Spam messages on Exchange 2010 server

Posted on 2013-09-03
Medium Priority
Last Modified: 2013-11-19

Today we are getting a lot of spam mails on one of our servers.
Could this be an infection on our network? All the mails are coming from our domain name and I'm not sure if all of them are spoofed or not.

Below you can find the mail header (I changed our domain name to "ourdomainname"
and the external one to "externaldomainname"). We are currently using the POP3 connector on the SBS 2011 server to retrieve the mails.

Received: from SBS-SERVER ( by SBS-SERVER.ourdomainname.be.local
( with Microsoft SMTP Server id 14.1.438.0; Tue, 3 Sep 2013
04:52:48 +0200
Received: by [SBS-SERVER.ourdomainname.be.local (Microsoft Connector for POP3
Mailboxes)] id <"{7E84D4B0-3B9E-416E-8C0E-4F682E1E16A6}"@ourdomainname.be.local>;
Tue, 3 Sep 2013 04:52:48 +0200
Resent-Sender: <pop3connector@ourdomainname.be.local>
Return-Path: <subjugationor2@google.com>
Delivered-To: info@ourdomainname.be.be
Received: (qmail 29086 invoked by uid 1010); 3 Sep 2013 02:48:41 -0000
Received: from unknown (HELO mx10.externaldomainname.be) (  by
mx-03.externaldomainname.be with SMTP; 3 Sep 2013 02:48:41 -0000
Received: from mx10-05.externaldomainname.be (mx10-05.externaldomainname.be []) by
mx10.externaldomainname.be (Postfix) with ESMTP            for <info@ourdomainname.be.be>; Tue,  3 Sep
2013 04:48:41 +0200 (CEST)
Received: from [] (helo=node02.externaldomainname.be)     by
mx10-05.externaldomainname.be with esmtp (Exim 4.72)  (envelope-from
<subjugationor2@google.com>)            id 1VGgf9-0007kl-NJ      for info@ourdomainname.be.be; Tue,
03 Sep 2013 04:48:25 +0200
Received: from [] (helo=client-       by
node02.externaldomainname.be with esmtp (Exim 4.80.1) (envelope-from
<subjugationor2@google.com>)            id 1VGgfU-00069T-Td    for info@ourdomainname.be.be; Tue,
03 Sep 2013 04:48:37 +0200
Message-ID: <52254BDC.502040@ourdomainname.be.be>
Date: Mon, 2 Sep 2013 21:48:11 -0500
From: <info@ourdomainname.be.be>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv: Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: <info@ourdomainname.be.be>
Subject: Komt te weten hoe mensen van uw beroep met 30% meer kunnen verdienen!
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 7bit
Received-SPF: softfail (node02.externaldomainname.be: transitioning domain of google.com does not designate as permitted sender) client-ip=; envelope-from=subjugationor2@google.com; helo=client-;
X-SPF-Result: node02.externaldomainname.be: transitioning domain of google.com does not designate as permitted sender
X-Sender-Warning: Reverse DNS lookup failed for (failed)
X-Filter-ID: XtLePq6GTMn8G68F0EmQve8P4jsjAhrGE5yAAGixSSTJ9oYsd24rJ//Z8NFSaENBD0NLxQssTjZU
Authentication-Results: externaldomainname.be; spf=softfail smtp.mailfrom=subjugationor2@google.com
X-Mailfiltering-Class: whitelisted
X-Mailfiltering-Evidence: sender
X-Recommended-Action: accept
X-Virus-Scanned: Passed
X-Spam-Scanned: 10
X-Spam-Report: The following rules were applied for tagging this message
  pts rule name              description
---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                              for more information.
                             [URIs: carersinholland.com]
  1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
X-Virus-Scanned: Passed
X-Spam-Scanned: -1.5
X-Spam-Status: NO
X-Scanned-By: externaldomainname mailfilter
X-MS-Exchange-Organization-AuthSource: SBS-SERVER.ourdomainname.be.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.10004.505;OrigIP:unavailable
Question by: Benderama

Accepted Solution

jerseysam earned 2000 total points
ID: 39459972
Although this is for Exchange 2003, please read:


Specifically look for the Event ID 1708 which should point you to an infected PC.

If this is the case, then change passwords and clean the PC.

Expert Comment

by: Neil Russell
ID: 39460002
From reading the message headers, these emails did NOT originate inside your network.
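One way to read the chain the way Neil Russell describes, as an added example that is not part of any post on this page: the script below parses a pasted header block, walks the Received: lines newest-first for as long as the receiving server is one we trust (our own SBS/Exchange host and the provider's MX hosts that the POP3 connector collects from), and reports the last trusted hop as the point where the message entered the mail path. Anything older than that hop was written by the sender and proves nothing. It then compares the From: domain with the envelope sender in Return-Path and reads the provider's SPF verdict. Host and domain names are the placeholders from the question; the IP addresses, the external client's HELO name and the second "LAN" sample (a workstation submitting straight to Exchange, the infected-PC case the accepted solution looks for) are constructed, because the page has those values stripped.

```python
import email
import re
from email.utils import parseaddr

# Names from the question. The provider's MX hosts count as trusted relays because
# the POP3 connector collects from them; hops older than theirs are sender-written.
OUR_MAIL_DOMAIN = "ourdomainname.be.be"      # the address forged in From:
INTERNAL_SUFFIX = "ourdomainname.be.local"   # our SBS/Exchange host names
PROVIDER_SUFFIX = "externaldomainname.be"    # the provider's MX host names
TRUSTED_SHORT_HOSTS = {"sbs-server"}         # unqualified name Exchange logs for itself

# Constructed sample modelled on the question's headers. The page had its IP
# addresses stripped, so RFC 5737 documentation addresses stand in for them.
SAMPLE_HEADERS = """\
Received: from SBS-SERVER (192.0.2.10) by SBS-SERVER.ourdomainname.be.local
 (192.0.2.10) with Microsoft SMTP Server id 14.1.438.0; Tue, 3 Sep 2013 04:52:48 +0200
Received: by [SBS-SERVER.ourdomainname.be.local (Microsoft Connector for POP3
 Mailboxes)] id <"{7E84D4B0-3B9E-416E-8C0E-4F682E1E16A6}"@ourdomainname.be.local>;
 Tue, 3 Sep 2013 04:52:48 +0200
Return-Path: <subjugationor2@google.com>
Received: from [198.51.100.7] (helo=node02.externaldomainname.be) by
 mx10-05.externaldomainname.be with esmtp (Exim 4.72) (envelope-from <subjugationor2@google.com>)
 id 1VGgf9-0007kl-NJ for info@ourdomainname.be.be; Tue, 03 Sep 2013 04:48:25 +0200
Received: from [203.0.113.44] (helo=client-203-0-113-44.example) by
 node02.externaldomainname.be with esmtp (Exim 4.80.1) (envelope-from <subjugationor2@google.com>)
 id 1VGgfU-00069T-Td for info@ourdomainname.be.be; Tue, 03 Sep 2013 04:48:37 +0200
From: <info@ourdomainname.be.be>
Authentication-Results: externaldomainname.be; spf=softfail smtp.mailfrom=subjugationor2@google.com
X-MS-Exchange-Organization-AuthAs: Anonymous
"""

# Constructed contrast case: a LAN workstation submitting straight to Exchange,
# which is what an infected PC on the network would look like.
INTERNAL_SAMPLE = """\
Received: from WS-042 (192.0.2.55) by SBS-SERVER.ourdomainname.be.local
 (192.0.2.10) with Microsoft SMTP Server id 14.1.438.0; Tue, 3 Sep 2013 05:01:00 +0200
Return-Path: <info@ourdomainname.be.be>
From: <info@ourdomainname.be.be>
"""

HOP_RE = re.compile(
    r"^(?:from\s+(?P<src>\S+)\s*"
    r"(?:\((?P<src_info>[^)]*)\)\s*)?"
    r"(?:\((?P<extra>[^)]*)\)\s*)?)?"
    r"by\s+\[?(?P<by>[^\s\]]+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def is_internal(host):
    """True for our own SBS/Exchange server."""
    h = host.lower().strip("[]")
    return h in TRUSTED_SHORT_HOSTS or h.endswith(INTERNAL_SUFFIX)


def is_trusted(host):
    """True for servers whose Received: lines we believe: ours and the provider's."""
    h = host.lower().strip("[]")
    return is_internal(h) or h == PROVIDER_SUFFIX or h.endswith("." + PROVIDER_SUFFIX)


def parse_hops(msg):
    """Received: hops newest-first as {src, src_ip, by}; unparseable lines are skipped."""
    hops = []
    for raw in msg.get_all("Received", []):
        value = re.sub(r"\r?\n[ \t]+", " ", raw)  # unfold RFC 5322 continuation lines
        m = HOP_RE.match(value)
        if not m:
            continue
        blob = " ".join(filter(None, (m.group("src"), m.group("src_info"), m.group("extra"))))
        ip = IPV4_RE.search(blob)
        hops.append({"src": m.group("src"), "src_ip": ip.group(0) if ip else None, "by": m.group("by")})
    return hops


def find_ingress(hops):
    """Walk newest-first while the receiving server is trusted; the last such hop is
    where the message entered our side of the path. Older hops are sender-written."""
    ingress = None
    for hop in hops:
        if not is_trusted(hop["by"]):
            break
        ingress = hop
    return ingress


def analyse(raw_headers):
    msg = email.message_from_string(raw_headers)
    hops = parse_hops(msg)
    ingress = find_ingress(hops)
    header_from = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    spf = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    origin = "internal" if ingress and is_internal(ingress["by"]) else "external"
    return {
        "hops": hops,
        "origin": origin,
        "ingress_server": ingress["by"] if ingress else None,
        "ingress_client_ip": ingress["src_ip"] if ingress else None,
        "header_from_domain": header_from,
        "envelope_from_domain": envelope_from,
        "spf": spf.group(1).lower() if spf else None,
        "exchange_auth": msg.get("X-MS-Exchange-Organization-AuthAs"),
        # From: claims our own domain but the message came in from outside: spoofed.
        "own_domain_spoofed": origin == "external" and header_from == OUR_MAIL_DOMAIN,
    }


if __name__ == "__main__":
    for name, sample in (("question sample", SAMPLE_HEADERS), ("LAN sample", INTERNAL_SAMPLE)):
        r = analyse(sample)
        print(f"{name}: origin={r['origin']}, entered at {r['ingress_server']} from "
              f"{r['ingress_client_ip']}, From={r['header_from_domain']}, "
              f"envelope={r['envelope_from_domain']}, spf={r['spf']}, spoofed={r['own_domain_spoofed']}")
```

For the question's headers the entry point is the provider's node02 host accepting from an outside client, not the SBS server, so the From: address in our own domain is forged; the SPF softfail on google.com only says the envelope sender is forged too. The SBS server itself only sees the message when the POP3 connector pulls it, which is why Exchange stamps it AuthAs: Anonymous. Two caveats: a single softfail is weak evidence on its own, and the quoted headers also carry X-Mailfiltering-Class: whitelisted with X-Mailfiltering-Evidence: sender, which is consistent with the provider's filter trusting the forged sender address; worth checking whether your own domain or address sits on an allow-list there.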

Author Comment

ID: 39460035
Hello, I can't find any Event ID 1708.

So if the mails did not originate from inside the network, I guess one of our client PCs with our address list got infected and is sending out the spam?

The weird part is that it's really good spam; it really looks like legit mail and our spam filters are not seeing this as spam.

I guess I'll just tighten up the anti-spam software for a few days and see what happens.

Expert Comment

ID: 39460059
Yes, if there is no Event ID 1708 then it is not from internal, would be my guess.

I would still update and scan all PCs anyway.

But you need to get your spam levels increased and message filters etc.

Is your mail spam-checked before it is collected via the POP3 connector on your server?

Expert Comment

ID: 39539276
Any joy with this one, Benderama?
