Mac email spoofing?

Okay, situation where a C-level exec has a Mac bought and put on the network without IT involvement. (Yes, I know...)
Repeatedly having complaints over time of emails going out from him that are not him.
Connected via Exchange 2008 server using Outlook Mac 2011.
Exec put own AV on there...
Travels a lot and IT has nothing to do with his appliances.

Email instance examples - over 10 emails received by someone in his address book, repping time share/travel loc..
Email from him to others in address book about a deal closing.

Advice on other than ensuring Exchange server: I am wondering if something on the Mac is spoofing or set up as an SMTP server?

Any suggestions on best course to address? Bullet list please would be great. Thanks.

Brian B (EE Topic Advisor, Independent Technology Professional) Commented:
Are you sure the emails are actually originating from his machine? Check the originating IP in the message headers. A spammer may just be forging his return address.

Have someone on the network team check the firewall for any SMTP traffic originating from his system. (In normal circumstances, your firewall shouldn't allow SMTP traffic out from anywhere except authorized servers)

Check the Exchange logs to see if those messages really came from his system.

You said he has AV on there, but make sure it is up to date and run a full scan.
dee30 (Author) Commented:
I can hardly ever get original emails attached and sent to me in a format that allows me to see header info. When I do, they are not originating from our server. I have the server not allowed to send unless specific IPs like nw fax machines etc... I will look again at all above suggestions. Let me know of anything else... Thx

It is extremely unlikely the e-mails are originating from the Mac. Brian B's suggestion that the reply address is being spoofed is most likely.

You can run Little Snitch on the Mac to see if there are any unwanted outgoing network connections.

But, really, you need to get one or two of the original e-mails complete with full headers.

dee30 (Author) Commented:
Wait, I may have described the instance wrong because I just got some more detail and an email with actual header info visible.
The emails show as coming from a reputable hotel and apologizing for accidentally requesting feedback about a stay (C level never stayed here). "Please contact us if any questions". It says "Dear C-Level Exec's name". This was received 10+ times by a business contact in said C-level exec's address book. They emailed him about it and he in turn emailed me. I reached out to the recipient and asked that they forward the email to me for review. They deleted the others but kept one and forwarded it to me as an attachment, and that is why I can see it and the header.

I changed the domain literal name around and recipient for identity reasons...

Received: from ( by ( with Microsoft SMTP Server id;
 Wed, 29 Apr 2015 18:46:14 -0400
Received: from ( []) by; Wed, 29 Apr 2015 18:46:10 -0400
Received: from ( by id
 h85fj41vu703 for <>;Wed, 29 Apr 2015 18:46:10 -0400
 (envelope-from <>)
From: Wyndham Vacation Rentals <>
To: "john doe" <>
Subject: Please accept our apology for email Tell Us About Your Stay
Thread-Topic: Please accept our apology for email Tell Us About Your Stay
Thread-Index: AQHQgs5Lxg9uZvOZ+EmqAxkIMTE9oA==
Date: Wed, 29 Apr 2015 22:45:49 +0000
Message-ID: <3F3D2E8197A6A58FD92D32C6BA4A061496DE1A1B@SR1PVWAPP05>
List-Unsubscribe: <>
Reply-To: ""
Content-Language: en-US
MIME-Version: 1.0
Content-Type: multipart/alternative;

The mail seems to have originated from in Sterling, Virginia. See:
They seem like a spammer platform.  They either messed up their mass mailings or they've got someone else injecting spam through their system.
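
The header check suggested earlier in this thread, worked through in Python on a constructed message; this is an added example, not part of any participant's post. All hostnames, IP addresses and the `TRUSTED`, `INTERNAL` and `ORG_OUTBOUND` values are assumptions for illustration: it walks the `Received` lines newest-first, trusts only those stamped by the recipient's own servers, and reports the first outside host that handed the message over.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (example domains, documentation IPs), not the thread's message.
RAW = (
    "Received: from mx.recipient.example (10.0.0.5) by mbx.recipient.example (10.0.0.6)"
    " with Microsoft SMTP Server; Wed, 29 Apr 2015 18:46:14 -0400\n"
    "Received: from out.bulkmailer.example (out.bulkmailer.example [203.0.113.25])"
    " by mx.recipient.example; Wed, 29 Apr 2015 18:46:10 -0400\n"
    "Received: from app05 (192.0.2.77) by out.bulkmailer.example id abc123;"
    " Wed, 29 Apr 2015 18:46:10 -0400\n"
    "From: Hotel Brand <stay@hotel.example>\n"
    "Reply-To: <reply@bulkmailer.example>\n"
    "Subject: Please accept our apology\n\nbody\n"
)
# Assumed values: the recipient's own servers and LAN, and the sender org's outbound range.
TRUSTED = {"mx.recipient.example", "mbx.recipient.example"}
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
ORG_OUTBOUND = [ipaddress.ip_network("198.51.100.0/28")]

HOP = re.compile(r"from\s+(\S+)(.*?)\sby\s+([^\s;]+)", re.S)
IPV4 = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def handoff(msg):
    """Walk Received newest-first; return (host, ip) where a trusted server took the
    message from outside. Lines below that point are sender-controlled."""
    for line in msg.get_all("Received", []):
        m = HOP.search(str(line))
        if not m or m.group(3) not in TRUSTED:
            break  # stamped by a server we cannot vouch for
        ips = IPV4.findall(m.group(2))
        ip = ipaddress.ip_address(ips[-1]) if ips else None
        if ip is not None and any(ip in net for net in INTERNAL):
            continue  # relay inside the recipient's own network
        return m.group(1), ip
    return None, None

def verdict(raw, org_outbound=ORG_OUTBOUND):
    msg = email.message_from_string(raw, policy=policy.default)
    host, ip = handoff(msg)
    from_dom = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
    reply_dom = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2]
    return {"handoff_host": host, "handoff_ip": str(ip) if ip else None,
            "via_org_servers": ip is not None and any(ip in n for n in org_outbound),
            "reply_to_differs": bool(reply_dom) and reply_dom != from_dom}
```

A `via_org_servers` value of `False` means the message did not reach the recipient through the organisation's outbound mail servers, which is the question the header review is meant to settle.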
dee30 (Author) Commented:
So basically a direct marketing (mass mail/spamming) company that messed up on their mailing and sent dups as well as mismatching "Attention C Level exec name" but to an email address that is in said C-level exec's address book? I'm not sure what, if anything, can be done and how to explain this?

It could be caused by a trojan on someone else's computer which sends e-mails to people in that person's address book, spoofing the return address from a different contact in the same address book, too.

Unless your user is using as their ISP or Mail provider, these mails do not likely come from your user's computer.
You could make a complaint to the "abuse" mailbox in the link I sent you earlier. (
dee30 (Author) Commented:
Thank you. Reported and assigning points; moving on from this topic... :)