<div>
This assumes that somebody has not forged any of the SMTP header information.
</div>


<div>
view &gt;&nbsp;options &gt;&nbsp;header info.<br />
Copy paste the entire contents into notepad<br />
<br />
check the message-id: field<br />
Message-ID: &lt;76131413fe3ae29312fea96dd<wbr />9fbf5@tifa<wbr />-5fa7cbaf0<wbr />b&gt;<br />
<br />
If its a exchange server - the part after the @ sign is the mailbox servername.<br />
If its java etc - it is probably scripted through some Java/PHP mailer<br />
<br />
now look for this field<br />
Received: from TIFA-5FA7CBAF0B.Local (tifadc05@112.105.178.186 with login)<br />
&nbsp; &nbsp; &nbsp; &nbsp; by smtp109.mail.tp2.yahoo.com<wbr /> with SMTP; 03 Sep 2010 22:32:18 -0700 PDT<br />
<br />
--<br />
what I do is<br />
a) Find the originating server - TIFA in this case.<br />
b) Search for TIFA in the header field.<br />
The IP address next to that = source of spam<br />
<br />
--<br />
But these things can be spoofed too.<br />

</div>


<div>
I can insert fake from's to make it look like my SMTP server was the middle of the stream instead of the originator of the stream.
</div>


<div>
Here is the header.<br />
&nbsp;<br />
<a href="https://filedb.experts-exchange.com/incoming/2010/09_w37/346798/spam.txt" target="_blank" class="file-inline" title="Header (3 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>spam.txt</a>
</div>


spam.txt

<div>
Message-ID: &lt;LbIUndNXh0000e41f@SNT0-MC<wbr />3-F14.Snt0<wbr />.hotmail.c<wbr />om&gt;<br />
spam
</div>


<div>
most likely someone using hotmail for their relay
</div>


<div>
all of these headers can be spoofed.<br />
<br />
They even have a x- header with spam assassin signature as clean.<br />
<br />
------------------<br />
Microsoft Mail Internet Headers Version 2.0<br />
<br />
Received: from mail.spamserver.net ([x.x.x.x]) by exchange.myserver.com with Microsoft SMTPSVC(6.0.3790.4675);<br />
<br />
Resent-To: info@exchange.myserver.com<wbr /><br />
Resent-From: info@myserver.com<br />
Resent-Message-Id: &lt;B0534444566@mail.spamserv<wbr />er.net&gt;<br />
Resent-Date: Fri, 10 Sep 2010 05:05:57 -0400<br />
<br />
X-Modus-Audit: FALSE;0;0;0<br />
<br />
Received: from mailin-1.spamserver.net (unverified [x.x.x.x]) by mail.spamserver.net (Vircom SMTPRS 5.0.916.0) <br />
with ESMTP id &lt;B0534444564@mail.spamserv<wbr />er.net&gt; for &lt;info@myserver.com&gt;;<br />
<br />
X-Modus-BlackList: x.x.x.x=OK;=OK<br />
X-Modus-Trusted: x.x.x.x=NO<br />
X-Modus-Audit: FALSE;0;0;0<br />
Received: from snt0-omc4-s43.snt0.hotmail<wbr />.com (snt0-omc4-s43.snt0.hotmai<wbr />l.com [65.54.51.94])<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; by mailin-1.spamserver.net (Postfix) with ESMTP id 4E1EAC30356<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; for &lt;info@myserver.com&gt;; Fri, 10 Sep 2010 05:00:36 -0400 (EDT)<br />
Received: from SNT0-MC3-F14.Snt0.hotmail.<wbr />com ([65.55.90.199]) by snt0-omc4-s43.snt0.hotmail<wbr />.com with Microsoft SMTPSVC(6.0.3790.4675);<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Fri, 10 Sep 2010 02:00:36 -0700<br />
Message-ID: &lt;LbIUndNXh0000e41f@SNT0-MC<wbr />3-F14.Snt0<wbr />.hotmail.c<wbr />om&gt;<br />
Subject: Delivery Status Notification (Failure)<br />
<br />
X-MailScanner: Found to be clean<br />
X-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0,<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; required 7, autolearn=disabled, RCVD_IN_DNSWL_NONE -0.00)<br />
<br />
Received: from smtp27.orange.fr ([80.12.242.96]) by SNT0-MC3-F14.Snt0.hotmail.<wbr />com with Microsoft SMTPSVC(6.0.3790.4675);<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Fri, 10 Sep 2010 02:00:36 -0700<br />
Received: from me-wanadoo.net (localhost [127.0.0.1])<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; by mwinf2721.orange.fr (SMTP Server) with ESMTP id 22C8F1C00042;<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Fri, 10 Sep 2010 11:00:35 +0200 (CEST)<br />
Received: from me-wanadoo.net (localhost [127.0.0.1])<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; by mwinf2721.orange.fr (SMTP Server) with ESMTP id 14E071C00280;<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Fri, 10 Sep 2010 11:00:35 +0200 (CEST)<br />
Received: from FILESERVER (LRouen-152-83-1-113.w80-1<wbr />3.abo.wana<wbr />doo.fr [80.13.64.113])<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; by mwinf2721.orange.fr (SMTP Server) with SMTP id B2D3E1C00042;<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Fri, 10 Sep 2010 11:00:34 +0200 (CEST)<br />

</div>


<div>
This is the header from the e-mail telling you it was rejected.<br />
<br />
I have not record of sending the email.<br />

</div>


<div>
<div class="content wysiwyg-content">
I have two users who have been recieving messages like these for the last couple of days. &nbsp;I don't think that they are coming from my server. &nbsp;How do I determine where they are originating from? &nbsp;<br />
<br />
<br />
Your message did not reach some or all of the intended recipients.<br />
&nbsp; &nbsp; &nbsp; Subject: &nbsp;smiling to you, dear<br />
&nbsp; &nbsp; &nbsp; Sent: &nbsp; &nbsp; 9/10/2010 7:33 AM<br />
The following recipient(s) could not be reached:<br />
&nbsp; &nbsp; &nbsp; dta77@hotmail.com on 9/10/2010 7:33 AM<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; There was a SMTP communication problem with the recipient's email server. &nbsp;Please contact your system administrator.<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;SNT0-MC3-F30.Snt0.hotmail<wbr />.com #5.5.0 smtp;550 Requested action not taken: mailbox unavailable (1044235902:3448:-21474672<wbr />59)&gt;<br />

</div>
</div>


I have two users who have been recieving messages like these for the last couple of days.  I don't think that they are coming from my server.  How do I determine where they are originating from?  


Your message did not reach some or all of the intended recipients.
      Subject:  smiling to you, dear
      Sent:     9/10/2010 7:33 AM
The following recipient(s) could not be reached:
      dta77@hotmail.com on 9/10/2010 7:33 AM
            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <SNT0-MC3-F30.Snt0.hotmail.com #5.5.0 smtp;550 Requested action not taken: mailbox unavailable (1044235902:3448:-2147467259)>


SPAM how to determine the originator? Exchange 2003

Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.