exchange server mail in queue, sender is spoofed
I have mail in my outbound queues (exchange server 2003) that shows the sender as "job@careerbuilder.com". I need to ascertain which workstation on the network is actually sender these emails (100's of them). Virus scans come up clean. I suspected a couple workstations as the culprit, but there is nothing I can find on their PC's to validate this. Sent folders are normal. No virus reported.
How can I looked at one of these stuck in the outgoing queues and determine which workstation (all with static ip's if that helps) sent the message?
How can I looked at one of these stuck in the outgoing queues and determine which workstation (all with static ip's if that helps) sent the message?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
No probs - with Exchange 2003 this is one of the major reasons for busy queues full of spam!
It is unlikely but not impossible that you have an infection, but I have seen the Authenticated Relay more times than I have had hot dinners, so that is usually my first thought.
Alan
It is unlikely but not impossible that you have an infection, but I have seen the Authenticated Relay more times than I have had hot dinners, so that is usually my first thought.
Alan
ASKER
I read through the articles. I had already accomplished some of the recommendations as this happened a few days ago initially. Comcast blacklisted the domain although all blacklist tests were clean. Just reran tests through mxtoolbox an the domain appears clean, reverse dns, not an open relay etc all come up clean.
I did uncheck the basic and windows authentication as described in the 2nd article.
How can I tell (or can I tell) which workstation is sending the emails?
I did uncheck the basic and windows authentication as described in the 2nd article.
How can I tell (or can I tell) which workstation is sending the emails?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Here's is something I have noticed. Quite a few of the queues (which I have currently frozen) are bogus. Mispelled or out of the country email domains such as hotmaim.com, comcaster.net or asia.yahoo.com, gmail.com.co. Almost as though a list of bad email addresses has been accessed. It may just be these queues are in a retry state because the domain isn't valid and the valid ones have already connected and sent the emails.
I have done all that you suggested, hopefully this works. I will continue to monitor this after I finish clearing the queues.
Thanks for your help.
I have done all that you suggested, hopefully this works. I will continue to monitor this after I finish clearing the queues.
Thanks for your help.
All perfectly normal for an authenticated relay. Do you want aqadmcli.exe?
ASKER
Clear and Accurate Advice. Thanks
ASKER