How did this spam happen?

This is an example of spam that either comes from fakeuser@ourdomain.com or is addressed to fakeuser@ourdomain.com.
I have a spam rule for spoofed addresses in ESET NOD32 for Exchange and it does not get tripped.
There must be a way to see the "real" information - how does it know to send this to a real_user@ourdomain.com??? Who is it really from???

99.9% of the fictitious user@ourdomain.com messages contain a virus and are caught before they get to the user. This one was clean, so it got through.

We do NOT have the Exchange Edge role installed.
Header:

Received: from sendmail-reverseproxy.ourdomain.com (192.168.0.6) by exchange2007SP3.ourdomain.com
 (192.168.0.5) with Microsoft SMTP Server (TLS) id 8.3.213.0; Tue, 13 Dec 2011
 11:19:21 -0500
Received: from [180.254.141.114] ([180.254.141.114])      by sendmail-reverseproxy.ourdomain.com
 (8.13.8/8.13.8) with ESMTP id pBDE0NZK030057;      Tue, 13 Dec 2011 09:00:25 -0500
 (EST)      (envelope-from ReeseBirkenholz@eventlive.fr)
Received: from [180.254.141.114] (account bmulroy@ourdomain.com HELO ourdomain.com)
 by ourdomain.com (CommuniGate Pro SMTP 5.4.0) with ESMTPA id 450891943 for
 <bmulroy@ourdomain.com>; Tue, 13 Dec 2011 07:19:22 +0700
From: <support@ourdomain.com>
To: <bmulroy@ourdomain.com>
Subject: Fwd: Re: Order K01040688
Date: Tue, 13 Dec 2011 07:19:22 +0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="----=_NextPart_000_09CA_01CCB9ED.A59D5100"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Aca6QPZXM2Y2Z0KFGE78TAKVTZX71B==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3264
Message-ID: <809901ccb9ed$a5914310$728dfeb4@GLEASONMALORIE>
Return-Path: ReeseBirkenholz@eventlive.fr
X-ESET-AS: SCORE=50
X-MS-Exchange-Organization-SCL: 5
X-EsetResult: clean, is OK
X-EsetId: 1FD3A322D84AB0304990F9
Asked by johnj_01201

setasoujiro Commented (accepted solution):
There could be numerous ways; someone could send a bunch of emails to everypossiblename@yourdomain, and the ones that don't give an NDR are valid email addresses. It's called directory harvesting.

The mails from fictitious users can be sent by anyone; anyone can send a mail and set the "from" field to someuser@yourdomain.com.

However, 180.254.141.114 seems to be the originating IP.
0
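Reading the hops out of the header quoted in the question, as an added example (not code from the question, from ESET, or from Exchange): it unfolds the headers, walks the Received chain from our own Exchange server outward, treats the first hop handed in from outside our own network (assumed here to be 192.168.0.0/16; adjust TRUSTED_NETS) as the origin, and compares the header From with the SMTP envelope sender. Every Received line below the reverse proxy's own line was written by the remote sender, so the CommuniGate line claiming an authenticated ourdomain.com account proves nothing.

```python
import re

# Headers as quoted in the question (Received/From/To/Return-Path lines only).
RAW_HEADERS = """Received: from sendmail-reverseproxy.ourdomain.com (192.168.0.6) by exchange2007SP3.ourdomain.com
 (192.168.0.5) with Microsoft SMTP Server (TLS) id 8.3.213.0; Tue, 13 Dec 2011
 11:19:21 -0500
Received: from [180.254.141.114] ([180.254.141.114])      by sendmail-reverseproxy.ourdomain.com
 (8.13.8/8.13.8) with ESMTP id pBDE0NZK030057;      Tue, 13 Dec 2011 09:00:25 -0500
 (EST)      (envelope-from ReeseBirkenholz@eventlive.fr)
Received: from [180.254.141.114] (account bmulroy@ourdomain.com HELO ourdomain.com)
 by ourdomain.com (CommuniGate Pro SMTP 5.4.0) with ESMTPA id 450891943 for
 <bmulroy@ourdomain.com>; Tue, 13 Dec 2011 07:19:22 +0700
From: <support@ourdomain.com>
To: <bmulroy@ourdomain.com>
Return-Path: ReeseBirkenholz@eventlive.fr
"""

# Assumption: the organisation's own relays live in 192.168.0.0/16; adjust for your network.
TRUSTED_NETS = ("192.168.",)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) back onto their header."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        elif line.strip():
            fields.append(line.rstrip())
    return fields


def parse_hops(raw):
    """Received hops in header order (newest first): who claimed to send, from which IP, to whom."""
    hops = []
    for field in unfold(raw):
        if not field.lower().startswith("received:"):
            continue
        m = re.search(r"\bfrom\s+(\S+)(.*?)\s+by\s+(\S+)", field, re.I)
        if not m:
            continue
        claimed, extra, receiver = m.groups()
        ip = IPV4.search(claimed + extra)
        hops.append({"claimed": claimed.strip("[]"), "ip": ip.group(1) if ip else None, "by": receiver})
    return hops


def originating_ip(raw):
    """Walk from our own server outward; the first hop handed in from outside our nets is the origin.

    Every Received line below that hop was written by the remote sender and may be forged,
    which is why the CommuniGate line's 'account bmulroy@ourdomain.com' claim proves nothing."""
    for hop in parse_hops(raw):
        if hop["ip"] and not hop["ip"].startswith(TRUSTED_NETS):
            return hop["ip"]
    return None


def first_addr(fields, name):
    """Email address in the first header called `name`, or None."""
    for f in fields:
        if f.lower().startswith(name.lower() + ":"):
            m = ADDR.search(f)
            return m.group(0) if m else None
    return None


def _domain(addr):
    return addr.split("@")[-1].lower() if addr else None


def sender_identities(raw):
    """Header From (what the user sees) versus the SMTP envelope sender (what the relay used)."""
    fields = unfold(raw)
    header_from = first_addr(fields, "From")
    env = re.search(r"envelope-from\s+<?([\w.+-]+@[\w.-]+)", raw, re.I)
    envelope_from = env.group(1) if env else first_addr(fields, "Return-Path")
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "domain_mismatch": _domain(header_from) != _domain(envelope_from),
    }


if __name__ == "__main__":
    for hop in parse_hops(RAW_HEADERS):
        print(f"{hop['by']:40} <- {hop['ip']} (claimed {hop['claimed']})")
    print("originating IP:", originating_ip(RAW_HEADERS))
    print(sender_identities(RAW_HEADERS))
```

The domain mismatch between the header From (support@ourdomain.com) and the envelope sender (ReeseBirkenholz@eventlive.fr) is the signal a spoofed-address rule needs; a rule that only inspects the visible From: line never sees it.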
 
johnj_01201 (Author) Commented:
Well, in this case, BOTH the sender and the recipient are fake, but a REAL user got it in their mailbox. How did it know to go into a specific mailbox when the mailbox is not listed in the header?
0
 
johnj_01201 (Author) Commented:
I forgot I posted a different SPAM question a couple of weeks ago. The answer I needed was there.

http://www.msexchange.org/tutorials/Exchange-2007-Message-Tracking-Part2.html

This link explains how to find and read the Exchange mail log files.
thanks
0
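The tracking log answers the mailbox question because SMTP delivers to the RCPT TO address in the envelope, which Exchange records as recipient-address in the message tracking log, while the To: header is just text the sender chose. As an added example, not code from the question or from the linked tutorial, this parses a constructed MSGTRK-style log (the field list is assumed to match Exchange 2007's "#Fields:" line; only the Message-ID comes from the header above) and pulls out the envelope sender and recipients for one Message-ID, so the header To: can be compared with where the mail was actually delivered.

```python
import csv

# Constructed MSGTRK-style log for this example. The #Fields: list is assumed to match
# Exchange 2007's tracking log format; only the Message-ID comes from the question.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: Message Tracking Log
#Date: 2011-12-13T14:00:25.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info
2011-12-13T16:19:21.000Z,192.168.0.6,sendmail-reverseproxy.ourdomain.com,192.168.0.5,exchange2007SP3.ourdomain.com,08CE7F2A1D2B3C4D;2011-12-13T16:19:21.000Z;0,Default exchange2007SP3,SMTP,RECEIVE,12345,<809901ccb9ed$a5914310$728dfeb4@GLEASONMALORIE>,real_user@ourdomain.com,,4711,1,,,Fwd: Re: Order K01040688,ReeseBirkenholz@eventlive.fr,ReeseBirkenholz@eventlive.fr,2011-12-13T16:19:21.000Z
2011-12-13T16:19:22.000Z,,exchange2007SP3.ourdomain.com,,exchange2007SP3.ourdomain.com,,,STOREDRIVER,DELIVER,12345,<809901ccb9ed$a5914310$728dfeb4@GLEASONMALORIE>,real_user@ourdomain.com,,4711,1,,,Fwd: Re: Order K01040688,ReeseBirkenholz@eventlive.fr,ReeseBirkenholz@eventlive.fr,
"""

MESSAGE_ID = "<809901ccb9ed$a5914310$728dfeb4@GLEASONMALORIE>"


def parse_tracking_log(text):
    """Turn a tracking log into dicts keyed by the names in its #Fields: line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other comment lines, blanks, or data before the field list
        else:
            values = next(csv.reader([line]))
            rows.append(dict(zip(fields, values)))
    return rows


def trace_message(rows, message_id, header_to=None):
    """Envelope facts for one Message-ID: the RCPT TO list the relay handed over and where
    the store driver delivered. That, not the To: header, decides the mailbox."""
    events = [r for r in rows if r.get("message-id") == message_id]
    receive = next((r for r in events if r["event-id"] == "RECEIVE"), None)
    # Exchange separates multiple recipients in one event with ';'
    recipients = receive["recipient-address"].split(";") if receive else []
    return {
        "events": [r["event-id"] for r in events],
        "connector_source_ip": receive["client-ip"] if receive else None,
        "envelope_sender": receive["sender-address"] if receive else None,
        "envelope_recipients": recipients,
        "delivered_to": [r["recipient-address"] for r in events if r["event-id"] == "DELIVER"],
        "header_to_in_envelope": (header_to in recipients) if header_to else None,
    }


if __name__ == "__main__":
    rows = parse_tracking_log(SAMPLE_LOG)
    # header_to is the To: line from the quoted message, which names nobody real
    print(trace_message(rows, MESSAGE_ID, header_to="bmulroy@ourdomain.com"))
```

In practice these rows come from the Exchange Management Shell, for example `Get-MessageTrackingLog -MessageId` with the Message-ID from the header, or from the MSGTRK log files the linked tutorial describes; the parser above is only for reading those files offline.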
 
johnj_01201 (Author) Commented:
Question will not close.
0
Question has a verified solution.
