Getting Spam from me to myself

I'm getting alot messages from me to myself, We have an exchange server 2003 and I have checked our exchange server isn't mail relay using the website
Relay test result
All tests performed, no relays accepted.

Email from:
Email to:

Here is the outlook headers

Microsoft Mail Internet Headers Version 2.0
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.3959);
       Tue, 11 Nov 2008 17:33:20 +0000
X-EC0D2A8E-5CB7-4969-9C36-46D859D137BE-PartID: DB7DB1B8-1F06-4D54-A013-FA2437D6F194
thread-index: AclEI5Kg3dtUbOPYTkuF7Ta835i8qA==
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.0); Tue, 11 Nov 2008 17:33:11 +0000
Content-Transfer-Encoding: 7bit
To: <>
Content-Class: urn:content-classes:message
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Subject: Your private life compromised
From: <>
MIME-Version: 1.0
Importance: High
Content-Type: text/html;
Return-Path: <>
Message-ID: <>
X-OriginalArrivalTime: 11 Nov 2008 17:33:12.0378 (UTC) FILETIME=[922DA9A0:01C94423]
Date: 11 Nov 2008 17:33:12 +0000

Also there are other users that have the same problem ( getting spam from their own email address)

Who is Participating?
Hedley PhillipsConnect With a Mentor OwnerCommented:
In Exchange an email from you to you would not route out to it would stay inside the building and look like:

2008-11-14      9:45:28 GMT      -      -      -      EXCHANGE1      -      /O=DOMAIN/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=USERNAME      1027      ACB1BAB90DC835499689E200CA2C999244F00C@exchange1.DOMAIN.local      0      0      1235      1      2008-11-14 9:45:28 GMT      0      -      c=US;a= ;p=DOMAIN;l=EXCHANGE1-081114094528Z-139      FUCK      EX:/O=DOMAIN/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=USERNAME      -

The only way to stamp on these is to configure your GFI and tighten it up. We use the same software as you and don't get any of these so I can only assume we have our GFI locked down tighter.

Make sure you have all the different filters set and also I would also recommend setting SPF on your DNS records.


This has really helped cut down on spam.

Hedley PhillipsOwnerCommented:

Sounds like it is a case of spoofing.

You could set Exchange to not accept messages for non existant users:

and run through these:

a) Check the mail smtp queues in Exchange System Manager to see if there is unusual activity.

b) Do a DNS test at

c) See if you are blacklisted at

d)  In case you need to secure your server:

e) Run a virus check on the clients.

f) Enable Message tracking and check through the logs to confirm that the emails were not sent by your server.
Hedley PhillipsOwnerCommented:
We have Message tracking on permanently as I find it very useful. I don't use the built in Message Tracking Centre in ESM - Tools but prefer to read through the actual logs myself.

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

GuildOfDruidsAuthor Commented:
Thanks for you response

Filter Out Mail to Non-Existent Users is already checked plus I'm using GFI mailessentials and have enabled Directory Harvest option, actioned to delete messages destined to non-existent users.

a) Here is my smtp queue, looks fine to me.

b) No Critical DNS, MX errors

c) Not Blacklisted in any server

d) Mached with both the links (no problem)

e) Nod32 is running on exchange and on every client. (10 clients)

f) Can I find via message tracking the reason of these kind of emails? can't it says same thing in outlook mail header?


Hedley PhillipsOwnerCommented:
I would relax and forget about it then.

Spoofing comes in waves, you will find that it clears up fairly soon until the next batch. Blacklists aren't fooled by the spoof so you won't get added to their lists.

GFI is a good bit of software and the Directory harvesting works well. Do you have it set at header level or email body as the latest version allows you to kill the spam at the header level thus reducing the load on your server.

Regarding f) you should be able to see in your logs Exchange server logs the source mail server for the emails. If you want, paste an excerpt from them so we can have a look. I imagine you will only see the incoming mails and nothing goin gout.
to really get rid of spam, both from your own address, and the trillion of others you really only have two options.

1.  a device on your own network such as the sonicwall email security appliance
2.  a hosted solutions such as mxlogic.

GuildOfDruidsAuthor Commented:
Here is message tracking log of the email from me to myself.

2008-11-13      13:12:12 GMT      -      mailserver      1019      0      0      7682      1      2008-11-13 13:12:12 GMT      0      Version: 6.0.3790.3959      -      -

how can i stop emails like these?

Hedley PhillipsOwnerCommented:

how are you progressing with this?
GuildOfDruidsAuthor Commented:
My GFI is set to a balanced settings, If I tightened it more up I could block some legitimate emails and vice versa. But I cant do anything about email from me to myself. I thought there would be some different settings for such case. I'm sure the spammers alter the heading because you are right these are being route from (example)

I do have the SPF settings and .... hang on, let me paste those settings may there is something wrong in it.

v=spf1 mx -all

I do have the GFI Sender Policy Framework set to Low, but as I said making this option more tightened can cause some clients email being filtered.

Anyway thanks for your above email which clarified that these ain't triggered from my exchange server.

Hedley PhillipsOwnerCommented:

are you happy to close this question down and assign points?
GuildOfDruidsAuthor Commented:
just last thing, Is there anything wrong in the spf i'm using?

v=spf1 mx -all

Hedley PhillipsOwnerCommented:
That is correct.

The -all means that no other servers can send mail with a hard fail. If you sued a ~ this would give a soft fail
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.