Getting Spam from me to myself

I'm getting alot messages from me to myself, We have an exchange server 2003 and I have checked our exchange server isn't mail relay using the website
Relay test result
All tests performed, no relays accepted.

Email from:
Email to:

Here is the outlook headers

Microsoft Mail Internet Headers Version 2.0
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.3959);
       Tue, 11 Nov 2008 17:33:20 +0000
X-EC0D2A8E-5CB7-4969-9C36-46D859D137BE-PartID: DB7DB1B8-1F06-4D54-A013-FA2437D6F194
thread-index: AclEI5Kg3dtUbOPYTkuF7Ta835i8qA==
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.0); Tue, 11 Nov 2008 17:33:11 +0000
Content-Transfer-Encoding: 7bit
To: <>
Content-Class: urn:content-classes:message
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Subject: Your private life compromised
From: <>
MIME-Version: 1.0
Importance: High
Content-Type: text/html;
Return-Path: <>
Message-ID: <>
X-OriginalArrivalTime: 11 Nov 2008 17:33:12.0378 (UTC) FILETIME=[922DA9A0:01C94423]
Date: 11 Nov 2008 17:33:12 +0000

Also there are other users that have the same problem ( getting spam from their own email address)

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hedley PhillipsOwnerCommented:

Sounds like it is a case of spoofing.

You could set Exchange to not accept messages for non existant users:

and run through these:

a) Check the mail smtp queues in Exchange System Manager to see if there is unusual activity.

b) Do a DNS test at

c) See if you are blacklisted at

d)  In case you need to secure your server:

e) Run a virus check on the clients.

f) Enable Message tracking and check through the logs to confirm that the emails were not sent by your server.
Hedley PhillipsOwnerCommented:
We have Message tracking on permanently as I find it very useful. I don't use the built in Message Tracking Centre in ESM - Tools but prefer to read through the actual logs myself.

GuildOfDruidsAuthor Commented:
Thanks for you response

Filter Out Mail to Non-Existent Users is already checked plus I'm using GFI mailessentials and have enabled Directory Harvest option, actioned to delete messages destined to non-existent users.

a) Here is my smtp queue, looks fine to me.

b) No Critical DNS, MX errors

c) Not Blacklisted in any server

d) Mached with both the links (no problem)

e) Nod32 is running on exchange and on every client. (10 clients)

f) Can I find via message tracking the reason of these kind of emails? can't it says same thing in outlook mail header?


Webinar: Miercom Evaluates Wi-Fi Security

It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom how WatchGuard's Wi-Fi security stacks up against the competition in our upcoming webinar!

Hedley PhillipsOwnerCommented:
I would relax and forget about it then.

Spoofing comes in waves, you will find that it clears up fairly soon until the next batch. Blacklists aren't fooled by the spoof so you won't get added to their lists.

GFI is a good bit of software and the Directory harvesting works well. Do you have it set at header level or email body as the latest version allows you to kill the spam at the header level thus reducing the load on your server.

Regarding f) you should be able to see in your logs Exchange server logs the source mail server for the emails. If you want, paste an excerpt from them so we can have a look. I imagine you will only see the incoming mails and nothing goin gout.
to really get rid of spam, both from your own address, and the trillion of others you really only have two options.

1.  a device on your own network such as the sonicwall email security appliance
2.  a hosted solutions such as mxlogic.

GuildOfDruidsAuthor Commented:
Here is message tracking log of the email from me to myself.

2008-11-13      13:12:12 GMT      -      mailserver      1019      0      0      7682      1      2008-11-13 13:12:12 GMT      0      Version: 6.0.3790.3959      -      -

how can i stop emails like these?

Hedley PhillipsOwnerCommented:
In Exchange an email from you to you would not route out to it would stay inside the building and look like:

2008-11-14      9:45:28 GMT      -      -      -      EXCHANGE1      -      /O=DOMAIN/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=USERNAME      1027      ACB1BAB90DC835499689E200CA2C999244F00C@exchange1.DOMAIN.local      0      0      1235      1      2008-11-14 9:45:28 GMT      0      -      c=US;a= ;p=DOMAIN;l=EXCHANGE1-081114094528Z-139      FUCK      EX:/O=DOMAIN/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=USERNAME      -

The only way to stamp on these is to configure your GFI and tighten it up. We use the same software as you and don't get any of these so I can only assume we have our GFI locked down tighter.

Make sure you have all the different filters set and also I would also recommend setting SPF on your DNS records.


This has really helped cut down on spam.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Hedley PhillipsOwnerCommented:

how are you progressing with this?
GuildOfDruidsAuthor Commented:
My GFI is set to a balanced settings, If I tightened it more up I could block some legitimate emails and vice versa. But I cant do anything about email from me to myself. I thought there would be some different settings for such case. I'm sure the spammers alter the heading because you are right these are being route from (example)

I do have the SPF settings and .... hang on, let me paste those settings may there is something wrong in it.

v=spf1 mx -all

I do have the GFI Sender Policy Framework set to Low, but as I said making this option more tightened can cause some clients email being filtered.

Anyway thanks for your above email which clarified that these ain't triggered from my exchange server.

Hedley PhillipsOwnerCommented:

are you happy to close this question down and assign points?
GuildOfDruidsAuthor Commented:
just last thing, Is there anything wrong in the spf i'm using?

v=spf1 mx -all

Hedley PhillipsOwnerCommented:
That is correct.

The -all means that no other servers can send mail with a hard fail. If you sued a ~ this would give a soft fail
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.