Exchange users' email being flagged as spam - Need help troubleshooting please..

Posted on 2013-06-12
Last Modified: 2013-07-17
Have a customer with an Exchange 2010 environment.. Starting last week they started receiving NDRs when trying to send emails to multiple domains.. It's not limited to a certain domain and it's not limited to a certain user..

According to the IT contact these are domains they email on a daily basis and have never had any issues..

They aren't on any blacklists and their server is clean (virus scan).. Their server is not an open relay.. Not using smart host..

I have tested to a domain bouncing them by sending a test email with no signature etc and I immediately get the bounce..

In the queue viewer there were emails that had a from address of <> that definitely looked like spam (subject line).. Is there any way I can track these down?

Email in queue viewer:

Identity: SERVER\73247\484884
Subject: Automatic reply: Your Complimentary Credit Scores Are Waiting For You
Internet Message ID: <c442983d72b840ea9e50847ea0b7db72@SERVER.DOMAIN.LOCAL>
From Address: <>
Status: Suspended
Size (KB): 4
Message Source Name: FromLocal
Source IP:
SCL: -1
Date Received: 6/10/2013 12:18:25 PM
Expiration Time: 6/12/2013 12:18:25 PM
Last Error:
Queue ID: SERVER\73247

NDR Sample: rejected your message to the following e-mail addresses: ( gave this error:
[P4] Message blocked due to spam content in the message.
Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept e-mail from certain senders, or another restriction may be preventing delivery.

Diagnostic information for administrators:
Generating server: SERVER.DOMAIN.LOCAL #554 5.7.1 [P4] Message blocked due to spam content in the message. ##
Original message headers:
Received: from SERVER.DOMAIN.LOCAL ([::1]) by SERVER.DOMAIN.LOCAL ([::1]) with
 mapi id 14.01.0355.002; Wed, 12 Jun 2013 08:44:36 -0400
From: TEST <>
To: "" <>
Subject: Test
Thread-Topic: Test
Thread-Index: Ac5napgxn9FVzAFnTBO0tanTNiiG8Q==
Date: Wed, 12 Jun 2013 12:44:35 +0000
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative;
MIME-Version: 1.0

Ideas on what do look at?

Question by:TBIRD2340
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
LVL 13

Accepted Solution

Michael Machie earned 500 total points
ID: 39241200
Are all outgoing emails bouncing back?

If attempting to send the same email to only one recipient at a time, does it succeed?
Can you send it to your personal (non-work) email address such as a Hotmail/Gmail address to test?

I know you mentioned your Domain was not blacklisted but I do know that my company has been flagged before and emails sent to some, but not all, external domains would fail. I had to clear us from the blacklist.

On another note, the receiving Domains may have filters and appliances to stop spam and if your Domain is blacklisted on their device you will receive this message as well.
If you are certain your Domain is not blacklisted then you may need to ask those recipients to whitelist your domain or email address.  The SPAM filters at their end are most likely identifying your emails as SPAM.
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39241373
As [Machienet] notes, it's possible to be blocked without being on a public RBL.  

In any case, it sounds as if your client is, in fact, sending out spam e-mails.  I realize you've scanned the mail server itself, but it looks like the spam is coming from within the network, so you should have them begin a systematic check of all their computers.

Author Comment

ID: 39241411
No, not all outgoing emails.. Just to certain domains.. They have already contacted a few domains to get whitelisted but that is a pain to do and want to know why this happened..

Server is clean and I advised him to do a full scan on all PCs which he's trying to get scheduled..

Generally when this happens it is malware.. I'm just trying to figure out how to either pinpoint the PC(s) that are causing it or if there are none infected, what to do next..
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

LVL 34

Expert Comment

by:Paul MacDonald
ID: 39241529
You could set up Wireshark or Network Monitor and capture traffic going to the mail server.  There will be a lot of traffic to weed through, but that will help you to identify the culprit.  You'll need to look at the payload for packet data, to see which ones might be spam.  This will be difficult.  

Barring that, you might try log files on the mail server.  You won't get as much data this way, but if you know when a mail went out, you might be able to use that to determine where that mail came from.

Author Comment

ID: 39334156
It ended up that they were sending bulk emails and getting listed on some spam list (not blacklisted).

Author Comment

ID: 39334194
I've requested that this question be closed as follows:

Accepted answer: 0 points for TBIRD2340's comment #a39334156

for the following reason:

This was the reason.
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39334174
"As [Machienet] notes, it's possible to be blocked without being on a public RBL."
You really should assign points to [Machienet].
LVL 13

Expert Comment

by:Michael Machie
ID: 39334445
thanks [paulmacd] and [tbird2340]

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question