Exchange 2003 Message Tracking Center confusion

Posted on 2007-11-26
Last Modified: 2008-02-29

A user reported that she received an NDR over the weekend. She claims that she did not send the message. I checked her mailbox, deleted items, recovered deleted items, nothing that suggests she sent the message. So I'm thinking it may be spam or she's part of a group she doesn't know about.

I logged onto Exchange (2003 SP2) and opened the message tracking center. I punched in her account and the time frame when the message was sent. It shows the message originating from her, however it's first All of the other messages show her display name. My understanding is that if you don't see the display name, it's spam.

Here's my question. The firstname.lastname message was shown as being delivered to a lot of people in our organization. Yet when I went to someone to see if they received it, they have no record of it. If this is spam, why would it show up in the Message Tracking Center? We have strict restrictions on what is allowed to connect and relay to our server. I checked those settings again this morning and nothing has changed.

Can someone please tell me why this is showing up in the Message Tracking Center and how concerned, if at all, I should be.

Thanks a lot!
Question by:lucado01
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 12

Expert Comment

ID: 20351800
i would check her machine for and bots or nasties that she may have.

Expert Comment

ID: 20351813
Do you allow outbound SMTP mail from inside your LAN or just from the Exchange server?  An e-mail originating from an SMTP client inside the LAN, submitted for relaying with a valid user account (and valid e-mail address) would be allowed out and would not show up with the display name in the tracking center.

Assuming all your internal users are using Outlook and connect to the Exchange server using RPC (not SMTP), there should be no need to accept SMTP traffic from inside the LAN and the Exchange Server (or more properly the firewall) should only allow inbound SMTP traffic from outside the network.  How you do this depends on your firewall.

Using telnet, check to see if you can connect to Exchange SMTP from inside the network.  If you can, turn it off at the firewall unless it's absolutely needed from the desktops.

There are other possibilities, but this is the first one that came to mind.


Author Comment

ID: 20352277
One piece of information I left out is that according to the message tracking center, the domain of the email in the Message ID field ended in an address. The domain for all other messages sent by this user over the last few days is ours. Is this a spoofed message header from a compromised computer in the network?

NDS - Initial findings suggest everything's OK but I'll take a closer look at the machine.

mdcsea- Not everyone is using Outlook, so we need SMTP internally.

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Accepted Solution

mdcsea earned 500 total points
ID: 20352436
For those users who use SMTP internally, are you ate least requiring the to authenticate to the Exchange Server or can unauthenticated traffic relay as long as it comes from the internal LAN.  Be sure that authentication is required.  More importantly, make sure that only the Exchange Server is allowed to relay out to the internet (firewall configuration) unless your users really need to relay through external servers.  I can't see why that would be the case unless you provide SMTP outbound on your LAN for visitors (not the best idea).

Is it possible this was actually an inbound message that came from but had this user's e-mail address (spoofed) attached so it showed up in the search?  If it truly was an outbound message, then you have something amiss inside your firewall.  Assuming you're seeing nothing else unexplainable and have found no malware on the user's machine, put a firewall on that user's machine locally and configure it to allow SMTP traffic to only the Exchange server and make sure the user's account requires authentication for SMTP (if this is one of the users' that needs SMTP, otherwise block it.  Check the firewall logs in a few days and see if there were other attempts.

Author Comment

ID: 20352693

-Is it possible this was actually an inbound message that came from but had this user's e-mail address (spoofed) attached so it showed up in the search?

I guess that was my biggest question, if an address is spoofed, will it show up in the Message Tracking Center search as being sent from the local user? If so, I would be inclined to say that this is just spam.

I will  take your suggestions and see what I can find.

Expert Comment

ID: 20353117
The message tracking logs should contain all inbound and outbound messages through the server.  It might be simpler to parse the log manually - it's a text file.  Or, export it to an Excel sheet to look at it.  Here is a good reference for the field descriptions:  and here is a reference for the event IDs:  The even IDs will help to know which direction the message was heading.

Author Comment

ID: 20353494

We looked at the logs on our smart host and confirmed that the message was spam and originated from the outside. I didn't know that this would show up in the message tracking center.

Expert Comment

ID: 20353716
The traffic will show up, but not in the MTC.  That's why it's necessary to inspect the logs themselves sometimes.

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question