messages delivered to admin account and not the intended recipient

Periodically - we have some incoming email messages that get delivered to our admin account and not the intended recpient. It was a low priority issue as it usually was an email blast message where the recepient was blind copied or an undisclosed recipient, but lately I have one domain that can not send us direct messages without it being routed to the admin account. I'm also not sure why these messages go to our admin@domain account as I do not have that specified in the Exchange Systems Manager or our Microsoft Antigen
TPMcGill-SheratonAsked:
Who is Participating?
 
TPMcGill-SheratonAuthor Commented:
The problem was with the ISP provider that hosted our AMX record
0
 
davorinCommented:
Maybe it has something to do with antispam filtering.
I would start troubleshooting the problem with viewing SMTP logs and message tracking tool.

It is the same problem if they try to send to different adresses?
0
 
Rajith EnchiparambilOffice 365 & Exchange ArchitectCommented:
Looks like the spam emails have been configured to re-route to admin mailbox.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
TPMcGill-SheratonAuthor Commented:
No matter what user they send to it goes to the admin mailbox and not the intended recipient. The domains are safe senders and there is no entries in our antigen log.

Below is the message header of an email that went to the admin mailbox

Microsoft Mail Internet Headers Version 2.0
Received: from wsmarth-infect.pas.sa.earthlink.net ([207.217.120.84]) by mail.sheratonatl.local with Microsoft SMTPSVC(6.0.3790.4675);
       Fri, 29 Apr 2011 18:47:27 -0400
Received: from whmx-nag.pas.sa.earthlink.net ([207.217.120.230])
      by wsmarth-infect.pas.sa.earthlink.net with smtp (Exim 3.36 #4)
      id 1QFwT2-0003Xk-00
      for admin@sheratonatl.com; Fri, 29 Apr 2011 17:47:20 -0500
X-ELNK-Loop: postmaster@sheratonatl.com
Received: from whmx-nag.pas.sa.earthlink.net ([127.0.0.1])
      by whmx-nag.pas.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1qfWt058Z3NZFmC0; Fri, 29 Apr 2011 15:47:18 -0700 (PDT)
Received: from mail155c38.carrierzone.com ([66.175.56.185])
      by whmx-nag.pas.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1qfWsZ5uk3NZFmC0
      for <postmaster@sheratonatl.com>; Fri, 29 Apr 2011 15:47:17 -0700 (PDT)
X-Authenticated-User: richard.presentingatlanta.com
Received: from RichardPC (74-202-25-250.static.twtelecom.net [74.202.25.250] (may be forged))
      (authenticated bits=0)
      by mail155c38.carrierzone.com (8.13.6/8.13.1) with ESMTP id p3TMlEQ0025843;
      Fri, 29 Apr 2011 22:47:16 +0000
From: "Richard Jones" <richard@presentingatlanta.com>
To: <pat.trammell@hyatt.com>, "'Q9 WIP'" <WIP@q9ads.com>, <michael@q9ads.com>,
        <veine@q9ads.com>, "'Keith Hensley'" <Keith.Hensley@marriott.com>,
        <Mary.Baxter@marriott.com>,
        "'Daniel Senden'" <dsenden@sheratonatl.com>,
        "'Edd Karlan'" <Edd.Karlan@hilton.com>, <Rukiya.Bey@hilton.com>
References: <OFC6D31079.86ED9D21-ON85257881.005FC533@hyatt.com>
In-Reply-To: <OFC6D31079.86ED9D21-ON85257881.005FC533@hyatt.com>
Subject: RE: New comment posted to Q9 Job #3575_AARM_Atlanta_Alliance_Website
Date: Fri, 29 Apr 2011 18:47:16 -0400
Message-ID: <01fd01cc06bf$65654e80$302feb80$@com>
MIME-Version: 1.0
Content-Type: text/plain;
      charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcwGlXWcVyrVB3K1TwiLpkFK4iEkfwACjQfQ
Content-Language: en-us
X-CSC: 0
X-CHA: v=1.1 cv=jpd6Eq6hhthdGUyp4g6xuwyN3bq3gxPNGeAh1QQag/A= c=1 sm=1
            a=nu8L7UM6Fy4A:10 a=YsWWI4kEeAgA:10 a=IkcTkHD0fZMA:10
            a=VRqUN+a7pGObuD/3ONGFjQ==:17 a=v68GH2aqAAAA:8 a=MPoOR6PzAAAA:8
            a=Td3EgxEIAAAA:8 a=3Lfl1ZXoAAAA:8 a=_8zBwPMRAAAA:8 a=L1ZBEMwHAAAA:8
            a=pGLkceISAAAA:8 a=BUCncRSxAAAA:8 a=a7H7VjAIAAAA:8 a=r6T-0wBi3Mqx_WcGwaAA:9
            a=OWH6lbf_h2EF_7d7A_gA:7 a=QEXdDO2ut3YA:10 a=2q1izpddlPsA:10
            a=bLw0ySDEODkA:10 a=5oNGTS7aHg4A:10 a=ZeaDiBoMXnYA:10 a=wDPt2UZEewEA:10
            a=PLKCpTzrWYcA:10 a=E7wuWWQPUS4A:10 a=aSlWfPMmDOAA:10 a=Stl4FSoYJqsA:10
            a=TScJXaykILcA:10 a=mAAHecRI7nQA:10 a=V6WloH25magA:10 a=E6s-atTtWgie7Fm4:21
            a=A46-La0KcbTpimn4:21 a=VRqUN+a7pGObuD/3ONGFjQ==:117
X-ELNK-Received-Info: spv=0;
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=010;
Return-Path: richard@presentingatlanta.com
X-OriginalArrivalTime: 29 Apr 2011 22:47:27.0362 (UTC) FILETIME=[69FD2620:01CC06BF]

0
 
davorinCommented:
Please check at your exchange server SMTP logs.
Check at the log for the "problematic" sender and check who is the recipient for that connection.
If you have already there listed admin address, then the cause of the problem is before the mail reaches
your mail server.
http://www.msexchange.org/tutorials/Logging_the_SMTP_Service.html

As from the posted message header it looks like already the "EarthLink SMTP Server" replaces
recipinets address (daniel) with postmasters address.



Received: from mail155c38.carrierzone.com ([66.175.56.185])
      by whmx-nag.pas.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1qfWsZ5uk3NZFmC0
      for <postmaster@sheratonatl.com>; Fri, 29 Apr 2011 15:47:17 -0700 (PDT)
0
 
davorinCommented:
Just one advice, when posting logs it is good to mask real mail adresses (and other addresses) with fake ones - to protect your privacy.
Using www.mxtoolbox.com I have found that you should have to change your SMTP banner on your exchange server if you don't want to have problems sending mail to some mail servers.
0
 
TPMcGill-SheratonAuthor Commented:
ISP issue
0
 
TPMcGill-SheratonAuthor Commented:
ISP Issue
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.