Mac email spoofing?

Okay, situation where a C-level exec has a Mac bought and put on the network without IT involvement. (Yes, I know...)
Repeatedly having complaints over time of emails going out from him that are not from him.
Connected via an Exchange 2008 server using Outlook for Mac 2011.
iPad
iPhone
Exec put his own AV on there...
Travels a lot, and IT has nothing to do with his appliances.

Email instance examples - over 10 emails received by someone in his address book, representing a time share/travel location...
Email from him to others in his address book about a deal closing.
etc...

Other than checking the Exchange server, I am wondering if something on the Mac is spoofing or set up as an SMTP server?

Any suggestions on the best course to address this? A bullet list would be great. Thanks.
dee30 asked:
Brian B, EE Topic Advisor, Independent Technology Professional, commented:
Are you sure the emails are actually originating from his machine? Check the originating IP in the message headers. A spammer may just be forging his return address.

Have someone on the network team check the firewall for any SMTP traffic originating from his system. (In normal circumstances, your firewall shouldn't allow SMTP traffic out from anywhere except authorized servers)

Check the Exchange logs to see if those messages really came from his system.

You said he has AV on there, but make sure it is up to date and run a full scan.
0

dee30 (Author) commented:
I can hardly ever get the original emails attached and sent to me in a format that allows me to see the header info. When I do, they are not originating from our server. I have the server set to not allow sending unless from specific IPs, like network fax machines, etc... I will look again at all the above suggestions. Let me know of anything else... Thx
0
strung commented:
It is extremely unlikely the e-mails are originating from the Mac. Brian B's suggestion that the reply address is being spoofed is most likely.

You can run Little Snitch http://www.macupdate.com/app/mac/10426/little-snitch on the Mac to see if there are any unwanted outgoing network connections.

But, really, you need to get one or two of the original e-mails complete with full headers.
0

dee30 (Author) commented:
Wait, I may have described the instance wrong, because I just got some more detail and an email with the actual header info visible.
The emails show as coming from a reputable hotel, apologizing for accidentally requesting feedback about a stay (the C-level exec never stayed there). "Please contact us if any questions." It says "Dear <C-level exec's name>". This was received 10+ times BY A business contact in said C-level exec's address book. They emailed him about it and he in turn emailed me. I reached out to the recipient and asked them to forward the email to me for review. They deleted the others but kept one and forwarded it to me as an attachment, and that is why I can see it and the header.

I changed the domain literal name and the recipient for identity reasons...

Received: from us-smtp-1.mimecast.com (205.139.110.120) by
 123Exchange.main.com (10.100.1.180) with Microsoft SMTP Server id 14.3.181.6;
 Wed, 29 Apr 2015 18:46:14 -0400
Received: from smtp243.knotice.com (smtp243.knotice.com [128.121.15.243]) by
 us-mta-34.us.mimecast.lan; Wed, 29 Apr 2015 18:46:10 -0400
Received: from www.knotice.com (10.0.2.115) by smtp243.knotice.com id
 h85fj41vu703 for <johnd@company.com>;Wed, 29 Apr 2015 18:46:10 -0400
 (envelope-from <vacation@email.wyndhamvacationrentals.com>)
From: Wyndham Vacation Rentals <vacation@email.wyndhamvacationrentals.com>
To: "john doe" <johnd@company.com>
Subject: Please accept our apology for email Tell Us About Your Stay
Thread-Topic: Please accept our apology for email Tell Us About Your Stay
Thread-Index: AQHQgs5Lxg9uZvOZ+EmqAxkIMTE9oA==
Date: Wed, 29 Apr 2015 22:45:49 +0000
Message-ID: <3F3D2E8197A6A58FD92D32C6BA4A061496DE1A1B@SR1PVWAPP05>
List-Unsubscribe: <mailto:vacation.7943539N55719N92418@email.wyndhamvacationrentals.com>
Reply-To: "vacation.7943539N55719N92418@email.wyndhamvacationrentals.com"
      <vacation.7943539N55719N92418@email.wyndhamvacationrentals.com>
Content-Language: en-US
X-MS-Exchange-Organization-AuthSource: 123Exchange.main.com
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
MIME-Version: 1.0
Content-Type: multipart/alternative;
      boundary="_000_3F3D2E8197A6A58FD92D32C6BA4A061496DE1A1BSR1PVWAPP05_"
0
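Brian B's first step above (check the originating IP in the Received: headers rather than trusting the From: line) can be applied to the header block just posted. The following is an added example, not code from this thread or from any participant. It walks the Received: chain from the organisation's own server outward and reports where the message first entered infrastructure the organisation controls; everything stamped below that point was written by a third party and cannot be verified. The list of trusted relay domains (the Exchange host's domain plus Mimecast) and the internal address range 10.100.0.0/16 are assumptions for the sake of the example, chosen to match the hostnames and the Exchange server address 10.100.1.180 visible in the posted headers.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Header block copied from the forwarded message posted above (the original
# poster had already altered the domain and recipient). The body and the
# remaining headers are omitted; the blank line terminates the header block.
SAMPLE_HEADERS = """\
Received: from us-smtp-1.mimecast.com (205.139.110.120) by
 123Exchange.main.com (10.100.1.180) with Microsoft SMTP Server id 14.3.181.6;
 Wed, 29 Apr 2015 18:46:14 -0400
Received: from smtp243.knotice.com (smtp243.knotice.com [128.121.15.243]) by
 us-mta-34.us.mimecast.lan; Wed, 29 Apr 2015 18:46:10 -0400
Received: from www.knotice.com (10.0.2.115) by smtp243.knotice.com id
 h85fj41vu703 for <johnd@company.com>;Wed, 29 Apr 2015 18:46:10 -0400
 (envelope-from <vacation@email.wyndhamvacationrentals.com>)
From: Wyndham Vacation Rentals <vacation@email.wyndhamvacationrentals.com>
To: "john doe" <johnd@company.com>
Subject: Please accept our apology for email Tell Us About Your Stay
Reply-To: "vacation.7943539N55719N92418@email.wyndhamvacationrentals.com"
      <vacation.7943539N55719N92418@email.wyndhamvacationrentals.com>
Message-ID: <3F3D2E8197A6A58FD92D32C6BA4A061496DE1A1B@SR1PVWAPP05>

"""

# ASSUMED: hosts the organisation runs or contracts (its Exchange server and its
# Mimecast filtering service). A Received: line stamped *by* one of these hosts
# is trustworthy; one stamped by any other host was written by an outsider.
TRUSTED_SUFFIXES = ("main.com", "mimecast.com", "mimecast.lan")
# ASSUMED: the organisation's own address space (the Exchange server is 10.100.1.180).
INTERNAL_NETS = [ipaddress.ip_network("10.100.0.0/16")]

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s*by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ENVELOPE_RE = re.compile(r"envelope-from\s*<([^>]+)>")


def is_trusted(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def parse_hops(raw_headers):
    """Return the Received: hops in header order, i.e. most recent hop first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        ip = IP_RE.search(m.group("paren") or "")
        env = ENVELOPE_RE.search(text)
        hops.append({
            "from_host": m.group("helo"),
            "from_ip": ip.group(1) if ip else None,
            "by_host": m.group("by").rstrip(";"),
            "envelope_from": env.group(1) if env else None,
        })
    return hops


def find_entry_point(hops):
    """First hop where a trusted host received the mail from an untrusted one.
    That sender's IP is the best-attested origin; later hops are unverifiable."""
    for i, hop in enumerate(hops):
        if is_trusted(hop["by_host"]) and not is_trusted(hop["from_host"]):
            return i, hop
    return None, None


def originated_internally(hops):
    """True only if a *trusted* relay received the mail from one of our own
    addresses. A private IP in an outsider-stamped hop (10.0.2.115 below) is
    the outsider's LAN, not ours, and is deliberately ignored."""
    for hop in hops:
        if not is_trusted(hop["by_host"]) or not hop["from_ip"]:
            continue
        if any(ipaddress.ip_address(hop["from_ip"]) in n for n in INTERNAL_NETS):
            return True
    return False


def analyze(raw_headers):
    msg = message_from_string(raw_headers)
    hops = parse_hops(raw_headers)
    idx, entry = find_entry_point(hops)
    header_from = parseaddr(" ".join(msg.get("From", "").split()))[1].lower()
    reply_to = parseaddr(" ".join(msg.get("Reply-To", "").split()))[1].lower()
    envelope_from = next((h["envelope_from"] for h in hops if h["envelope_from"]), "").lower()
    same_domain = bool(envelope_from) and header_from.rsplit("@", 1)[-1] == envelope_from.rsplit("@", 1)[-1]
    return {
        "hop_count": len(hops),
        "entry_host": entry["from_host"] if entry else None,
        "originating_ip": entry["from_ip"] if entry else None,
        "unverifiable_hops": hops[idx + 1:] if entry else hops,
        "internal_origin": originated_internally(hops),
        "header_from": header_from,
        "envelope_from": envelope_from or None,
        "reply_to": reply_to or None,
        "from_domain_matches_envelope": same_domain,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

For the posted headers this reports that the message entered the organisation at Mimecast from smtp243.knotice.com (128.121.15.243), that no trusted relay ever received it from an internal address, and that the header From:, envelope sender and Reply-To all sit in the same wyndhamvacationrentals.com sending domain. Nothing in the chain touches the exec's Mac or the organisation's Exchange server as a sender; the exec's name appears only in the body. The same walk is what to do with any future sample: only the hops stamped by your own relays can be believed, so always collect the original message with full headers rather than a quoted copy.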
strung commented:
The mail seems to have originated from Knotice.com in Sterling, Virginia. See: http://whois.domaintools.com/knotice.com
0
serialband commented:
They seem like a spammer platform.  They either messed up their mass mailings or they've got someone else injecting spam through their system.  https://en.wikipedia.org/wiki/Knotice
0
dee30 (Author) commented:
So basically a direct marketing (mass mail/spamming) company that messed up their mailing and sent dups, as well as a mismatched "Attention <C-level exec name>", but to an email address that is in said C-level exec's address book? I'm not sure what, if anything, can be done, or how to explain this?
0
strung commented:
It could also be caused by a trojan on someone else's computer which sends e-mails to people in that person's address book, spoofing the return address of a different contact in the same address book.

Unless your user is using Knotice.com as their ISP or Mail provider, these mails do not likely come from your user's computer.
0
strung commented:
You could make a complaint to the "abuse" mailbox in the link I sent you earlier. (abuse@enom.com)
0
dee30 (Author) commented:
Thank you. Reported, and assigning points; moving on from this topic... :)
0