/kb/246965  and here is a reference for the event IDs:  http://support.microsoft.com/kb/821905  The even IDs will help to know which direction the message was heading.

Author Comment

ID: 20353494

We looked at the logs on our smart host and confirmed that the message was spam and originated from the outside. I didn't know that this would show up in the message tracking center.

Expert Comment

ID: 20353716
The traffic will show up, but not in the MTC.  That's why it's necessary to inspect the logs themselves sometimes.

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question