User Sending SPAM, Trying to Find Cause

There is a user at our office sending spam.  On the Exchange 2010 Server, there is no relaying.  I tested this with MXToolbox.  Also on the server, ForeFront for Exchange is running.  I verified that MASS Sender and other spam-creating software was not present on the server or on the workstation.

The main reason that I believe the user has been compromised is the large number of emails she's receiving with NDRs and other non delivery issues.

The latest group of error messages coming in looks like this:

From: []
Sent: Wednesday, April 04, 2012 9:56 AM
To: xxx
Subject: failure notice

Hi. This is the qmail-send program at
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

deferring multiple deliveries to same user /I'm not going to try again; this message has been in the queue too long.

--- Below this line is a copy of the message.

Return-Path: <>
Return-Path: <>
Received-SPF: temperror (encountered temporary error during SPF processing of domain of
X-YMailISG: W4z_AFMWLDsojBD8H21Kr2qZ9YNw1Fl0rzDROxqp9loqNlVa
X-Originating-IP: []
Authentication-Results:; domainkeys=neutral (no sig);; dkim=neutral (no sig)
Received: from  (EHLO lawserv3.barton-larson.local) (
  by with SMTP; Tue, 03 Apr 2012 12:53:51 +0000
Received: from serverin ( by lawserv3.barton-larson.local
 ( with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
 08:56:04 -0400
MIME-Version: 1.0
Date: Tue, 3 Apr 2012 14:53:32 +0200
X-Priority: 3 (Normal)
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: upon and soaked That does the underbrush gestured reached hood, now. It of day and her, this
From: <>
To: <>
Message-ID: <CHILKAT-MID-31cda581-6236-9dd8-4a0b-8ec3f0dafef6@serverin>


Is the NDR itself the SPAM?  From the looks of it, the perpetrators accessed the local Exchange server since they have the internal IP address.

Or is the user sending the SPAM from another application on their workstation?

Any help on this is greatly appreciated.

Thank you.

Why not just change her domain password and be done with it?

tedwill (Author) commented:
It seems like the SPAM was coming from the outside and using either no credentials or credentials with nothing to do with her windows authentication.

The user is sending the spam. Reboot the PC in safe mode and run a full antivirus scan; be sure to update your antivirus first.
Or enable a firewall and check which processes are connecting to the network.

The telltale lines in that trace are these:

Received: from  (EHLO lawserv3.barton-larson.local) (
  by with SMTP; Tue, 03 Apr 2012 12:53:51 +0000
Received: from serverin ( by lawserv3.barton-larson.local
 ( with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
 08:56:04 -0400

The lower "Received" clause indicates your server received that message from a computer calling itself "serverin", at IP A reverse DNS lookup on that address indicates it is registered to telecomitalia, presumably for one of their customers:      name =

The first line simply indicates that the message was relayed through your server to Yahoo.

If you are positive anonymous relaying is disabled, then you have a compromised user account on your system. The default receive connectors in Exchange 2010 should only permit an authenticated user to relay as their own email address. As the previous guys have said, you need to get that user's password changed ASAP and tidy up your queues of any email waiting to go out.
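Walking the Received chain bottom-up, as described in the answer above, can be automated. The following Python is an added example, not code from this thread or from any of its participants: it parses the Received headers of a message, walks from the oldest hop up to the first hop that one of your own servers wrote, and checks whether the submitting address lies outside your internal ranges. The sample message is constructed from the quoted NDR; because the page does not show the real IP addresses, RFC 5737 documentation addresses and a made-up provider hostname are assumed in their place.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the NDR quoted in the question. The page does
# not show the real addresses, so RFC 5737 documentation addresses and a
# made-up provider hostname stand in for them (assumptions, not real values).
SAMPLE_MESSAGE = """\
Return-Path: <>
Received: from lawserv3.barton-larson.local (EHLO lawserv3.barton-larson.local) (203.0.113.10)
  by mta1.mailprovider.example with SMTP; Tue, 03 Apr 2012 12:53:51 +0000
Received: from serverin (198.51.100.77) by lawserv3.barton-larson.local
 (192.168.1.5) with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
 08:56:04 -0400
MIME-Version: 1.0
Subject: upon and soaked That does the underbrush gestured reached hood, now.
From: <>
To: <>
Message-ID: <CHILKAT-MID-31cda581-6236-9dd8-4a0b-8ec3f0dafef6@serverin>

(message body omitted)
"""

# "from <name> [(comments)] by <host>": the comment part normally carries the
# connecting IP as recorded by the server that wrote the line.
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)(?P<paren>.*?)\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(raw_message):
    """Return the Received hops in header order: index 0 is the newest hop,
    the last entry is the oldest (the origin, if the chain is honest)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        ip = IPV4_RE.search(m.group("paren"))
        hops.append({"from_name": m.group("from"),
                     "from_ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    return hops


def find_injection_point(hops, our_suffix, internal_nets):
    """Walk upward from the oldest hop and stop at the first one written by
    one of our own servers. Lines below that were supplied by the sender and
    may be forged; the line our server wrote is the trustworthy one."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    for hop in reversed(hops):
        if not hop["by"].lower().endswith(our_suffix.lower()):
            continue
        ip = hop["from_ip"]
        internal = ip is not None and any(ipaddress.ip_address(ip) in n for n in nets)
        return {"submitted_by": hop["from_name"], "source_ip": ip,
                "received_by": hop["by"],
                "external_source": ip is not None and not internal}
    return None


def classify(point):
    if point is None:
        return "never passed through our servers"
    if point["source_ip"] is None:
        return "our server did not record the source IP; check the connector logs"
    if point["external_source"]:
        return ("external host submitted directly to our server: "
                "open relay or an authenticated (compromised) account")
    return "submitted from an internal address: inspect that workstation for an SMTP client"


if __name__ == "__main__":
    hops = parse_received(SAMPLE_MESSAGE)
    point = find_injection_point(hops, "barton-larson.local",
                                 ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
    print(point)
    print(classify(point))
```

For the sample the injection point is the hop "from serverin (198.51.100.77) by lawserv3.barton-larson.local", and since 198.51.100.77 is not in any internal range the verdict is an external submission, which with relaying disabled means authenticated use of a mailbox's credentials. Feeding the real NDR to the same code (with the organization's real internal ranges) gives the same answer without hand-reading the headers.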

tedwill (Author) commented:
Matt and Jacob -

Thanks for all your help.  It was such an easy solution.  I remember when Exchange 2000 and prior were open to relaying by default and once I knew that Exchange 2010 was not, I stopped looking at an internal issue.  The minute I changed her password, the SPAM stopped.  Her password though not very complex is not something easy to guess.  I wonder how the SPAMMer got her Windows password.  She's an attorney and she's pretty good about not giving out passwords.

I appreciate you both pointing me in the right direction.

Not a problem at all. I'm glad the problem is sorted.

>> Her password though not very complex is not something easy to guess.  I wonder how the SPAMMer got her Windows password

There are any number of methods they can use these days to obtain a password. Chances are, this was some automated mechanism which was used to guess it. Chances are even more that it's someone external who is not known to the user or the company - they're just an opportunist. A brute force attack against your mail server/OWA login page is possible, or perhaps some keylogging software on an external computer which snatched the password when she logged in to her email. (This would still require someone to link OWA with the SMTP relay, though). Consider hardening the system a little with account lockout policies - lock an account for 30 minutes after X number of wrong passwords. This essentially stops a brute-force attack in its tracks.

Another problem I see quite often is a lack of encryption on the OWA access - or any other service published to the Internet which requests logon details. Not only should such connections be encrypted to ensure the credentials are securely passed to the server from foreign networks, it also means all the company-sensitive data which flows over those connections will not be privy to the eyes of unauthorised people. I would certainly check out OWA to ensure a certificate is in place and that HTTPS access is enforced (just publish port 443, and not 80, which forces people to use the secure route!).
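The brute-force scenario raised above can be checked against the IIS logs of the server that publishes OWA, rather than only assumed. The following Python is an added example, not code from this thread or its participants: it reads W3C-format IIS log lines, counts login POSTs per client address within a time window, flags addresses that reach the threshold (the same X-attempts-per-window logic an account lockout policy enforces), and notes whether a flagged address later appears with an authenticated username, which is the sign that the guessing succeeded. The log excerpt is constructed; the /owa/auth.owa login target and the field layout are assumptions matching a default Exchange 2010 OWA site, so adjust both to what your #Fields line actually lists. It does not configure the lockout policy itself; that is done in Group Policy.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt for the OWA virtual directory. Addresses,
# times and usernames are made up; the /owa/auth.owa login target and the
# field layout are assumed to match a default Exchange 2010 OWA site.
_HEADER = (
    "#Software: Microsoft Internet Information Services 7.5\n"
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken\n"
)


def _line(time, method, stem, user, cip, status):
    return (f"2012-04-03 {time} 192.168.1.5 {method} {stem} - 443 {user} {cip} "
            f"Mozilla/5.0 {status} 0 0 100")


SAMPLE_LOG = _HEADER + "\n".join(
    # twelve login POSTs in twelve seconds from one address, then a request
    # that carries a username: the guessing worked
    [_line(f"12:40:{i:02d}", "POST", "/owa/auth.owa", "-", "198.51.100.77", "302")
     for i in range(12)]
    + [_line("12:41:05", "GET", "/owa/", "BARTON\\asmith", "198.51.100.77", "200")]
    # an ordinary user: one login, then normal use
    + [_line("12:44:10", "POST", "/owa/auth.owa", "-", "203.0.113.8", "302"),
       _line("12:44:20", "GET", "/owa/", "BARTON\\jdoe", "203.0.113.8", "200")]
) + "\n"


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def detect_bruteforce(text, threshold=10, window=timedelta(minutes=30),
                      login_path="/owa/auth.owa"):
    """Flag client IPs that POST to the login form `threshold` times within
    `window`, and record whether a flagged IP later shows up with an
    authenticated username (cs-username other than "-")."""
    recent = defaultdict(deque)   # c-ip -> timestamps of login POSTs inside the window
    totals = Counter()            # c-ip -> all login POSTs seen
    flagged = {}
    for rec in parse_w3c(text):
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        ip = rec["c-ip"]
        if rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower() == login_path:
            totals[ip] += 1
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:      # drop attempts older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"first_seen": q[0], "authenticated_later": False,
                               "username": None}
        elif rec["cs-username"] != "-" and ip in flagged:
            flagged[ip]["authenticated_later"] = True
            flagged[ip]["username"] = rec["cs-username"]
    for ip, info in flagged.items():
        info["attempts"] = totals[ip]
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample, 198.51.100.77 is flagged after its tenth POST and is then seen with the username BARTON\asmith, while 203.0.113.8 (one login, then normal browsing) is not. Run over the real OWA logs for the days before the NDRs started, a hit like the first one is the evidence for how the password was obtained, and the username it reports is the account to reset.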
