
Exchange 2003 Message Tracking Center confusion

Hello,

A user reported that she received an NDR over the weekend. She claims that she did not send the message. I checked her mailbox, deleted items, recovered deleted items, nothing that suggests she sent the message. So I'm thinking it may be spam or she's part of a group she doesn't know about.

I logged onto Exchange (2003 SP2) and opened the message tracking center. I punched in her account and the time frame when the message was sent. It shows the message originating from her, however it's firstname.lastname@company.com. All of the other messages show her display name. My understanding is that if you don't see the display name, it's spam.

Here's my question. The firstname.lastname message was shown as being delivered to a lot of people in our organization. Yet when I went to someone to see if they received it, they have no record of it. If this is spam, why would it show up in the Message Tracking Center? We have strict restrictions on what is allowed to connect and relay to our server. I checked those settings again this morning and nothing has changed.

Can someone please tell me why this is showing up in the Message Tracking Center and how concerned, if at all, I should be?

Thanks a lot!
Asked by lucado01
1 Solution
 
Network_Data_Support commented:
I would check her machine for any bots or nasties that she may have.
 
mdcsea commented:
Do you allow outbound SMTP mail from inside your LAN or just from the Exchange server?  An e-mail originating from an SMTP client inside the LAN, submitted for relaying with a valid user account (and valid e-mail address) would be allowed out and would not show up with the display name in the tracking center.

Assuming all your internal users are using Outlook and connect to the Exchange server using RPC (not SMTP), there should be no need to accept SMTP traffic from inside the LAN and the Exchange Server (or more properly the firewall) should only allow inbound SMTP traffic from outside the network.  How you do this depends on your firewall.

Using telnet, check to see if you can connect to Exchange SMTP from inside the network.  If you can, turn it off at the firewall unless it's absolutely needed from the desktops.

There are other possibilities, but this is the first one that came to mind.

HTH!
 
lucado01 (Author) commented:
One piece of information I left out is that according to the message tracking center, the domain of the email in the Message ID field ended in an msn.com address. The domain for all other messages sent by this user over the last few days is ours. Is this a spoofed message header from a compromised computer in the network?

NDS - Initial findings suggest everything's OK but I'll take a closer look at the machine.

mdcsea- Not everyone is using Outlook, so we need SMTP internally.

Thanks!
 
mdcsea commented:
For those users who use SMTP internally, are you at least requiring them to authenticate to the Exchange Server, or can unauthenticated traffic relay as long as it comes from the internal LAN?  Be sure that authentication is required.  More importantly, make sure that only the Exchange Server is allowed to relay out to the internet (firewall configuration) unless your users really need to relay through external servers.  I can't see why that would be the case unless you provide SMTP outbound on your LAN for visitors (not the best idea).

Is it possible this was actually an inbound message that came from msn.com but had this user's e-mail address (spoofed) attached so it showed up in the search?  If it truly was an outbound message, then you have something amiss inside your firewall.  Assuming you're seeing nothing else unexplainable and have found no malware on the user's machine, put a firewall on that user's machine locally and configure it to allow SMTP traffic to only the Exchange server and make sure the user's account requires authentication for SMTP (if this is one of the users that needs SMTP; otherwise block it).  Check the firewall logs in a few days and see if there were other attempts.
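mdcsea's two checks above (can a desktop reach the Exchange SMTP listener at all, and if so, does the server relay to an outside domain without authentication) are easy to script so they can be repeated after a firewall change. The following is an added example and not code from the thread: the server name, the internal sender and the external recipient are placeholders, the verdict is based only on the standard SMTP reply-code classes (2xx, 4xx, 5xx) rather than on any Exchange-specific wording, and the session stops after RCPT TO and never issues DATA, so no message is ever sent.

```python
"""Check from a LAN workstation whether the Exchange SMTP listener accepts
unauthenticated relay to an outside domain.

Added example, not code from the thread. Assumed placeholders: SMTP_HOST,
INTERNAL_SENDER and EXTERNAL_RCPT. The verdict uses only the generic SMTP
reply-code classes. The session stops after RCPT TO and never sends DATA.
"""
import smtplib

SMTP_HOST = "exchange.corp.example"                     # placeholder: your Exchange 2003 server
SMTP_PORT = 25
INTERNAL_SENDER = "firstname.lastname@company.example"  # placeholder internal address
EXTERNAL_RCPT = "nobody@external.example"               # placeholder outside address


def classify_reply(code):
    """Map the SMTP reply code to RCPT TO <external address> to a verdict.

    2xx: the server agreed to relay for an unauthenticated client (open relay)
    4xx: temporarily refused; inconclusive, retry later
    5xx: permanently refused; the expected answer for an unauthenticated client
    """
    if 200 <= code < 300:
        return "relay-accepted"
    if 400 <= code < 500:
        return "deferred"
    if 500 <= code < 600:
        return "relay-refused"
    return "unexpected"


def check_unauthenticated_relay(host=SMTP_HOST, port=SMTP_PORT, timeout=10):
    """Return (reachable, verdict, detail).

    reachable=False means port 25 could not be opened from this host at all,
    i.e. the firewall already blocks LAN-originated SMTP, which is the goal for
    desktops that do not need it. Otherwise the verdict comes from classify_reply().
    """
    try:
        conn = smtplib.SMTP(host, port, timeout=timeout)
    except (OSError, smtplib.SMTPException) as exc:
        return False, "unreachable", str(exc)
    try:
        conn.ehlo_or_helo_if_needed()
        code, reply = conn.mail(INTERNAL_SENDER)
        if code != 250:
            # The server would not even accept the envelope sender; report it as is.
            return True, "sender-refused", "%d %s" % (code, reply.decode(errors="replace"))
        code, reply = conn.rcpt(EXTERNAL_RCPT)
        return True, classify_reply(code), "%d %s" % (code, reply.decode(errors="replace"))
    except smtplib.SMTPException as exc:
        return True, "unexpected", str(exc)
    finally:
        try:
            conn.quit()
        except (OSError, smtplib.SMTPException):
            pass


if __name__ == "__main__":
    reachable, verdict, detail = check_unauthenticated_relay()
    print("reachable=%s verdict=%s (%s)" % (reachable, verdict, detail))
```

Run it from an ordinary desktop rather than from the Exchange box itself: "unreachable" is the desired result for workstations that do not need SMTP, "relay-refused" is what an authenticating SMTP client should see before it logs in, and "relay-accepted" means the server will relay for anything on the LAN and the relay restrictions or firewall rules need attention.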
 
lucado01 (Author) commented:
mdcsea,

-Is it possible this was actually an inbound message that came from msn.com but had this user's e-mail address (spoofed) attached so it showed up in the search?

I guess that was my biggest question, if an address is spoofed, will it show up in the Message Tracking Center search as being sent from the local user? If so, I would be inclined to say that this is just spam.

I will take your suggestions and see what I can find.
 
mdcsea commented:
The message tracking logs should contain all inbound and outbound messages through the server.  It might be simpler to parse the log manually - it's a text file.  Or, export it to an Excel sheet to look at it.  Here is a good reference for the field descriptions:  http://support.microsoft.com/kb/246965  and here is a reference for the event IDs:  http://support.microsoft.com/kb/821905  The event IDs will help to know which direction the message was heading.
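To make the suggestion of parsing the tracking log by hand concrete, here is an added example (not code from the thread, from Microsoft, or from any product) that reads an Exchange 2003 message tracking log and flags events where the Sender-Address belongs to a local user but the Message-ID domain or the connecting client IP is external, which is the pattern lucado01 saw: a search for the user returns a message she never sent. Assumptions: the column names are read from the "#" header line of the log as described in KB 246965 (the FIELDS list is my recollection of that column order and only serves to build the constructed sample); the sample lines, the company.example domain, the 10.0.0.0/8 range and the Event-ID values are constructed placeholders, not captured data.

```python
"""Parse an Exchange 2003 message tracking log (tab-delimited text) and flag
events whose Sender-Address claims a local user while the Message-ID domain or
the client IP is external.

Added example, not from the thread. Field order in FIELDS is assumed from
KB 246965; the parser reads the real header from the file instead of trusting it.
"""
import ipaddress

LOCAL_DOMAIN = "company.example"                       # placeholder: your SMTP domain
LOCAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # placeholder: LAN ranges allowed to submit mail

FIELDS = [  # assumed column order of an Exchange 2000/2003 tracking log (KB 246965)
    "Date", "Time", "client-ip", "Client-hostname", "Partner-Name",
    "Server-hostname", "server-IP", "Recipient-Address", "Event-ID", "MSGID",
    "Priority", "Recipient-Report-Status", "total-bytes", "Number-Recipients",
    "Origination-Time", "Encryption", "service-Version", "Linked-MSGID",
    "Message-Subject", "Sender-Address",
]


def _row(values):
    """Build one tab-delimited log line; unset columns get '-' as in the real log."""
    return "\t".join(values.get(name, "-") for name in FIELDS)


# Constructed sample (not captured from a server). Event-ID values are placeholders;
# what matters for the check is client-ip, MSGID and Sender-Address.
SAMPLE_LOG = "\n".join([
    "# Message Tracking Log File",
    "# Exchange System Attendant Version 6.5.7638.1",
    "# " + "\t".join(FIELDS),
    # 1) genuine submission from a LAN client, MSGID generated by our own server
    _row({"Date": "2008-3-29", "Time": "09:12:03 GMT", "client-ip": "10.1.4.27",
          "Client-hostname": "WS027", "Server-hostname": "EXCH01",
          "Recipient-Address": "bob@company.example", "Event-ID": "1019",
          "MSGID": "<0001@exch01.company.example>", "Message-Subject": "Friday report",
          "Sender-Address": "firstname.lastname@company.example"}),
    # 2) inbound message from the smart host whose MAIL FROM spoofs the same user:
    #    external client IP and an msn-style MSGID domain
    _row({"Date": "2008-3-29", "Time": "23:41:55 GMT", "client-ip": "203.0.113.9",
          "Client-hostname": "smarthost.isp.example", "Server-hostname": "EXCH01",
          "Recipient-Address": "alice@company.example", "Event-ID": "1019",
          "MSGID": "<9f2c@bay0-omc3.msn.example>", "Message-Subject": "Re: your account",
          "Sender-Address": "firstname.lastname@company.example"}),
    # 3) ordinary inbound mail from an outside sender: not a local sender, so ignored
    _row({"Date": "2008-3-29", "Time": "23:42:10 GMT", "client-ip": "203.0.113.9",
          "Client-hostname": "smarthost.isp.example", "Server-hostname": "EXCH01",
          "Recipient-Address": "alice@company.example", "Event-ID": "1019",
          "MSGID": "<77aa@mail.partner.example>", "Message-Subject": "Invoice",
          "Sender-Address": "billing@partner.example"}),
])


def parse_tracking_log(text):
    """Return one dict per data line, keyed by the column names in the '#' header.

    Lines starting with '#' are comments; the last comment line containing tabs
    is taken as the column header (an optional 'Fields:' prefix is tolerated).
    """
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if line.startswith("#"):
            body = line[1:].strip()
            if body.lower().startswith("fields:"):
                body = body[len("fields:"):].strip()
            if "\t" in body:
                fields = [f.strip() for f in body.split("\t")]
            continue
        if fields is None:
            raise ValueError("data line before any column header")
        cols = line.split("\t")
        cols += ["-"] * (len(fields) - len(cols))  # tolerate truncated lines
        records.append(dict(zip(fields, cols)))
    return records


def _domain(address):
    """Domain part of an SMTP address or Message-ID, lower-cased, without <>."""
    address = address.strip().strip("<>")
    return address.rpartition("@")[2].lower() if "@" in address else ""


def _is_local_ip(ip_text, networks):
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return any(ip in net for net in networks)


def flag_spoofed_local_senders(records, local_domain=LOCAL_DOMAIN, networks=LOCAL_NETWORKS):
    """Return (record, reasons) for events whose Sender-Address is in the local
    domain but whose Message-ID domain or client IP says the mail came from outside."""
    local_domain = local_domain.lower()
    findings = []
    for rec in records:
        if _domain(rec.get("Sender-Address", "")) != local_domain:
            continue
        reasons = []
        mdom = _domain(rec.get("MSGID", ""))
        if mdom and mdom != local_domain and not mdom.endswith("." + local_domain):
            reasons.append("Message-ID domain %s is not local" % mdom)
        if not _is_local_ip(rec.get("client-ip", ""), networks):
            reasons.append("client-ip %s is outside the LAN" % rec.get("client-ip"))
        if reasons:
            findings.append((rec, reasons))
    return findings


if __name__ == "__main__":
    for rec, why in flag_spoofed_local_senders(parse_tracking_log(SAMPLE_LOG)):
        print(rec["Date"], rec["Time"], rec["Sender-Address"], "->",
              rec["Recipient-Address"], "|", "; ".join(why))
```

Point it at the real files (read them as text and pass the contents to parse_tracking_log) after setting LOCAL_DOMAIN and LOCAL_NETWORKS for your environment; a hit with "client-ip ... outside the LAN" is an inbound message carrying a spoofed local sender, which the smart-host logs can then confirm, while a hit from an internal IP with a foreign Message-ID domain is the case worth inspecting on the workstation.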
 
lucado01 (Author) commented:
mdcsea,

We looked at the logs on our smart host and confirmed that the message was spam and originated from the outside. I didn't know that this would show up in the message tracking center.
 
mdcsea commented:
The traffic will show up, but not in the MTC.  That's why it's necessary to inspect the logs themselves sometimes.
