Background: We have our own Exchange 2003 server running in-house. It is behind our firewall - mail does not arrive to it directly; we use POPCon to pull email from POP accounts and pass it on to Exchange, then we use Outlook to connect to Exchange. For outgoing email, we have our smarthost set to relay.dnsexit.com. So I don't *think* that we have an open relay (I tested it from http://www.abuse.net/relay.html and it reports "Could not connect, test failed.", which I think is correct, because the server should be completely behind our firewall).
Today we received dozens (hundreds?) of spam bounce-backs from a variety of .ru domains. Normally I wouldn't be concerned about this - someone must be using one of our email addresses as the reply-to on a bunch of spam.
But... what I am concerned about is that some of the bounce-backs look like messages from the Exchange system administrator, e.g. it looks an awful lot like the spam is coming from inside our Exchange box (see attached image).
I have looked at the SMTP logs in \system32\logfiles\smtpsvc and I don't see any outbound messages to .ru, but I suppose if someone had hijacked this server they could delete from these logs as well...
What I want to verify is this -- can a bounce-back message from the outside world generate one of these Exchange-like "system administrator" messages in the attached image? Or can these "system administrator" messages only be generated when the original mail was sent outbound from Exchange?
Thanks for any help!
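An added check for the log review described above (example code, not from the original post): a header-driven parser for the W3C extended logs in \system32\logfiles\smtpsvc that separates inbound from outbound records and lists every outbound RCPT to a .ru address. It assumes the default layout in which outbound commands are logged with cs-username OutboundConnectionCommand; the sample log lines are constructed.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample of an IIS SMTP W3C extended log (not a real capture).
# Column layout is taken from the #Fields header, so the parser adapts to
# whatever columns the server is configured to log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip cs-method cs-uri-query sc-status
2009-03-02 10:01:05 203.0.113.7 OutboundConnectionCommand SMTPSVC1 EXCH01 192.0.2.10 RCPT +TO:<friend@example.com> 0
2009-03-02 10:01:09 198.51.100.9 mx.example.ru SMTPSVC1 EXCH01 192.0.2.10 RCPT +TO:<postmaster@ourdomain.example> 250
2009-03-02 10:02:14 203.0.113.8 OutboundConnectionCommand SMTPSVC1 EXCH01 192.0.2.10 RCPT +TO:<victim@spam-target.ru> 0
"""

# Assumed marker (default IIS SMTP logging): outbound connection commands
# carry this value in cs-username; inbound records carry the remote HELO name.
OUTBOUND_MARKER = "OutboundConnectionCommand"
ADDR_RE = re.compile(r"<([^>]+)>")


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed or header-less line; skip rather than misalign
        yield dict(zip(fields, values))


def direction_counts(text: str) -> Dict[str, int]:
    """Count records the server sent out versus records it received."""
    counts = {"inbound": 0, "outbound": 0}
    for rec in parse_w3c(text):
        key = "outbound" if rec.get("cs-username") == OUTBOUND_MARKER else "inbound"
        counts[key] += 1
    return counts


def outbound_rcpt_to_tld(text: str, tld: str = "ru") -> List[Tuple[str, str, str]]:
    """Return (timestamp, remote ip, recipient) for outbound RCPT to the given TLD."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-username") != OUTBOUND_MARKER or rec.get("cs-method") != "RCPT":
            continue
        m = ADDR_RE.search(rec.get("cs-uri-query", ""))
        if m and m.group(1).lower().rsplit(".", 1)[-1] == tld:
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"], m.group(1).lower()))
    return hits
```

Run it over the real files in the smtpsvc directory instead of SAMPLE_LOG; an empty result for outbound RCPT to .ru, combined with inbound records from .ru hosts, is consistent with backscatter rather than mail originating on the server.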