Dan

email spoofed?

Not sure if someone spoofed our domain and used my Exchange server to send out tons of emails, but that's what it looks like happened to me. I have attached a screenshot of the logs from my Exchange Server 2007 SP2. For some reason, the system won't let me download them, but my Exchange server is telling me that an email address from my domain, which does exist in AD, sent out thousands of emails a few days ago.

How could this be? No one actually has the email in question; it's just used to receive certain emails at. How can I research this further to see if someone hacked into my system or to see what happened?

Any help with this will be much appreciated.
exchangeerrors.jpg
rparsons1000

Is the client IP a workstation? It's possible a virus was downloaded and is sending emails. If so, I would isolate it, run virus scans and even use a sniffer like Wireshark or something to watch it.

Since the address is good on your side, I'd expect Exchange to send it if the client is authenticated.
Dan (ASKER)

The client IP listed is my Exchange server. That's the frustrating part: it doesn't show me the actual client (computer) IP address, but only the IP address of my Exchange server. I have Panda Antivirus on the server, and it doesn't show that it has a virus, but I'll run the scan and perhaps try a few other scans on it as well using different antivirus software.
ASKER CERTIFIED SOLUTION
rparsons1000

This solution is only available to members.
Dan (ASKER)

So what mailbox would I deny outbound external mail for?
The link you referenced was for 2003, but I have 2007 SP2 installed.
How do I set up journaling for that internal address to monitor? I'm not sure what you mean by that.
Dan (ASKER)

Thanks for your help, the problem wasn't solved, but I need to close the ticket.
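
Added example, not part of the original thread: one way to research which path the messages took is to read the Exchange message tracking log files offline and group the suspect sender's RECEIVE events by source and client IP. In these logs, source STOREDRIVER on a RECEIVE event means the message was submitted from a mailbox on the server, while source SMTP means it arrived over an SMTP connection from the host in client-ip. The log text, addresses and IPs below are constructed, and the column list is trimmed to the fields the script uses.

```python
import csv
from collections import Counter

# Constructed sample in the message tracking log layout: "#" header lines, then CSV.
# Real logs carry more columns; the parser takes the column names from "#Fields:".
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source,event-id,recipient-address,message-subject,sender-address
2010-03-01T02:14:07.101Z,192.0.2.77,unknown,10.0.0.5,EXCH01,SMTP,RECEIVE,a@example.net;b@example.net,Hello,alerts@example.com
2010-03-01T02:14:09.332Z,192.0.2.77,unknown,10.0.0.5,EXCH01,SMTP,RECEIVE,c@example.org,"Offer, today only",Alerts@example.com
2010-03-01T02:14:09.910Z,10.0.0.5,EXCH01,198.51.100.9,mx.example.org,SMTP,SEND,c@example.org,"Offer, today only",alerts@example.com
2010-03-01T08:30:00.000Z,10.0.0.5,EXCH01,10.0.0.5,EXCH01,STOREDRIVER,RECEIVE,d@example.net,Report,alerts@example.com
2010-03-01T08:31:00.000Z,10.0.0.20,PC20,10.0.0.5,EXCH01,SMTP,RECEIVE,e@example.net,Lunch,bob@example.com
"""


def parse_tracking_log(text):
    """Return one dict per event row, keyed by the names on the #Fields line."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line and not line.startswith("#") and fields:
            row = next(csv.reader([line]))  # csv handles quoted subjects with commas
            if len(row) == len(fields):     # ignore truncated or damaged rows
                events.append(dict(zip(fields, row)))
    return events


def submission_paths(events, sender):
    """Count recipients per (source, client-ip) over RECEIVE events from sender."""
    paths = Counter()
    for e in events:
        if e["event-id"] == "RECEIVE" and e["sender-address"].lower() == sender.lower():
            recipients = [r for r in e["recipient-address"].split(";") if r]
            paths[(e["source"], e["client-ip"])] += len(recipients)
    return paths


if __name__ == "__main__":
    counts = submission_paths(parse_tracking_log(SAMPLE_LOG), "alerts@example.com")
    for (source, client_ip), n in counts.most_common():
        print(f"{source:12} {client_ip:15} {n} recipient(s)")
```

A large count under SMTP with a client-ip that is not the server points toward mail being handed to the server over SMTP, while a count under STOREDRIVER with the server's own IP points toward the mailbox itself being used to send.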