How did this spam happen?

This is an example of spam that either comes from fakeuser@ourdomain.com or is to fakeuser@ourdomain.com.
I have a spam rule for spoofed addresses in ESET ENOD32 for Exchange and it does not get tripped.
There must be a way to see the "real" information - how does it know to send this to a real_user@ourdomain.com??? Who is it really from???

99.9% of the fictitious user@ourdomain.com messages contain a virus and are caught before they get to the user. This one was clean, so it got through.

We do NOT have the Exchange Edge role installed.
Header:

Received: from sendmail-reverseproxy.ourdomain.com (192.168.0.6) by exchange2007SP3.ourdomain.com
 (192.168.0.5) with Microsoft SMTP Server (TLS) id 8.3.213.0; Tue, 13 Dec 2011
 11:19:21 -0500
Received: from [180.254.141.114] ([180.254.141.114])      by sendmail-reverseproxy.ourdomain.com
 (8.13.8/8.13.8) with ESMTP id pBDE0NZK030057;      Tue, 13 Dec 2011 09:00:25 -0500
 (EST)      (envelope-from ReeseBirkenholz@eventlive.fr)
Received: from [180.254.141.114] (account bmulroy@ourdomain.com HELO ourdomain.com)
 by ourdomain.com (CommuniGate Pro SMTP 5.4.0) with ESMTPA id 450891943 for
 <bmulroy@ourdomain.com>; Tue, 13 Dec 2011 07:19:22 +0700
From: <support@ourdomain.com>
To: <bmulroy@ourdomain.com>
Subject: Fwd: Re: Order K01040688
Date: Tue, 13 Dec 2011 07:19:22 +0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="----=_NextPart_000_09CA_01CCB9ED.A59D5100"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Aca6QPZXM2Y2Z0KFGE78TAKVTZX71B==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3264
Message-ID: <809901ccb9ed$a5914310$728dfeb4@GLEASONMALORIE>
Return-Path: ReeseBirkenholz@eventlive.fr
X-ESET-AS: SCORE=50
X-MS-Exchange-Organization-SCL: 5
X-EsetResult: clean, is OK
X-EsetId: 1FD3A322D84AB0304990F9
johnj_01201Asked:
setasoujiroCommented:
There could be numerous ways; someone could send a bunch of emails to everypossiblename@yourdomain, and the ones that don't give NDR are valid email addresses. It's called directory harvesting.

The mails from fictitious users can be sent by anyone; anyone can send a mail and set the "from" field to someuser@yourdomain.com.

However, 180.254.141.114 seems to be the originating IP.
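
An added example, not part of the original thread: one way to read the posted header the way the answer above does, walking the Received lines from the top and trusting only those stamped by your own hosts. The function name `analyze` and its `own_domain` parameter are hypothetical, and the sketch assumes your servers' names end in your domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address

# Trimmed copy of the header posted in the question (whitespace normalized).
RAW = """\
Received: from sendmail-reverseproxy.ourdomain.com (192.168.0.6) by exchange2007SP3.ourdomain.com
 (192.168.0.5) with Microsoft SMTP Server (TLS) id 8.3.213.0; Tue, 13 Dec 2011
 11:19:21 -0500
Received: from [180.254.141.114] ([180.254.141.114]) by sendmail-reverseproxy.ourdomain.com
 (8.13.8/8.13.8) with ESMTP id pBDE0NZK030057; Tue, 13 Dec 2011 09:00:25 -0500
 (EST) (envelope-from ReeseBirkenholz@eventlive.fr)
Received: from [180.254.141.114] (account bmulroy@ourdomain.com HELO ourdomain.com)
 by ourdomain.com (CommuniGate Pro SMTP 5.4.0) with ESMTPA id 450891943 for
 <bmulroy@ourdomain.com>; Tue, 13 Dec 2011 07:19:22 +0700
From: <support@ourdomain.com>
Return-Path: ReeseBirkenholz@eventlive.fr

"""

def analyze(raw, own_domain):
    """Find the first external hop and compare envelope sender with From."""
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    origin, trusted = None, 0
    for hop in hops:  # newest first: our own servers write the top lines
        m = re.search(r"from (.+?) by (\S+)", hop)
        if not m or not m.group(2).lower().endswith("." + own_domain):
            break  # not stamped by one of our hosts, stop trusting
        trusted += 1
        ips = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", m.group(1))
        public = [ip for ip in ips if not ip_address(ip).is_private]
        if public:  # first connection that came from outside
            origin = public[0]
            break
    env = parseaddr(msg.get("Return-Path", ""))[1]
    frm = parseaddr(msg.get("From", ""))[1]
    dom = lambda a: a.rpartition("@")[2].lower()
    return {
        "origin_ip": origin,
        "envelope_from": env,
        "header_from": frm,
        "unverified_hops": len(hops) - trusted,  # written by the sender
        "spoofed_internal_from": dom(frm) == own_domain and dom(env) != own_domain,
    }

if __name__ == "__main__":
    print(analyze(RAW, "ourdomain.com"))
```

The envelope recipient that actually routed the message to a mailbox is not recorded in these headers, so the code cannot recover it; that value has to come from the server's own logs.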
johnj_01201Author Commented:
Well in this case, BOTH the sender and the recipient are fake, but a REAL user got it in their mailbox. How did it know to go into a specific mailbox when the mailbox is not listed in the header?
johnj_01201Author Commented:
I forgot I posted a different SPAM question a couple of weeks ago. The answer I needed was there.

http://www.msexchange.org/tutorials/Exchange-2007-Message-Tracking-Part2.html

This link explains how to find and read the Exchange mail log files.
thanks
johnj_01201Author Commented:
question will not close