Spam messages on Exchange 2010 server

Hello,

Today we are getting a lot of spam mails on one of our servers.
Could this be an infection on our network? All the mails are coming from our domain name and I'm not sure if all of them are spoofed or not.

Below you can find the mail header (I changed our domain name to "ourdomainname" and "externaldomainname"). We are currently using the POP3 connector on the SBS 2011 server to retrieve the mails.



Received: from SBS-SERVER (127.0.0.1) by SBS-SERVER.ourdomainname.be.local
(127.0.0.1) with Microsoft SMTP Server id 14.1.438.0; Tue, 3 Sep 2013
04:52:48 +0200
Received: by [SBS-SERVER.ourdomainname.be.local (Microsoft Connector for POP3
Mailboxes)] id <"{7E84D4B0-3B9E-416E-8C0E-4F682E1E16A6}"@ourdomainname.be.local>;
Tue, 3 Sep 2013 04:52:48 +0200
Resent-Sender: <pop3connector@ourdomainname.be.local>
Return-Path: <subjugationor2@google.com>
Delivered-To: info@ourdomainname.be.be
Received: (qmail 29086 invoked by uid 1010); 3 Sep 2013 02:48:41 -0000
Received: from unknown (HELO mx10.externaldomainname.be) (127.0.0.1)  by
mx-03.externaldomainname.be with SMTP; 3 Sep 2013 02:48:41 -0000
Received: from mx10-05.externaldomainname.be (mx10-05.externaldomainname.be [62.182.61.105]) by
mx10.externaldomainname.be (Postfix) with ESMTP            for <info@ourdomainname.be.be>; Tue,  3 Sep
2013 04:48:41 +0200 (CEST)
Received: from [62.182.60.245] (helo=node02.externaldomainname.be)     by
mx10-05.externaldomainname.be with esmtp (Exim 4.72)  (envelope-from
<subjugationor2@google.com>)            id 1VGgf9-0007kl-NJ      for info@ourdomainname.be.be; Tue,
03 Sep 2013 04:48:25 +0200
Received: from [201.240.25.78] (helo=client-201.240.25.78.speedy.net.pe)       by
node02.externaldomainname.be with esmtp (Exim 4.80.1) (envelope-from
<subjugationor2@google.com>)            id 1VGgfU-00069T-Td    for info@ourdomainname.be.be; Tue,
03 Sep 2013 04:48:37 +0200
Message-ID: <52254BDC.502040@ourdomainname.be.be>
Date: Mon, 2 Sep 2013 21:48:11 -0500
From: <info@ourdomainname.be.be>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: <info@ourdomainname.be.be>
Subject: Komt te weten hoe mensen van uw beroep met 30% meer kunnen verdienen!
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 7bit
Received-SPF: softfail (node02.externaldomainname.be: transitioning domain of google.com does not designate 201.240.25.78 as permitted sender) client-ip=201.240.25.78; envelope-from=subjugationor2@google.com; helo=client-201.240.25.78.speedy.net.pe;
X-SPF-Result: node02.externaldomainname.be: transitioning domain of google.com does not designate 201.240.25.78 as permitted sender
X-Sender-Warning: Reverse DNS lookup failed for 201.240.25.78 (failed)
X-Filter-ID: XtLePq6GTMn8G68F0EmQve8P4jsjAhrGE5yAAGixSSTJ9oYsd24rJ//Z8NFSaENBD0NLxQssTjZU
Ey4vm0HJJ/hoGECMHBYAF/orpnVDJKmMMjwow6TbZwfl/P2ph186CmirRzJrIxbUEQuerTMJNEPO
pTYU/X89ghzlSph6Vv7qf0qesBfBcb6zAOhH54HJzkrOCbOFVgCd5sotaRc6IYCaVu4tL02rwAls
OJQOWvTfX8TdqEXkwxwMjsp2mNApczbw4NtG1DP2+Xf/ghgDK1CWg9H8VX2op75oH/kacb7Nexzh
l6/yrzoxWGO7qHLWMrWtMRGpicEQOmdxqTzlV6NwWyI7ROagOfW+S5AvJFCg3qv1TVIpbUymIApx
Q97YKllCUxOUykgxcKIwQ1MQJWKWs7/QTnMesWJuPTfmkv0BIkUL/j1Y48GvmeURQjjEZMoUbQXa
TfrFTPLWa3C/59dqCbBnZOHZ7/P36hIJghJk/iGTa2C3FpetN1DL040cuzN1AMlcK/JP6lAQQgG9
ow==
Authentication-Results: externaldomainname.be; spf=softfail smtp.mailfrom=subjugationor2@google.com
X-Mailfiltering-Class: whitelisted
X-Mailfiltering-Evidence: sender
X-Recommended-Action: accept
X-Virus-Scanned: Passed
X-Spam-Scanned: 10
X-Spam-Report: The following rules were applied for tagging this message
  pts rule name              description
---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                             See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: carersinholland.com]
  1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
X-Virus-Scanned: Passed
X-Spam-Scanned: -1.5
X-Spam-Status: NO
X-Scanned-By: externaldomainname mailfilter
X-MS-Exchange-Organization-AuthSource: SBS-SERVER.ourdomainname.be.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.10004.505;OrigIP:unavailable
Benderama asked:

jerseysam commented:
Although for Exchange 2003, please read:


http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn%27t-send.html

Specifically look for the Event ID 1708 which should point you to an infected PC.

If this is the case then change passwords and clean PC.

Neil Russell (Technical Development Lead) commented:
From reading the message headers, these emails did NOT originate inside your network.
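The header reading behind this answer, as an added example that is not part of the original thread: it walks the Received fields of a constructed excerpt of the posted header from the newest stamp back to the oldest one written by a trusted relay, then reports the handing-off IP, the SPF verdict and whether From matches the envelope sender. The `TRUSTED` suffixes and the function name `analyse` are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SMTP hops and sender fields taken from the header in the question.
SAMPLE = """\
Received: from SBS-SERVER (127.0.0.1) by SBS-SERVER.ourdomainname.be.local
 (127.0.0.1) with Microsoft SMTP Server id 14.1.438.0; Tue, 3 Sep 2013 04:52:48 +0200
Return-Path: <subjugationor2@google.com>
Received: from mx10-05.externaldomainname.be (mx10-05.externaldomainname.be [62.182.61.105])
 by mx10.externaldomainname.be (Postfix) with ESMTP; Tue, 3 Sep 2013 04:48:41 +0200
Received: from [62.182.60.245] (helo=node02.externaldomainname.be)
 by mx10-05.externaldomainname.be with esmtp (Exim 4.72); Tue, 03 Sep 2013 04:48:25 +0200
Received: from [201.240.25.78] (helo=client-201.240.25.78.speedy.net.pe)
 by node02.externaldomainname.be with esmtp (Exim 4.80.1); Tue, 03 Sep 2013 04:48:37 +0200
From: <info@ourdomainname.be.be>
Received-SPF: softfail (node02.externaldomainname.be: transitioning domain of google.com
 does not designate 201.240.25.78 as permitted sender) client-ip=201.240.25.78;
"""

# Assumption: relays whose Received stamps we believe (our server, our mail provider).
TRUSTED = (".ourdomainname.be.local", ".externaldomainname.be")
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def analyse(raw, trusted=TRUSTED):
    msg = message_from_string(raw)
    origin = None
    # Each relay prepends its own field, so get_all() runs newest to oldest.
    for field in msg.get_all("Received", []):
        sender, _, rest = " ".join(field.split()).partition(" by ")
        by_host = rest.split()[0].rstrip(";").lower() if rest else ""
        if not by_host.endswith(trusted):
            break  # stamped by a host we do not trust: this and older fields may be forged
        found = IP_RE.search(sender)
        if found:
            origin = found.group(1)  # keeps moving back to the oldest trusted stamp
    addr = ipaddress.ip_address(origin) if origin else None
    envelope = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    visible = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "origin_ip": origin,
        "origin_internal": bool(addr and (addr.is_private or addr.is_loopback)),
        "spf": (msg.get("Received-SPF", "").split() or ["none"])[0].lower(),
        "from_matches_envelope": envelope == visible,
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
```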

Benderama (author) commented:
Hello, I can't find any Event ID 1708.

So if the mails did not originate from inside the network, I guess one of our client PCs with our address list got infected and is sending out the spam?

The weird part is that it's really good spam; it really looks like legit mail and our spam filters are not seeing this as spam.

I guess I'll just tighten up the anti-spam software for a few days and see what happens.
jerseysam commented:
Yes, if no Event ID 1708 then not from internal, would be my guess.

I would still update and scan all PCs anyway.

But need to get your spam levels increased and message filters etc.

Is your mail spam checked before it is collected via POP3 connector on your server?
jerseysam commented:
Any joy with this one, Benderama?