email spoofed?

Posted on 2009-12-22
Last Modified: 2012-05-08
Not sure if someone spoofed our domain and used my Exchange server to send out tons of emails, but that's what it looks like to me happened.  I have attached a screenshot of the logs from my Exchange Server 2007 SP2.  For some reason, the system won't let me download them, but my Exchange server is telling me that an email address from my domain, which does exist in AD, sent out thousands of emails a few days ago.

How could this be, because no one actually has the email in question? It's just used to receive certain emails at.  How can I research this further to see if someone hacked into my system, or to see what happened?

Any help with this will be much appreciated.
Question by:afacts

    Expert Comment

    Is the client IP a workstation? It's possible a virus was downloaded and is sending emails. If so, I would isolate it, run virus scans and even use a sniffer like Wireshark or something to watch it.

    Since the address is good on your side, I'd expect Exchange to send it if the client is authenticated.

    Author Comment

    The client IP listed is my Exchange server.  That's the frustrating part: it doesn't show me the actual client (computer) IP address, but only the IP address of my Exchange server.  I have Panda Antivirus on the server, but it doesn't show that it has a virus. I'll run the scan and perhaps try a few other scans on it as well using different antivirus software.

    Accepted Solution

    I looked at my message logs and client IP does show the IP of the server. I never noticed that before, but have never needed to check it in nearly 2 years.

    A couple of things you could do to prevent a future outburst are:

    Deny outbound external email for the mailbox since it is incoming only

    And maybe set up journaling for the internal address to monitor for a bit. If it continues, I am unsure what to do other than capture the traffic to determine the offending system.
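The tracking-log triage the accepted answer alludes to can be scripted in the Exchange 2007 Management Shell. This is an added example, not from the thread; the sender address and date range are assumptions, and the address is a placeholder.

```powershell
# Added example (not from the thread): triage a sender spike in Exchange 2007
# message tracking logs. $Sender and the date window are assumptions.
$Sender = "inbound-only@example.com"     # placeholder for the receive-only address
$Start  = (Get-Date).AddDays(-7)
$End    = Get-Date

# 1. Pull every tracking event for that sender on this Hub Transport server.
$events = Get-MessageTrackingLog -Sender $Sender -Start $Start -End $End -ResultSize Unlimited

# 2. How did the messages enter transport? Source STOREDRIVER means they were
#    submitted from a mailbox (Outlook/OWA/EWS); Source SMTP means they came in
#    over a receive connector. For STOREDRIVER submissions ClientIp is the
#    Exchange server itself, which matches the symptom described in the thread;
#    only SMTP submissions carry the submitting host's address.
$events | Where-Object { $_.EventId -eq "RECEIVE" } |
    Group-Object Source, ConnectorId, ClientIp |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. Outbound volume per hour, to size the burst and find when it started.
$events | Where-Object { $_.EventId -eq "SEND" } |
    Select-Object @{ n = "Hour"; e = { $_.Timestamp.ToString("yyyy-MM-dd HH:00") } } |
    Group-Object Hour |
    Format-Table Count, Name -AutoSize

# 4. If the entry point was SMTP, verify no receive connector grants anonymous
#    relay (ms-Exch-SMTP-Accept-Any-Recipient). A non-empty result here means
#    any host reaching that connector can send as your domain without a login.
Get-ReceiveConnector | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" } |
    Format-Table Identity, ExtendedRights -AutoSize
```

If step 2 shows STOREDRIVER, the next place to look is the mailbox itself (who holds Send As or Full Access on it, and any client logons in the IIS/RPC logs), since the tracking log will not name the workstation.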

    Author Comment

    So to what mailbox would I deny outbound external mail for?
    The link you referenced was for 2003, but I have 2007 SP2 installed.
    How do I set up journaling for that internal address to monitor? I'm not sure what you mean by that.

    Author Closing Comment

    Thanks for your help, the problem wasn't solved, but I need to close the ticket.
