Spam messages on Exchange 2010 server


Today we are getting a lot of spam mails on one of our servers.
Could this be an infection on our network? All the mails are coming from our domain name and I'm not sure if all of them are spoofed or not?

Below you can find the mail header (I changed our domain name to "ourdomainname" and "externaldomainname"). We are currently using the POP3 connector on the SBS 2011 server to retrieve the mails.

Received: from SBS-SERVER ( by
( with Microsoft SMTP Server id 14.1.438.0; Tue, 3 Sep 2013
04:52:48 +0200
Received: by [ (Microsoft Connector for POP3
Mailboxes)] id <"{7E84D4B0-3B9E-416E-8C0E-4F682E1E16A6}">;
Tue, 3 Sep 2013 04:52:48 +0200
Resent-Sender: <>
Return-Path: <>
Received: (qmail 29086 invoked by uid 1010); 3 Sep 2013 02:48:41 -0000
Received: from unknown (HELO (  by with SMTP; 3 Sep 2013 02:48:41 -0000
Received: from ( []) by (Postfix) with ESMTP            for <>; Tue,  3 Sep
2013 04:48:41 +0200 (CEST)
Received: from [] (     by with esmtp (Exim 4.72)  (envelope-from
<>)            id 1VGgf9-0007kl-NJ      for; Tue,
03 Sep 2013 04:48:25 +0200
Received: from [] (       by with esmtp (Exim 4.80.1) (envelope-from
<>)            id 1VGgfU-00069T-Td    for; Tue,
03 Sep 2013 04:48:37 +0200
Message-ID: <>
Date: Mon, 2 Sep 2013 21:48:11 -0500
From: <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv: Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: <>
Subject: Komt te weten hoe mensen van uw beroep met 30% meer kunnen verdienen!
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 7bit
Received-SPF: softfail ( transitioning domain of does not designate as permitted sender) client-ip=;;;
X-SPF-Result: transitioning domain of does not designate as permitted sender
X-Sender-Warning: Reverse DNS lookup failed for (failed)
X-Filter-ID: XtLePq6GTMn8G68F0EmQve8P4jsjAhrGE5yAAGixSSTJ9oYsd24rJ//Z8NFSaENBD0NLxQssTjZU
Authentication-Results:; spf=softfail
X-Mailfiltering-Class: whitelisted
X-Mailfiltering-Evidence: sender
X-Recommended-Action: accept
X-Virus-Scanned: Passed
X-Spam-Scanned: 10
X-Spam-Report: The following rules were applied for tagging this message
  pts rule name              description
---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                              for more information.
  1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
X-Virus-Scanned: Passed
X-Spam-Scanned: -1.5
X-Spam-Status: NO
X-Scanned-By: externaldomainname mailfilter
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.10004.505;OrigIP:unavailable

Although for Exchange 2003, please read:

Specifically look for the Event ID 1708 which should point you to an infected PC.

If this is the case then change passwords and clean PC.

Neil Russell, Technical Development Lead, commented:
From reading the message headers, these emails did NOT originate inside your network.
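The checks behind that kind of header reading, as an added example that is not part of the original thread: it takes the earliest Received hop, the SPF verdict and Exchange's AuthAs stamp and flags a message that claims the local domain but entered from outside. The sample header is constructed (placeholder `.example` domains and documentation IP ranges), and the `triage` function and its field names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample modelled on the header in the question; all names/IPs are placeholders.
SAMPLE = """\
Received: from SBS-SERVER (192.168.1.10) by SBS-SERVER.ourdomainname.example
 (192.168.1.10) with Microsoft SMTP Server id 14.1.438.0; Tue, 3 Sep 2013 04:52:48 +0200
Received: by SBS-SERVER (Microsoft Connector for POP3 Mailboxes); Tue, 3 Sep 2013 04:52:48 +0200
Received: from mx.externaldomainname.example (198.51.100.7) by pop.externaldomainname.example
 with SMTP; 3 Sep 2013 02:48:41 -0000
Received: from [203.0.113.55] (helo=unknown) by mx.externaldomainname.example
 with esmtp (Exim 4.80.1); Tue, 03 Sep 2013 04:48:37 +0200
From: <info@ourdomainname.example>
To: <user@ourdomainname.example>
Received-SPF: softfail (ourdomainname.example does not designate 203.0.113.55) client-ip=203.0.113.55;
X-MS-Exchange-Organization-AuthAs: Anonymous

body
"""

def triage(raw, own_domain):
    """Summarise where a message claiming to be from own_domain entered the mail path."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received", [])
    # Received headers are prepended by each server, so the last one is the earliest hop.
    first_hop = " ".join(hops[-1].split()) if hops else ""
    ip = re.search(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", first_hop)
    spf = (msg.get("Received-SPF", "none").split() or ["none"])[0].lower()
    auth_as = msg.get("X-MS-Exchange-Organization-AuthAs", "").strip()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    claims_own = from_domain == own_domain.lower()
    # Spoof indicators: our domain in From, SPF did not pass, and Exchange
    # did not stamp the message as coming from an authenticated internal sender.
    spoofed = claims_own and spf in ("softfail", "fail") and auth_as != "Internal"
    return {
        "origin_ip": ip.group(1) if ip else None,
        "spf": spf,
        "auth_as": auth_as,
        "via_pop3_connector": any("Connector for POP3" in h for h in hops),
        "likely_spoofed_external": spoofed,
    }

if __name__ == "__main__":
    print(triage(SAMPLE, "ourdomainname.example"))
```

Mail pulled in through the POP3 connector was already accepted by the upstream provider, so the SPF verdict to rely on is the one that provider recorded, not one computed on the SBS server.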

Benderama (Author) commented:
Hello, I can't find any Event ID 1708.

So if the mails did not originate from inside the network, I guess one of our client PCs with our address list got infected and is sending out the spam?

The weird part is that it's really good spam, it really looks like legit mail and our spam filters are not seeing this as spam.

I guess I'll just tighten up the anti-spam software for a few days and see what happens.
Yes if no Event ID 1708 then not from internal, would be my guess.

I would still update and scan all PCs anyway.

But need to get your Spam levels increased and message Filters etc.

Is your mail spam checked before it is collected via POP3 connector on your server?
Any joy with this one, Benderama?