Exchange 2003 Mail being sent by impersonation

We have an Exchange 2003 server on SBS 2003 using ISA 2004.  We recently implemented a cloud-based SPAM management service and we are seeing email attempting to be sent out by a mailbox of postmaster@<ourdomain>.com when that mailbox doesn't exist and no one is initiating these email.  Also, in our Small Business Server usage report it shows email going out for user that have valid mailboxes but are no longer with the company and are no longer configured in a mail clien other than, of course, OWA.

How do we track down or prevent these emails from being sent from both the user postermaster that doesn't have a valid mailbox on Exchange and the valid users who have mailboxes but aren't wth the company (without disabling them of course)?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I would look at scanning your systems etc with malwarebytes, you probably have a spam bot on one of the pc's that is disguising the tag of the email.  Try seeing if you can find a message options to look at the header of the email in general to maybe get an idea of who has the bot.  You can also try removing the profiles of the infected user (on the workstation, not the server), or scan for infections.

Bots simply will disguise themselves and even sometimes duplicate your email address so you will recieve emails from yourself etc.  
Alan HardistyCo-OwnerCommented:
The messages are typical Non-Delivery report emails and will continue to happen if you do not enable recipient filtering on your server.  When you enable this, the onus for producing a Non-Delivery report shifts to the sender and thus you won't see those emails again.

As for outbound emails from no-longer used accounts - change all the passwords as one / all of them could have been guessed and are now being abused by a spammer.  Once changed, restart the Simple Mail Transfer Protocol Service and monitor your reports.
Alan HardistyCo-OwnerCommented:
Forgot to add this link for how to enable recipient filtering:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

BeratungAuthor Commented:
Alan thanks.  I thought that too about the Postmaster but  I had already set recipient filter and our SPAM management blocks any unknown receipients,  I would think NDR's wouldn't be an issue since no spam and unknown receipients are making it to the Exchange server.  Am I missing anything?

I'll reset those user accounts, but the passwords were extremely strong.  I'll report baclk.
Just to verify... have you looked to see what the content of these emails from Postmaster are?  Are they NDRs or are they other email?  If you don't already have one, a quick way to see the messages coming and going from your server is to use the Message Tracking Center in Exchange System Manager.  You will first have to enable Message Tracking in your server properties under ESM if not already done.
BeratungAuthor Commented:
A second restart of the service did the trick after applying recipient filtering.  For some reason the first restart didin't set the config.  THanks!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.