How do i find out where from the network an email originated from

Hi all,
Of late i have been having a problem, one of the users in my network has been receiving delivery failure messages yet he hasn't sent any emails out. Even when his computer is off messages still are being sent from his account. I am able to find the emails in the message tracking center in the exchange system manager. Is there a way of tracking the specific location in the network that the email originated from?
PetersennikAsked:
Who is Participating?
 
netjgrnautConnect With a Mentor Commented:
Are you sure you're finding the original *outbound* email in the MT, and not just the inbound NDR (which correspond to the messages your user is showing you)?

This sort of this is most often the result of spam being sent from other systems with a forged Reply-To or <MailFrom> address in the header.  This results in NDRs being sent to random people (instead of clogging up the spamming host with return traffic it doesn't care about).

If that's the case, there's virtually no way to determine the origin of the messages with the forged Reply-To.  If you're lucky, you'll get an NDR with a detailed SMTP transcript in the body.  If you get one of those, let me know...

Other than that, you can bet that this is the result of:
a) a machine not even on your network that has been infected with malware, where the machine user has *your* user's email address on file.
...or...
b) the result of your user's email address having been harvested (or stolen) from some web form somewhere - where the data was entered by your user (to sign up for something, or whatever).

Either way, you're probably not looking at a root cause you can do anything about.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.