I appear to be a source of spam, any help?

Posted on 2011-05-05
Last Modified: 2013-11-22
I seem to be a source of spam, but cannot track it down.  I have an Exchange 2007 server.  For the last couple of days, I have been getting a huge number of angry 'remove me' emails to one particular address in my organization, but they believe the emails are coming from Nissan Motors.  I have used MXToolbox to confirm I am not an open relay and that I am not on any blocklists.  When I use Queue Viewer, I don't see anything unusual except that two of my real clients are blocking emails from my MX address due to 'intrusion prevention active' on their software.  I have run a complete AV scan of my entire network and nothing turned up.  I'm not sure I know how to definitely look to see if the emails are really originating from me, but the replies are definitely coming to me.  Any suggestions?
Moved from EE_Bugs, 250 points assigned by Netminder, 5 May 2011


Question by:dongcamp100
    LVL 14

    Expert Comment

    Try Malwarebytes on the machines that the e-mail is being sent from.

    From what I have seen recently, certain malware/viruses grab hold of someone's e-mail: they click on something stupid and boom, that PC gets infected, and then it steals the e-mail list from that PC and e-mails itself out using that person's contact list.

    My first move here would be to see who the offending sender is and scan that machine to death...:)

    LVL 29

    Assisted Solution

    by:Sudeep Sharma
    Look at the headers of the emails which you are receiving and try to find the source of the messages. It could be the sender who is infected (as suggested above by Tribus).

    LVL 36

    Accepted Solution

    What makes you think you are the actual source of the spam?
    Is it only the fact that one of your email addresses is the source address of the spam?
    If that is the case, it is probably just that someone is using your email address as the source for sending spam emails, and they are being sent by completely different machines across the internet.
    There is not much you can do to stop it, but you could ensure you are making use of SPF and DomainKeys. This will help spam filters identify the mails pretending to come from you as being spam, and may also discourage spammers from using your domain, as it will make their emails more likely to be blocked.
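
The header check suggested in the answers above, as an added example that is not part of the original thread: it reads the Received chain of one spam message (for instance a copy forwarded by a complainant) and reports which IP actually handed the message to the recipient's mail system. The addresses, host names, network ranges and sample headers are constructed assumptions; replace OUR_OUTBOUND and RECIPIENT_NETS with real values.

```python
import email
import ipaddress
import re

# Assumptions (constructed values, documentation address ranges):
OUR_OUTBOUND = [ipaddress.ip_network("203.0.113.0/28")]    # our mail server's public IPs
RECIPIENT_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # the complaining site's own relays

# Constructed headers of one spam message that forges our address.
# The bottom Received line was supplied by the sender and names our IP.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby store.recipient.example with ESMTP; Thu, 5 May 2011 09:00:03 +0000
Received: from unknown (HELO mail.example.org) ([192.0.2.55])
\tby mx.recipient.example with SMTP; Thu, 5 May 2011 09:00:01 +0000
Received: from mail.example.org (mail.example.org [203.0.113.5])
\tby relay.invalid with ESMTP; Thu, 5 May 2011 08:59:58 +0000
From: "Nissan Motors" <sales@example.org>
To: someone@recipient.example
Subject: Special offer

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_ips(raw):
    """Client IP recorded in each Received header, newest hop first."""
    msg = email.message_from_string(raw)
    found = (IP_RE.search(h) for h in msg.get_all("Received", []))
    return [ipaddress.ip_address(m.group(1)) for m in found if m]

def in_any(ip, nets):
    return any(ip in n for n in nets)

def handoff_ip(raw):
    """First hop, reading top down, that lies outside the recipient's network.
    Headers below it were not written by the recipient and can be forged."""
    for ip in hop_ips(raw):
        if not in_any(ip, RECIPIENT_NETS):
            return ip
    return None

def sent_by_us(raw):
    """True only if the IP that connected to the recipient's border is ours."""
    ip = handoff_ip(raw)
    return ip is not None and in_any(ip, OUR_OUTBOUND)

if __name__ == "__main__":
    print("hops:", [str(i) for i in hop_ips(SAMPLE)])
    print("handoff:", handoff_ip(SAMPLE), "sent by us:", sent_by_us(SAMPLE))
```

On the sample, the handoff address is outside OUR_OUTBOUND even though an older Received line names our server, which is the pattern expected when only the sender address is forged.
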
    LVL 14

    Assisted Solution

    The first thing to do, though, in this case is to change the password of the offending account that is sending the spam.  Usually it's a key logger that got the user's e-mail password.  Just by changing that password you can sometimes make it stop.

    However, the issue still remains of the key logger.

    Malwarebytes should solve that for you on the user's PC.

    Author Closing Comment

    Ultimately, I was not the source of the spam.  Thank you tribus, I had already used Malwarebytes, but it is a good suggestion.

    Author Comment

    Oops.  More...  thank you also Sudeep, as that showed I was not the actual source, and thank you grblades for the advice on steps to help prevent this in the future.
