Customer receiving kickback emails for messages she did not send

Hi everyone,
I have a client who is receiving kickback messages for email that she did not send. At one time she was receiving a ton of these messages. I ran virus and malware scans on her PC and did some general cleanup. Since then the amount of kickbacks she is receiving is dramatically less, but she is still getting a few every day. My fear is that someone is using her email address to send spam and that it will eventually get the whole company blacklisted. She is the only one in the organization that is having this problem. She is using Outlook 2010 and their Exchange version is 2010 also. I am not too knowledgeable when it comes to troubleshooting problems like this, so I am hoping one of you experts can help me out. Here is the content of one of the kickback messages:
#< #5.1.10 smtp;550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup> #SMTP#
Original message headers:
Received: from ( by ( with Microsoft SMTP
 Server (TLS) id; Wed, 29 Apr 2015 19:18:29 +0000
Received: from (2a01:111:f400:7c10::1:199) by (2a01:111:e400:2a::37) with Microsoft
 SMTP Server (TLS) id via Frontend Transport; Wed, 29 Apr 2015
 19:18:29 +0000
Authentication-Results: spf=none (sender IP is;; dkim=none (message not signed)
Received-SPF: None ( does not designate
 permitted sender hosts)
Received: from ( by ( with Microsoft SMTP
 Server (TLS) id via Frontend Transport; Wed, 29 Apr 2015 19:18:29
Received: from (
 []) by; Wed, 29 Apr 2015 15:18:26
Received: from ([]) by        (mary) with
 ESMTPA (Nemesis) id EvlW3R-8AzJYEunft-3CQD4z for
        <>; Wed, 29 Apr 2015 14:18:31 -0600
Message-ID: <>
Date: Wed, 29 Apr 2015 14:18:31 -0600
From: mary <>
MIME-Version: 1.0
Subject: Unusual activity in your American Express
To: <>
X-MC-Unique: zbZ5Ab52SrOuRBLQeImhSA-1
Authentication-Results:; spf=none (spfCheck: is neither permitted nor denied by domain of client-ip=;;;
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:;CTRY:US;IPV:NLI;EFV:NLI;
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR02MB505;
Content-Type: multipart/alternative;

Does your client ever log into her mail through a web interface?  A common problem is staying logged in to webmail and then browsing the internet and hitting something that will send mail through the open email account.

Have you changed the password for the account?
*** Hopeleonie *** (IT Manager) Commented:
The User must change her password. Did you try that?
mboudreaux (Author) Commented:
She doesn't check her email on a website but does access it through an iPhone. And yes, I did change her password yesterday afternoon. She did receive another kickback message since I did that. Thanks for the replies.

I would have hoped that you obscured the person's actual email address for purposes of posting here.

Based on the Subject: Unusual activity in your American Express I would immediately jump to the conclusion that your user's email address has been used as the sender address in a phishing campaign. It's very easy for someone to pretend that a mail has been sent by any given email address and this is often done in an attempt to improve the optics of phishing email. Because they are labeled as coming from someone the recipient presumably trusts, the chances are increased that the email will be opened and the crucial link will be clicked on.

Unfortunately, the way email systems exist today provides very little remedy for this kind of scamming. Spreading the knowledge that this can happen is good and may help ameliorate the reputation damage.

The fact that the email bounced, in this case, means that this particular email can have done no harm. But there are undoubtedly other emails that did not bounce, and you can't learn who those recipients are in order to control damage.

Administrators who blacklist domains based on phishing expeditions are just shooting themselves in the foot. It won't stop the phishing more than temporarily and will likely prevent legitimate communications.
mboudreaux (Author) Commented:
So basically there's no real way to stop it except for maybe changing her email address?
I'm trying to understand part of your response as I've run into this situation numerous times before and expect to run into it again.  The more I know about this, the better I am prepared to deal with it in the future.

In particular "your user's email address has been used as the sender...  very easy for someone to pretend..."

If I understand those comments properly, you are suggesting the possibility that someone is sending emails that  have Mary's email address as the sender but that they were not actually sent by her and (here is the important part) they were not actually sent through that email account.  I recognize this possibility, but would not have expected the rejection to get back to Mary under those circumstances since it was not really sent through her account.

If the email was sent through Mary's account (but not by her personally) I can imagine three scenarios:
1)   Someone has taken over her email program on her computer or iPhone and sent the messages from there
2)   Someone has her email password and is sending the mail through her account but not necessarily through one of her devices.  Changing her password should have resolved this unless there is still a rogue program on her computer that could monitor such a change.
3)  Someone has figured out how to send mail through her account at her email server without her password.  I would expect that any halfway respectable email server wouldn't allow this.

Please let me know if any of my suppositions are wrong or if my logic is faulty.
The three scenarios you outline would indeed be issues of concern. These situations are alarming because of those possibilities, but - most often - the sender impersonation happens without any compromise of the sender's email account.

To get the answer, you have to look at the headers of the failed message (not the headers of the Failed-Delivery-Report itself, which were supplied here). Usually you can spot the improper sender's IP address (but the improper sender may also be an innocent PC that's been zombified) if you analyze the chain of Received: headers. If all of the Received: headers look proper, you may indeed have a compromised email account.

Yes, most respectable email servers do not allow relay (your number 3). But anyone can put an email server on the internet and improperly configured ones can be discovered and exploited without any particular bad intent on the part of the owner of the mail relay.

Given the existence of open relays, all you have to do to impersonate someone is to give their email address at the right spot in the SMTP conversation on port 25.

But a Failed-Delivery-Notice goes back to the stated sender, which is how you discover that your email name has been spoofed.
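
The Received-chain check described in the answer above, as an added example that is not part of the original thread: it walks the hops in a bounced message's headers and reports whether any hop came from the organization's own mail servers. The sample headers, host names, the `ORG_NETS` range and the verdict strings are constructed assumptions.

```python
import email
import ipaddress
import re

# Constructed samples: headers as they appear under "Original message
# headers:" in a bounce. Hosts and IPs are documentation placeholders.
SPOOFED = """\
Received: from mx.recipient.example (198.51.100.7) by edge.recipient.example
 with SMTP; Wed, 29 Apr 2015 19:18:29 +0000
Received: from unknown-host.example ([203.0.113.45]) by mx.recipient.example
 with ESMTPA; Wed, 29 Apr 2015 14:18:31 -0600
From: mary <mary@corp.example>
"""
VIA_OWN_SERVER = """\
Received: from mx.recipient.example (198.51.100.7) by edge.recipient.example
 with SMTP; Wed, 29 Apr 2015 19:18:29 +0000
Received: from exch01.corp.example ([192.0.2.10]) by mx.recipient.example
 with ESMTP; Wed, 29 Apr 2015 14:18:31 -0600
From: mary <mary@corp.example>
"""
# Assumption: the organization's outbound mail servers use this range.
ORG_NETS = [ipaddress.ip_network("192.0.2.0/24")]

HOP = re.compile(r"from\s+(\S+)\s+\(?\[?([0-9A-Fa-f.:]+)\]?\)?\s+by\s+(\S+)")

def received_chain(raw):
    """Return hops oldest-first as (from_host, from_ip, by_host)."""
    msg = email.message_from_string(raw)
    hops = []
    # Each server prepends its header, so the file order is newest-first.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # parenthesised text was not an IP literal
        hops.append((m.group(1), ip, m.group(3)))
    return hops

def classify(raw):
    """Return (verdict, origin_ip) for one bounced message's headers."""
    hops = received_chain(raw)
    if not hops:
        return ("no-parsable-hops", None)
    touched_org = any(ip in net for _, ip, _ in hops for net in ORG_NETS)
    verdict = "passed-through-org-server" if touched_org else "never-touched-org-server"
    return (verdict, str(hops[0][1]))
```

Received lines below the first hop written by a server you trust are supplied by the sending side and can be forged, so a "passed-through-org-server" verdict should be confirmed against the Exchange message tracking logs before treating the account as compromised.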
