There is a user at our office sending spam. On the Exchange 2010 server, there is no relaying. I tested this with MXToolbox. Also on the server, Forefront for Exchange is running. I verified that MASS Sender and other spam-creating software was not present on the server or on the workstation.
The main reason that I believe the user has been compromised is the large number of emails she's receiving with NDRs and other non-delivery issues.
The latest group of error messages coming in looks like this:
----------------------------------------
From: MAILER-DAEMON@yahoo.com [MAILER-DAEMON@yahoo.com]
Sent: Wednesday, April 04, 2012 9:56 AM
To: xxx
Subject: failure notice
Hi. This is the qmail-send program at yahoo.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<jmichaeltaylor@btinternet.com>:
deferring multiple deliveries to same user /I'm not going to try again; this message has been in the queue too long.
--- Below this line is a copy of the message.
Return-Path: <xxx@yyy.com>
Return-Path: <xxx@yyy.com>
Received-SPF: temperror (encountered temporary error during SPF processing of domain of yyy.com)
X-YMailISG: W4z_AFMWLDsojBD8H21Kr2qZ9YNw1Fl0rzDROxqp9loqNlVa
1iZKCLhNU_kpiKhZoCYadXXQkrHIkERLjDnuLY1ZL6Q1HJSh_3k6E6taHNCY
eVpMFPIOMBFcxlhjHjIcalH3pC.q37sfGRVMMuLDHXFVsSuZdzuBhvIJKRoo
B5S3vR1XTrTichzBWdSMdCOxjpFKDVjq2DBRQu5rkZ2npWir8Gv9hbiDAuJh
OPP_AD6KuvouWmZUKsR9QTogjjMzXxrTAvMMRvtKTJQYDcvqplF5f92VwZqm
bRlMzEh..QZtam16vQiGq3SUOXXm.MgMRxqFmTcGL3bJtCNz1lp36EMUJ8Cj
tnu73J3w0hjFuyskYY_5RPqg2mi3YqLBxFWvJGbp3gMdE7IKZBny10FjcvUi
wjbYaxnqPjSM4QN6LiADu8A-
X-Originating-IP: [99.23.52.238]
Authentication-Results: mta1025.bt.mail.ird.yahoo.com from=yyy.com; domainkeys=neutral (no sig); from=yyy.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO lawserv3.barton-larson.local) (99.23.52.238)
by mta1025.bt.mail.ird.yahoo.com with SMTP; Tue, 03 Apr 2012 12:53:51 +0000
Received: from serverin (95.225.151.32) by lawserv3.barton-larson.local
(192.168.1.4) with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
08:56:04 -0400
MIME-Version: 1.0
Date: Tue, 3 Apr 2012 14:53:32 +0200
X-Priority: 3 (Normal)
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: upon and soaked That does the underbrush gestured reached hood, now. It of day and her, this
From: <xxx@yyy.com>
To: <jmichaeltaylor@btinternet.com>
Message-ID: <CHILKAT-MID-31cda581-6236-9dd8-4a0b-8ec3f0dafef6@serverin>
Return-Path: xxx@yyy.com
-------------------------------------------------------------
Is the NDR itself the spam? From the looks of it, the perpetrators accessed the local Exchange server, since they have the internal IP address.
Or is the user sending the spam from another application on their workstation?
Any help on this is greatly appreciated.
Thank you.
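As an added example, not part of the original post or any answer to it: the Python below walks the Received chain of the bounced copy quoted above, which is the evidence the question hinges on. The header block is reconstructed inline as a constructed sample with the same anonymised addresses; the office LAN being 192.168.1.0/24 is an assumption taken from the Exchange server's address in the header. MTAs prepend Received lines, so the last one in the block is the first hop, and only that hop says anything about our side: here it records lawserv3 (192.168.1.4) accepting the message from `serverin` at 95.225.151.32, an address outside the LAN, and the Message-ID host matches that same claimed name. The block also reports the timestamp delta between hops, which is negative here because the Exchange server's clock is ahead of Yahoo's.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample input: the header block of the bounced copy quoted in the
# post, same anonymised addresses. Continuation lines keep their leading
# whitespace, as in a real header block.
SAMPLE_HEADERS = """\
Return-Path: <xxx@yyy.com>
Received-SPF: temperror (encountered temporary error during SPF processing of domain of yyy.com)
X-Originating-IP: [99.23.52.238]
Received: from 127.0.0.1 (EHLO lawserv3.barton-larson.local) (99.23.52.238)
  by mta1025.bt.mail.ird.yahoo.com with SMTP; Tue, 03 Apr 2012 12:53:51 +0000
Received: from serverin (95.225.151.32) by lawserv3.barton-larson.local
  (192.168.1.4) with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
  08:56:04 -0400
Date: Tue, 3 Apr 2012 14:53:32 +0200
X-Mailer: MIME-tools 5.41 (Entity 5.404)
From: <xxx@yyy.com>
To: <jmichaeltaylor@btinternet.com>
Message-ID: <CHILKAT-MID-31cda581-6236-9dd8-4a0b-8ec3f0dafef6@serverin>

"""

OFFICE_NETS = ("192.168.1.0/24",)   # assumption: the /24 the Exchange server sits in
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RECEIVED = re.compile(r"from (?P<frm>.*?) by (?P<by>.*?)(?: with .*?)?(?:;(?P<date>.*))?$")


@dataclass
class Hop:
    claimed: str                # what the client said after "from" (HELO name or address)
    observed_ip: Optional[str]  # the address the receiving MTA recorded, usually in parentheses
    by: str                     # the MTA that wrote this Received line
    by_ip: Optional[str]
    when: Optional[datetime]


def parse_received(header_text: str) -> list[Hop]:
    """Parse every Received header; return hops in transit order (hops[0] is the
    first MTA that accepted the message). MTAs prepend, so header order is reversed."""
    msg = HeaderParser().parsestr(header_text)
    hops = []
    for raw in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", raw).strip()   # unfold continuation lines
        m = RECEIVED.match(value)
        if not m:
            continue
        frm, by, date = m.group("frm"), m.group("by"), m.group("date")
        # Prefer an address in parentheses: that is what the receiver saw, whereas
        # the bare token after "from" is whatever the client chose to claim.
        paren_ips = [ip for p in re.findall(r"\(([^)]*)\)", frm) for ip in IPV4.findall(p)]
        any_ip = IPV4.search(frm)
        by_ip = IPV4.search(by)
        hops.append(Hop(
            claimed=frm.split()[0],
            observed_ip=paren_ips[-1] if paren_ips else (any_ip.group(0) if any_ip else None),
            by=by.split()[0],
            by_ip=by_ip.group(0) if by_ip else None,
            when=parsedate_to_datetime(date.strip()) if date else None,
        ))
    hops.reverse()
    return hops


def in_nets(ip: Optional[str], nets=OFFICE_NETS) -> bool:
    return ip is not None and any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)


def injection_verdict(hops: list[Hop], nets=OFFICE_NETS) -> str:
    """Classify where the message entered our system using the first hop only;
    later hops are written by other people's servers."""
    if not hops:
        return "no-received-headers"
    first = hops[0]
    if in_nets(first.by_ip, nets) and in_nets(first.observed_ip, nets):
        return "internal-client"       # a LAN host (e.g. the workstation) handed it to Exchange
    if in_nets(first.by_ip, nets) and not in_nets(first.observed_ip, nets):
        return "external-submission"   # our server accepted it from outside the LAN
    return "unknown"


def hop_deltas(hops: list[Hop]) -> list[int]:
    """Seconds from each hop's timestamp to the next; negative means the earlier
    server's clock is ahead of the later one (or its zone is wrong)."""
    return [int((b.when - a.when).total_seconds())
            for a, b in zip(hops, hops[1:]) if a.when and b.when]


def message_id_host(header_text: str) -> Optional[str]:
    """Host part of Message-ID, to compare with the first hop's claimed name."""
    mid = HeaderParser().parsestr(header_text).get("Message-ID", "")
    m = re.search(r"@([^>\s]+)>?\s*$", mid.strip())
    return m.group(1) if m else None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for i, h in enumerate(hops, 1):
        print(f"hop {i}: {h.by} [{h.by_ip or '?'}] accepted from {h.claimed} [{h.observed_ip or '?'}] at {h.when}")
    print("verdict:", injection_verdict(hops))
    print("clock deltas (s):", hop_deltas(hops))
    print("Message-ID host:", message_id_host(SAMPLE_HEADERS), "| first hop claimed:", hops[0].claimed)
```

An "external-submission" verdict only tells you which hop to investigate, not how the outside host got in: the Exchange receive-connector configuration and the SMTP protocol logs for 95.225.151.32 around 08:56 on 3 Apr are what would distinguish an authenticated submission with the user's credentials from an anonymous relay.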