Exchange 2003 Mail being sent by impersonation

We have an Exchange 2003 server on SBS 2003 using ISA 2004. We recently implemented a cloud-based SPAM management service and we are seeing email attempting to be sent out by a mailbox of postmaster@<ourdomain>.com when that mailbox doesn't exist and no one is initiating these emails. Also, in our Small Business Server usage report it shows email going out for users that have valid mailboxes but are no longer with the company and are no longer configured in a mail client other than, of course, OWA.

How do we track down or prevent these emails from being sent from both the user postmaster that doesn't have a valid mailbox on Exchange and the valid users who have mailboxes but aren't with the company (without disabling them of course)?
Beratung Asked:
 
Alan Hardisty (Co-Owner) Commented:
Forgot to add this link for how to enable recipient filtering:

http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html
 
uescomp Commented:
I would look at scanning your systems etc. with Malwarebytes; you probably have a spam bot on one of the PCs that is disguising the tag of the email. Try seeing if you can find a message option to look at the header of the email in general to maybe get an idea of who has the bot. You can also try removing the profiles of the infected user (on the workstation, not the server), or scan for infections.

Bots simply will disguise themselves and even sometimes duplicate your email address so you will receive emails from yourself etc.
 
Alan Hardisty (Co-Owner) Commented:
The Postmaster@yourdomain.com messages are typical Non-Delivery report emails and will continue to happen if you do not enable recipient filtering on your server.  When you enable this, the onus for producing a Non-Delivery report shifts to the sender and thus you won't see those emails again.

As for outbound emails from no-longer used accounts - change all the passwords as one / all of them could have been guessed and are now being abused by a spammer.  Once changed, restart the Simple Mail Transfer Protocol Service and monitor your reports.
 
Beratung (Author) Commented:
Alan, thanks. I thought that too about the Postmaster, but I had already set recipient filter and our SPAM management blocks any unknown recipients. I would think NDRs wouldn't be an issue since no spam and unknown recipients are making it to the Exchange server. Am I missing anything?

I'll reset those user accounts, but the passwords were extremely strong. I'll report back.
 
Citacomp Commented:
Just to verify... have you looked to see what the content of these emails from Postmaster are?  Are they NDRs or are they other email?  If you don't already have one, a quick way to see the messages coming and going from your server is to use the Message Tracking Center in Exchange System Manager.  You will first have to enable Message Tracking in your server properties under ESM if not already done.
 
Beratung (Author) Commented:
A second restart of the service did the trick after applying recipient filtering. For some reason the first restart didn't set the config. Thanks!
Question has a verified solution.
