Not sure if someone spoofed our domain and used my Exchange server to send out tons of emails, but that's what it looks like to me happened.  I have attached a screenshot of the logs from my Exchange Server 2007 SP2.  For some reason, the system won't let me download them, but my Exchange server is telling me that an email address from my domain, which does exist in AD, sent out thousands of emails a few days ago.

How could this be, because no one actually has the email in question; it's just used to receive certain emails at.  How can I research this further to see if someone hacked into my system or to see what happened?

Any help with this will be much appreciated.
Dan (Network Engineer) asked:
rparsons1000 commented:
I looked at my message logs and client IP does show the IP of the server. I never noticed that before but have never needed to check it in nearly 2 years.

A couple of things you could do to prevent a future outburst are:

Deny outbound external email for the mailbox since it is incoming only

And maybe set up journaling for the internal address to monitor for a bit. If it continues, I am unsure what to do other than capture the traffic to determine the offending system.
Is the client IP a workstation? It's possible a virus was downloaded and is sending emails. If so I would isolate it, run virus scans and even use a sniffer like Wireshark or something to watch it.

Since the address is good on your side, I'd expect Exchange to send it if the client is authenticated.
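Added example (not part of the thread, and not code from the poster): the answer above suggests looking at the client IP and setting up journaling for the address. In Exchange 2007 the place to do the first part is the message tracking log, which records for every RECEIVE event both the ClientIp and a Source field. A Source of STOREDRIVER means the message was submitted from a mailbox (Outlook, OWA, ActiveSync or a web-services logon), in which case ClientIp is the Mailbox server's own address; a Source of SMTP means it arrived over a receive connector and ClientIp is the submitting host. The script below runs in the Exchange Management Shell on the Hub Transport server; the sender address, journal mailbox and date range are placeholders, and the journal rule assumes the per-recipient (premium) journaling available in Exchange 2007 SP1.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell (Exchange 2007 SP1/SP2).
# Placeholders: replace the sender, journal mailbox and date window with your own values.
$sender  = "inbox-only@example.com"     # placeholder for the receive-only address from the question
$journal = "journal@example.com"        # placeholder for the mailbox that should receive journal copies
$start   = (Get-Date).AddDays(-7)
$end     = Get-Date

# Every RECEIVE event for that sender: the point where transport accepted the message.
$events = Get-MessageTrackingLog -Sender $sender -EventId RECEIVE -Start $start -End $end -ResultSize Unlimited

# How did the messages enter transport?
#   STOREDRIVER -> submitted from the mailbox itself; ClientIp is the Mailbox server (matches the symptom described)
#   SMTP        -> submitted to a receive connector; ClientIp is the real submitting host
$events | Group-Object Source, ClientIp, ClientHostname |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# For SMTP submissions, the connector tells you whether an anonymous relay or an
# authenticated connector accepted the traffic.
$events | Where-Object { $_.Source -eq "SMTP" } |
    Group-Object ConnectorId | Format-Table Count, Name -AutoSize

# Volume per hour: thousands of messages in a short window reads as automated, not a person.
$events | Group-Object { $_.Timestamp.ToString("yyyy-MM-dd HH:00") } |
    Sort-Object Name | Format-Table Name, Count -AutoSize

# Recipient domains and subjects help distinguish spam from legitimate traffic.
$events | ForEach-Object { $_.Recipients } |
    ForEach-Object { ($_ -split "@")[1] } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 20 Count, Name
$events | Group-Object MessageSubject |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name

# Journaling for just this address (assumes premium journaling / Enterprise CAL).
# Scope Global copies both internal and external mail involving the recipient.
New-JournalRule -Name "Monitor receive-only address" `
    -JournalEmailAddress $journal -Recipient $sender -Scope Global -Enabled $true
```

If the grouping shows STOREDRIVER with the server's IP, the messages were submitted through a logon to the mailbox rather than relayed through SMTP, so the next things to review are who holds access to that mailbox (Get-MailboxPermission, Send-As rights) and the server's own security log for logons around the burst; if it shows SMTP with a workstation IP, that host is the one to isolate and scan, as the answer above suggests.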
Dan (Network Engineer, author) commented:
The client IP listed is my Exchange server.  That's the frustrating part, it doesn't show me the actual client (computer) IP address, but only the IP address of my Exchange server.  I have Panda Antivirus on the server, but it doesn't show that it has a virus, but I'll run the scan and perhaps try a few other scans on it as well using different antivirus software.
Dan (Network Engineer, author) commented:
So to what mailbox would I deny outbound external mail for?
The link you referenced was for 2003, but I have 2007 SP2 installed.
How do I set up journaling for that internal address to monitor? I'm not sure what you mean by that.
Dan (Network Engineer, author) commented:
Thanks for your help, the problem wasn't solved, but I need to close the ticket.
