We are running an in-house SBS 2011 single Exchange Server. One of my clients is suffering an enormous amount of spam (anything from 50 to 200 spam messages every day). No one else on our network seems to have too much of a problem. All of the spam seems to be flagged with SCL -1, indicating that it is internal, but I have had no luck in trying to track this down. I attach an example of two headers from spam messages followed by two headers from 'normal' valid messages for comparison. I have changed the name of our server to mail.fiction.co.uk and our legitimate user to john.smith@fiction.co.uk, and changed a few names and numbers to protect the innocent. The rest is pretty much cut and pasted as it is. Can anyone help me determine what is going on here? Edited-Email-Headers.docx
Tags: AntiSpam, SBS, Exchange
Last comment: Alan Bateman, 8/22/2022 (Mon)
donnk
Both look to be externally received:
Received: from nad-fb63e897ada (77.29.186.218)
Received: from kristina (77.xx.yyy.123)
What spam software are you using on Exchange?
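As an added example (not posted by anyone in the thread), here is how to read a Received: chain the way donnk did above, but mechanically: walk the hops oldest-first and report the first one that came from a public address, then pull out the SCL Exchange stamped. The header text is constructed for illustration; it reuses the relay address 77.29.186.218 and the SBS address 192.168.8.4 quoted in the thread, while the mapi hop, HELO names and From/To are made up.

```powershell
# Added example, not from the thread. Sample header below is constructed.

function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    # RFC 1918 ranges plus loopback count as "inside" for this purpose.
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168) -or
           ($o[0] -eq 127)
}

function Get-ReceivedChain {
    param([Parameter(Mandatory)][string]$RawHeader)
    # Unfold continuation lines first (a line starting with whitespace belongs
    # to the previous header line), then keep only the Received: lines.
    $unfolded = $RawHeader -replace "`r?`n[ \t]+", ' '
    $received = @($unfolded -split "`r?`n" | Where-Object { $_ -match '^Received:' })
    # Each hop prepends its own Received: line, so the last one is the oldest.
    [array]::Reverse($received)
    foreach ($line in $received) {
        # "from <helo> (<optional junk><ipv4>" covers "(1.2.3.4)" and "([1.2.3.4])".
        if ($line -match 'from\s+(\S+)\s+\(([^)]*?)(\d{1,3}(?:\.\d{1,3}){3})') {
            [pscustomobject]@{
                Helo     = $Matches[1]
                SourceIp = $Matches[3]
                Private  = Test-PrivateIPv4 $Matches[3]
            }
        }
    }
}

# Constructed sample: an Internet hop accepted by the SBS box, then the
# internal mapi delivery hop on top of it, and the -1 stamp from Exchange.
$sample = @"
Received: from mail.fiction.co.uk ([192.168.8.4]) by mail.fiction.co.uk
 ([192.168.8.4]) with mapi
Received: from nad-fb63e897ada (77.29.186.218) by mail.fiction.co.uk
 (192.168.8.4) with Microsoft SMTP Server
X-MS-Exchange-Organization-SCL: -1
From: someone@example.com
To: john.smith@fiction.co.uk
Subject: constructed sample
"@

$chain = Get-ReceivedChain -RawHeader $sample
$chain | Format-Table Helo, SourceIp, Private -AutoSize

$firstExternal = $chain | Where-Object { -not $_.Private } | Select-Object -First 1
if ($firstExternal) {
    "Entered the organisation from public address $($firstExternal.SourceIp) (HELO '$($firstExternal.Helo)')"
}
if ($sample -match '(?m)^X-MS-Exchange-Organization-SCL:\s*(-?\d+)') {
    "SCL stamped by Exchange: $($Matches[1])"
}
```

The point of the oldest-first walk is that only the hop where the message first touched your server tells you whether it arrived from the Internet; everything above it is internal routing and will always show private addresses. If that first hop is public and the SCL is still -1, the mail was accepted on a connector or via a bypass that Exchange treats as trusted, not generated inside the network.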
Alan Bateman
ASKER
I certainly agree they look like externally received, but why do they get an SCL value of -1 assigned to them? That seems to be treated as 'internal' and all antispam software allows it into the user's Inbox. I was using Microsoft's Forefront before all this happened, but I removed it to see if it made any difference. (I thought Forefront may have been assigning the -1 value.) I have re-enabled Exchange's inbuilt antispam features including content filtering, which Forefront turned off. None of this has got me anywhere; the problem was happening before with Forefront and is still happening now with only Exchange native antispam features. They don't seem to do much good. Should I trial something like Trend Micro or GFI? I was hoping to get a handle on where this was coming from before taking appropriate action.
Simon Butler (Sembee)
If the messages are being tagged with -1 SCL then nothing else is going to touch them.
Does your email come in directly? Has the end user whitelisted anything that could be the cause of it?
So this is the real issue. How can I find out who or what is assigning the -1 SCL? The user has only known good contacts in his whitelist and the same happens to me when I download his email onto a virgin install of Outlook 2013 with no whitelist. The headers were taken from my clean Outlook install and the emails went straight into my new empty Inbox.
donnk
Forget Outlook; it has nothing to do with it.
You need to check exchange and see how your mail is being delivered (directly?) and what AV service you have.
Alan Bateman
ASKER
Yes the mail is being delivered directly. The MX pointer points to our Small Business Server 2011 which is running Exchange 2010. There is no Smart Host or anything. AV is only what comes with SBS 2011 (No third party products).
You really need some AV/AS product on the server asap. No way I would let a production server be exposed. Cryptolocker, for example?
Alan Bateman
ASKER
Content Filter Agent is enabled and Priority 5. I don't know if that's good or bad? The output from the Get-TransportPipeline command is attached. Don't really know what this means either. Get-TransportPipeline.docx
WORKS2011
Does the user with the large amount of spam have the issue on the workstation where Outlook is getting all the email? For example, if Outlook was closed and the user only used OWA, would there still be the problem? To me it sounds like there is an issue with a compromised workstation since it's only one user, but it could be the server.
I would run Malwarebytes on the workstation having the problem, run a full scan; it's likely there's a virtual SMTP sending email or relaying it, creating all the spam.
works2011 - per the headers posted the mail is generated externally to the company.
I agree it's an almost certainty that every PC with email access is infected, as they have no AV/AS software in place to catch any, and we all know when monitoring an email server loads of it are caught daily.
Seriously, go grab an eval copy of Avast small business or GFI, whatever, NOW and get it on your server, then let it scan the entire mail database!
We have had new clients in similar situations to the one you find yourself in and they can't believe it after the first scan when we present a report of 6 pages of A4 showing crap deleted from the mail database. You can always rely on a user to double click a zip attachment on a FedEx email!!
Alan Bateman
ASKER
I will run a Malwarebytes full scan on his workstation today. (7.35am here at the moment.) The 'virtual SMTP' creating all the spam was where I was thinking when I first posted this problem. But I need some help in identifying it. Presumably it could be a spam bot running on any of the PCs in the network. It is difficult to get this user to close down Outlook for any length of time. He gets a lot of legitimate mail, has multiple shared folders, shared calendars, task lists etc., and he is the business owner!
Simon Butler (Sembee)
Whitelists in Exchange are stored in the mailbox, not the Outlook client. Therefore a new installation of Outlook would show the same thing.
I would start by flushing out the white list, in most cases it isn't required.
The white list is used by Exchange to filter email, so that is the most likely cause if there are no applications on the server doing the job.
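As an added example (not from any poster in the thread), the Exchange 2010 Management Shell checks I would run to find out what is letting mail into a mailbox with SCL -1, covering both Simon's question about whether the mail comes in directly and his point that the safelist lives in the mailbox rather than in Outlook. All cmdlets are standard Exchange 2010 ones; the mailbox john.smith and the domain fiction.co.uk are the placeholders from the question, and the 24-hour window is an arbitrary choice.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on
# the SBS 2011 / Exchange 2010 server. Identity values are the thread's placeholders.

# 1. Which connector accepted the spam, and from which client IPs? RECEIVE
#    events on an authenticated/internal connector, or from an unexpected
#    internal host, point at a relay or bypass rather than straight Internet mail.
$since = (Get-Date).AddHours(-24)
Get-MessageTrackingLog -EventId RECEIVE -Recipients john.smith@fiction.co.uk -Start $since -ResultSize Unlimited |
    Group-Object ConnectorId, ClientIp |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Receive connector security. Mail accepted over a connector whose
#    AuthMechanism includes ExternalAuthoritative, or whose PermissionGroups give
#    ExchangeServers rights to anonymous Internet clients, is treated as trusted
#    and skips the anti-spam agents entirely.
Get-ReceiveConnector |
    Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# 3. The explicit anti-spam bypass right. An entry for
#    "NT AUTHORITY\ANONYMOUS LOGON" means unauthenticated senders bypass
#    filtering on that connector.
Get-ReceiveConnector | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like '*Bypass-Anti-Spam*' } |
    Format-Table Identity, User, Deny, ExtendedRights -AutoSize

# 4. Are the anti-spam agents actually registered and enabled?
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

# 5. Content filter scope and the server-wide bypass lists.
Get-ContentFilterConfig |
    Format-List Enabled, ExternalMailEnabled, InternalMailEnabled,
                SCLRejectEnabled, SCLRejectThreshold, SCLDeleteEnabled,
                SCLQuarantineEnabled, BypassedSenders, BypassedSenderDomains,
                BypassedRecipients

# 6. Connection-filtering allow list: anything listed here is never scored.
Get-IPAllowListEntry | Format-Table IPRange, ExpirationTime -AutoSize

# 7. The per-mailbox safelist. Safe Senders live in the mailbox and are
#    aggregated to the server, so a fresh Outlook profile sees the same list.
Get-MailboxJunkEmailConfiguration -Identity john.smith |
    Format-List Enabled, TrustedListsOnly, ContactsTrusted,
                TrustedSendersAndDomains, BlockedSendersAndDomains
```

Work through them in order: step 1 tells you which connector the spam came in on, steps 2 and 3 tell you whether that connector is trusting anonymous clients, steps 4 to 6 confirm the filters are running and not bypassing at server level, and step 7 is the whitelist Simon suggests clearing. If the bypass is in the connector permissions or AuthMechanism, flushing the user's Safe Senders will not change anything, which is why it is worth checking both before installing another product.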
OK. Here's what I've done today. Firstly I ran a full Malwarebytes scan on the user's m/c and it came up clean after a two hour scan. Zero suspect objects! I also downloaded Avast! Email Server Security and ran a full antivirus scan on my server. This took about 5 hours but also came up clean! However, the antispam feature of this product is obviously filtering incoming emails and has detected about 75% of our incoming email as spam. It is now labelling it with ***SPAM*** in the title but sending it on to the user anyway. It still comes into his inbox. There is an option to delete it, which seems to work, although this way I have no idea what it's deleting, where it is coming from or whether there are any false positives being deleted. Avast! doesn't seem to have many options like quarantining etc. All of the users are running Microsoft Security Essentials, which is green, up-to-date and showing no errors on the ones I've looked at. What should I do now?
WORKS2011
who has IP address 192.168.8.4 on your network?
Alan Bateman
ASKER
That is the Small Business Server running Exchange