Exchange users' email being flagged as spam - Need help troubleshooting please..

Posted on 2013-06-12
Medium Priority
Last Modified: 2013-07-17
Have a customer with an Exchange 2010 environment.. Starting last week they started receiving NDRs when trying to send emails to multiple domains.. It's not limited to a certain domain and it's not limited to a certain user..

According to the IT contact these are domains they email on a daily basis and have never had any issues..

They aren't on any blacklists and their server is clean (virus scan).. Their server is not an open relay.. Not using smart host..

I have tested to a domain bouncing them by sending a test email with no signature etc and I immediately get the bounce..

In the queue viewer there were emails that had a from address of <> that definitely looked like spam (subject line).. Is there any way I can track these down?

Email in queue viewer:

Identity: SERVER\73247\484884
Subject: Automatic reply: Your Complimentary Credit Scores Are Waiting For You
Internet Message ID: <c442983d72b840ea9e50847ea0b7db72@SERVER.DOMAIN.LOCAL>
From Address: <>
Status: Suspended
Size (KB): 4
Message Source Name: FromLocal
Source IP:
SCL: -1
Date Received: 6/10/2013 12:18:25 PM
Expiration Time: 6/12/2013 12:18:25 PM
Last Error:
Queue ID: SERVER\73247
Recipients: csn@soundcost.net

NDR Sample:
spam04.embarq.synacor.com rejected your message to the following e-mail addresses:
weavertire@embarqmail.com (weavertire@embarqmail.com)
spam04.embarq.synacor.com gave this error:
[P4] Message blocked due to spam content in the message.
Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept e-mail from certain senders, or another restriction may be preventing delivery.

Diagnostic information for administrators:
Generating server: SERVER.DOMAIN.LOCAL
spam04.embarq.synacor.com #554 5.7.1 [P4] Message blocked due to spam content in the message. ##
Original message headers:
Received: from SERVER.DOMAIN.LOCAL ([::1]) by SERVER.DOMAIN.LOCAL ([::1]) with
 mapi id 14.01.0355.002; Wed, 12 Jun 2013 08:44:36 -0400
From: TEST <TEST@ttttire.com>
To: "weavertire@embarqmail.com" <weavertire@embarqmail.com>
Subject: Test
Thread-Topic: Test
Thread-Index: Ac5napgxn9FVzAFnTBO0tanTNiiG8Q==
Date: Wed, 12 Jun 2013 12:44:35 +0000
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative;
MIME-Version: 1.0

Ideas on what to look at?

Question by:TBIRD2340
LVL 13

Accepted Solution

Michael Machie earned 2000 total points
ID: 39241200
Are all outgoing emails bouncing back?

If attempting to send the same email to only one recipient at a time, does it succeed?
Can you send it to your personal (non-work) email address such as a Hotmail/Gmail address to test?

I know you mentioned your Domain was not blacklisted but I do know that my company has been flagged before and emails sent to some, but not all, external domains would fail. I had to clear us from the blacklist.

On another note, the receiving Domains may have filters and appliances to stop spam and if your Domain is blacklisted on their device you will receive this message as well.
If you are certain your Domain is not blacklisted then you may need to ask those recipients to whitelist your domain or email address.  The SPAM filters at their end are most likely identifying your emails as SPAM.
LVL 35

Expert Comment

by:Paul MacDonald
ID: 39241373
As [Machienet] notes, it's possible to be blocked without being on a public RBL.  

In any case, it sounds as if your client is, in fact, sending out spam e-mails.  I realize you've scanned the mail server itself, but it looks like the spam is coming from within the network, so you should have them begin a systematic check of all their computers.

Author Comment

ID: 39241411
No, not all outgoing emails.. Just to certain domains.. They have already contacted a few domains to get whitelisted but that is a pain to do and want to know why this happened..

Server is clean and I advised him to do a full scan on all PCs which he's trying to get scheduled..

Generally when this happens it is malware.. I'm just trying to figure out how to either pinpoint the PC(s) that are causing it or if there are none infected, what to do next..
LVL 35

Expert Comment

by:Paul MacDonald
ID: 39241529
You could set up Wireshark or Network Monitor and capture traffic going to the mail server.  There will be a lot of traffic to weed through, but that will help you to identify the culprit.  You'll need to look at the payload for packet data, to see which ones might be spam.  This will be difficult.  

Barring that, you might try log files on the mail server.  You won't get as much data this way, but if you know when a mail went out, you might be able to use that to determine where that mail came from.
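
The log-file approach suggested above, as an added example that is not part of the original thread or any poster's code: it reads a message tracking log in its CSV form (a `#Fields:` header line followed by rows), totals recipients per submitting client IP and sender, and lists null-sender (`<>`) subjects. The sample log is constructed, with made-up IPs, host names and addresses and only a subset of the real columns; the function names are hypothetical.

```python
import csv
from collections import Counter

# Constructed sample in the message tracking log layout: '#' header lines,
# a '#Fields:' line naming the columns, then CSV rows. Only a subset of the
# real columns is shown; IPs, hosts and addresses are made up.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,client-hostname,source,event-id,message-subject,sender-address,recipient-count
2013-06-10T12:01:02.000Z,192.0.2.15,PC-015,SMTP,RECEIVE,Invoice,user1@example.com,1
2013-06-10T12:01:05.000Z,192.0.2.40,PC-040,SMTP,RECEIVE,June newsletter,sales@example.com,250
2013-06-10T12:01:09.000Z,192.0.2.40,PC-040,SMTP,RECEIVE,June newsletter,sales@example.com,250
2013-06-10T12:02:11.000Z,192.0.2.40,PC-040,SMTP,RECEIVE,"Offer, ends today",sales@example.com,180
2013-06-10T12:18:25.000Z,,,STOREDRIVER,RECEIVE,Automatic reply: Your Complimentary Credit Scores Are Waiting For You,<>,1
2013-06-10T12:19:00.000Z,192.0.2.15,PC-015,SMTP,SEND,Invoice,user1@example.com,1
"""

def read_tracking_rows(text):
    """Return one dict per event, using the '#Fields:' line as the header."""
    fields, data = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line.strip() and not line.startswith("#"):
            data.append(line)
    if fields is None:
        raise ValueError("no #Fields: header found")
    return list(csv.DictReader(data, fieldnames=fields))

def summarize(rows):
    """Total recipients per (client IP, sender), plus null-sender subjects."""
    per_client, null_subjects = Counter(), Counter()
    for r in rows:
        if r["event-id"] != "RECEIVE":
            continue  # count each message once, at submission
        if r["sender-address"] == "<>":
            null_subjects[r["message-subject"]] += 1
        key = (r["client-ip"] or "(local)", r["sender-address"])
        per_client[key] += int(r["recipient-count"] or 0)
    return per_client, null_subjects

if __name__ == "__main__":
    clients, nulls = summarize(read_tracking_rows(SAMPLE_LOG))
    for (ip, sender), total in clients.most_common(5):
        print(f"{total:6d} recipients  {ip:15s} {sender}")
    for subject, n in nulls.items():
        print(f"null sender x{n}: {subject}")
```

A single client IP that accounts for most of the recipient volume is the machine or application to examine first, whether the cause is malware or a bulk mailing.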

Author Comment

ID: 39334156
It ended up that they were sending bulk emails and getting listed on some spam list (not blacklisted).

Author Comment

ID: 39334194
I've requested that this question be closed as follows:

Accepted answer: 0 points for TBIRD2340's comment #a39334156

for the following reason:

This was the reason.
LVL 35

Expert Comment

by:Paul MacDonald
ID: 39334174
"As [Machienet] notes, it's possible to be blocked without being on a public RBL."
You really should assign points to [Machienet].
LVL 13

Expert Comment

by:Michael Machie
ID: 39334445
Thanks [paulmacd] and [tbird2340]