

User Sending SPAM, Trying to Find Cause

Posted on 2012-04-04
Medium Priority
Last Modified: 2012-04-04
There is a user at our office sending spam.  On the Exchange 2010 Server, there is no relaying.  I tested this with MXToolbox.  Also on the server, ForeFront for Exchange is running.  I verified that MASS Sender and other spam creating software was not present on the server or on the workstation.

The main reason that I believe the user has been compromised is the large number of emails she's receiving with NDRs and other non delivery issues.

The latest group of error messages coming in looks like this:

From: MAILER-DAEMON@yahoo.com [MAILER-DAEMON@yahoo.com]
Sent: Wednesday, April 04, 2012 9:56 AM
To: xxx
Subject: failure notice

Hi. This is the qmail-send program at yahoo.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

deferring multiple deliveries to same user /I'm not going to try again; this message has been in the queue too long.

--- Below this line is a copy of the message.

Return-Path: <xxx@yyy.com>
Return-Path: <xxx@yyy.com>
Received-SPF: temperror (encountered temporary error during SPF processing of domain of yyy.com)
X-YMailISG: W4z_AFMWLDsojBD8H21Kr2qZ9YNw1Fl0rzDROxqp9loqNlVa
X-Originating-IP: []
Authentication-Results: mta1025.bt.mail.ird.yahoo.com  from=yyy.com; domainkeys=neutral (no sig);  from=yyy.com; dkim=neutral (no sig)
Received: from  (EHLO lawserv3.barton-larson.local) (
  by mta1025.bt.mail.ird.yahoo.com with SMTP; Tue, 03 Apr 2012 12:53:51 +0000
Received: from serverin ( by lawserv3.barton-larson.local
 ( with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
 08:56:04 -0400
MIME-Version: 1.0
Date: Tue, 3 Apr 2012 14:53:32 +0200
X-Priority: 3 (Normal)
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: upon and soaked That does the underbrush gestured reached hood, now. It of day and her, this
From: <xxx@yyy.com>
To: <jmichaeltaylor@btinternet.com>
Message-ID: <CHILKAT-MID-31cda581-6236-9dd8-4a0b-8ec3f0dafef6@serverin>
Return-Path: xxx@yyy.com


Is the NDR itself the SPAM?  From the looks of it, the perpetrators accessed the local Exchange server since they have the internal IP address.

Or is the user sending the SPAM from another application on their workstation?

Any help on this is greatly appreciated.

Thank you.
Question by: tedwill

Accepted Solution

jacobstewart earned 1000 total points
ID: 37807994
Why not just change her domain password and be done with it?

Author Comment

ID: 37808083
It seems like the SPAM was coming from the outside and using either no credentials or credentials with nothing to do with her Windows authentication.

Expert Comment

ID: 37808165
The user is sending the spam. Reboot the PC in safe mode and run a full antivirus scan; be sure to update your antivirus beforehand.
Or enable a firewall and check which processes are connecting to the network.

Assisted Solution

tigermatt earned 1000 total points
ID: 37808536
The telltale lines in that trace are these:

Received: from  (EHLO lawserv3.barton-larson.local) (
  by mta1025.bt.mail.ird.yahoo.com with SMTP; Tue, 03 Apr 2012 12:53:51 +0000
Received: from serverin ( by lawserv3.barton-larson.local
 ( with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
 08:56:04 -0400

The lower "Received" clause indicates your server received that message from a computer calling itself "serverin", at IP A reverse DNS lookup on that address indicates it is registered to telecomitalia, presumably for one of their customers:      name = host32-151-static.225-95-b.business.telecomitalia.it

The first line simply indicates that the message was relayed through your server to Yahoo.

If you are positive anonymous relaying is disabled, then you have a compromised user account on your system. The default receive connectors in Exchange 2010 should only permit an authenticated user to relay as their own email address. As the previous guys have said, you need to get that user's password changed ASAP and tidy up your queues of any email waiting to go out.
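
Added example (not part of the thread or any poster's code): the Received-header reading described in the answer above, done in Python. The sample message is constructed; the page's IP addresses were stripped, so RFC 5737 documentation addresses and an assumed internal address for the server stand in, and `parse_hops` and `external_submissions` are hypothetical helper names.

```python
import email
import ipaddress
import re

# Constructed sample modelled on the bounce above. The page's IPs were
# stripped, so documentation addresses (RFC 5737) are used as stand-ins.
SAMPLE = """\
Received: from 198.51.100.7 (EHLO lawserv3.barton-larson.local) (198.51.100.7)
  by mta1025.bt.mail.ird.yahoo.com with SMTP; Tue, 03 Apr 2012 12:53:51 +0000
Received: from serverin (203.0.113.32) by lawserv3.barton-larson.local
 (192.168.1.10) with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
 08:56:04 -0400
Subject: constructed sample
From: <xxx@yyy.com>

body
"""

IP_RE = re.compile(r"[\(\[](\d{1,3}(?:\.\d{1,3}){3})[\)\]]")
HOP_RE = re.compile(r"from\s+(?P<helo>\S+).*?\bby\s+(?P<by>\S+)", re.S)

def parse_hops(raw):
    """Return Received hops, newest first, as dicts (helo, by, client_ip)."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue
        # The client IP is the first bracketed address before the "by" clause.
        ip = IP_RE.search(value[:m.start("by")])
        hops.append({"helo": m["helo"], "by": m["by"].lower(),
                     "client_ip": ip.group(1) if ip else None})
    return hops

def external_submissions(raw, our_servers, internal_nets):
    """Hops where one of our servers accepted mail from a non-internal IP."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    found = []
    for hop in parse_hops(raw):
        if hop["by"] not in our_servers or hop["client_ip"] is None:
            continue
        addr = ipaddress.ip_address(hop["client_ip"])
        if not any(addr in n for n in nets):
            found.append(hop)
    return found
```

A hop returned by `external_submissions` means the mail server accepted the message from outside the LAN and passed it on, which with anonymous relay disabled points at a submission made with a valid account rather than at software on the user's workstation.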


Author Closing Comment

ID: 37808841

Author Comment

ID: 37808907
Matt and Jacob -

Thanks for all your help.  It was such an easy solution.  I remember when Exchange 2000 and prior were open to relaying by default and once I knew that Exchange 2010 was not, I stopped looking at an internal issue.  The minute I changed her password, the SPAM stopped.  Her password though not very complex is not something easy to guess.  I wonder how the SPAMMer got her Windows password.  She's an attorney and she's pretty good about not giving out passwords.

I appreciate you both pointing me in the right direction.

Expert Comment

ID: 37808967

Not a problem at all. I'm glad the problem is sorted.

>> Her password though not very complex is not something easy to guess.  I wonder how the SPAMMer got her Windows password

There are any number of methods they can use these days to obtain a password. Chances are, this was some automated mechanism which was used to guess it. Chances are even more that it's someone external who is not known to the user or the company - they're just an opportunist. A brute force attack against your mail server/OWA login page is possible, or perhaps some keylogging software on an external computer which snatched the password when she logged in to her email. (This would still require someone to link OWA with the SMTP relay, though). Consider hardening the system a little with account lockout policies - lock an account for 30 minutes after X number of wrong passwords. This essentially stops a brute-force attack in its tracks.

Another problem I see quite often is a lack of encryption on the OWA access - or any other service published to the Internet which requests logon details. Not only should such connections be encrypted to ensure the credentials are securely passed to the server from foreign networks, it also means all the company-sensitive data which flows over those connections will not be privy to the eyes of unauthorised people. I would certainly check out OWA to ensure a certificate is in place and that HTTPS access is enforced (just publish port 443, and not 80, which forces people to use the secure route!).


Question has a verified solution.