email spoofed?

Posted on 2009-12-22
Last Modified: 2012-05-08
Not sure if someone spoofed our domain and used my Exchange server to send out tons of emails, but that's what it looks like to me happened. I have attached a screenshot of the logs from my Exchange Server 2007 SP2. For some reason, the system won't let me download them, but my Exchange server is telling me that an email address from my domain, which does exist in AD, sent out thousands of emails a few days ago.

How could this be, because no one actually has the email in question? It's just used to receive certain emails at. How can I research this further to see if someone hacked into my system or to see what happened?

Any help with this will be much appreciated.
Question by: afacts

Expert Comment

ID: 26109849
Is the client IP a workstation? It's possible a virus was downloaded and is sending emails. If so I would isolate it, run virus scans and even use a sniffer like Wireshark or something to watch it.

Since the address is good on your side, I'd expect Exchange to send it if the client is authenticated.

Author Comment

ID: 26109857
The client IP listed is my Exchange server. That's the frustrating part, it doesn't show me the actual client (computer) IP address, but only the IP address of my Exchange server. I have Panda Antivirus on the server, but it doesn't show that it has a virus, but I'll run the scan and perhaps try a few other scans on it as well using different antivirus software.

Accepted Solution

rparsons1000 earned 2000 total points
ID: 26110162
I looked at my message logs and client IP does show the IP of the server. I never noticed that before but have never needed to check it in nearly 2 years.

A couple of things you could do to prevent a future outburst are:

Deny outbound external email for the mailbox since it is incoming only

And maybe set up journaling for the internal address to monitor for a bit. If it continues, I am unsure what to do other than capture the traffic to determine the offending system.
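The accepted solution leaves open how to determine the offending system from the Exchange logs themselves. The following Exchange Management Shell script is an added example for that step, not code from the thread or from the answerer; it assumes an Exchange 2007 Hub Transport server and uses a placeholder sender address and date range.

```powershell
# Added example (not from this thread): summarise Exchange 2007 message tracking
# entries for one sender so that the submission path of the burst becomes visible.
# Assumptions: run in the Exchange Management Shell on the Hub Transport server;
# the sender address and the seven-day window below are placeholders.
$Sender = "inbound-only@example.com"   # placeholder for the affected address
$Start  = (Get-Date).AddDays(-7)
$End    = Get-Date

# RECEIVE events record how each message entered transport. For messages submitted
# from a mailbox (Outlook/OWA via the store), Source is STOREDRIVER and ClientIp is
# the mailbox server itself, which is why only the Exchange server's IP shows up.
# For SMTP submission, Source is SMTP, ClientIp is the real submitting host and
# ConnectorId names the receive connector that accepted the message.
$events = Get-MessageTrackingLog -Sender $Sender -EventId RECEIVE `
            -Start $Start -End $End -ResultSize Unlimited

# Where did the messages come from, and through which connector?
$events |
  Group-Object Source, ConnectorId, ClientIp, ClientHostname |
  Sort-Object Count -Descending |
  Select-Object Count, Name |
  Format-Table -AutoSize

# Per-hour volume, to bound the incident window before pulling other logs.
$events |
  Group-Object { $_.Timestamp.ToString("yyyy-MM-dd HH:00") } |
  Sort-Object Name |
  Select-Object Name, Count |
  Format-Table -AutoSize

# Distinct recipient count and a few subjects for triage of the content.
$recipientCount = ($events | ForEach-Object { $_.Recipients } | Sort-Object -Unique).Count
"Distinct recipients: $recipientCount"
$events |
  Select-Object -First 5 Timestamp, MessageSubject,
    @{ Name = "Recipients"; Expression = { $_.Recipients -join ";" } } |
  Format-Table -AutoSize
```

If every RECEIVE event shows Source STOREDRIVER, the messages were submitted through a mailbox session rather than by an SMTP client, so the next place to look is the mailbox server's logon and RPC client access information for that account rather than the SMTP receive connectors.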

Author Comment

ID: 26176721
So which mailbox would I deny outbound external mail for?
The link you referenced was for 2003, but I have 2007 SP2 installed.
How do I set up journaling for that internal address to monitor? I'm not sure what you mean by that.

Author Closing Comment

ID: 31669273
Thanks for your help, the problem wasn't solved, but I need to close the ticket.
