We have a single SBS 2008 server running Exchange, with around 10 local users all running Windows V7 64-bit Pro. We are using AVG for antivirus, and have Malwarebytes enterprise edition installed also.
Every few days we seem to get an e-mail apparently issued from one of our workers, i.e. from a genuine network user, to several of our clients.
The properties of the e-mail indicate that the e-mail originated from our public IP address, but we cannot find anything in the Sent Items folder for the user it is issued from.
I can see several e-mails in the Deleted Items folder for this user which indicate that some messages were undeliverable, but some are clearly getting through to the recipient, but I can't see any trace of these.
The undeliverable e-mail shows:
Diagnostic information for administrators:
Generating server: SBS2008.tgbdom.local
gweu3c.linde.com #550 #5.1.0 Address rejected. ##
Original message headers:
Received: from SBS2008.ourdomain.local ([fe80::415b:f737:c0e7:3927]) by
SBS2008.ourdomain.local ([fe80::415b:f737:c0e7:3927%10]) with mapi; Mon, 7 Sep
2015 12:41:00 +0100
From: malcolm surname <email@example.com>
To: "Simon.firstname.lastname@example.org" <Simon.email@example.com>, "firstname.lastname@example.org"
<email@example.com>, "firstname.lastname@example.org" <email@example.com>,
Date: Mon, 7 Sep 2015 12:40:48 +0100
Subject: Yours invoice-39829unsqc
Thread-Topic: Yours invoice-39829unsqc
The e-mail has a .zip attachment, which I presume is a virus.
How do we identify how this is being delivered, and how do we go about stopping it?