User's email address is being spoofed.


The email address of a user of ours is routinely being spoofed by spammers.

Is there a report in the Office 365 portal to let us see the IP address of the computer that used her email to send?

If yes, please advise what to click in order to run that report.

Who is Participating?
Mal OsborneConnect With a Mentor Alpha GeekCommented:
Sounds like you need to look at implementing an SPF record.

This is a record in DNS, which specifies the IP addresses that email from your domain is expected to be sent from.  The receiving mail server can then then check, and see if it matches. This is a common form of antispam.

When spammers send spam, they usually impersonate a legitimate email address, as you are seeing. Impersonating  an email address that is backed by an SPF record could still be done, however it would mean a lot of the spam would not get to its destination. Hence, spammers usually pick an email address without an SPF record.

Having an SPF record will also mean that legitimate email you send will tend to not be accidentally blocked as spam.  SPF is pretty simple, provided you can figure out all of the IP addresses that should send email for your domain.

More on SPF here:
Todd NelsonConnect With a Mentor Systems EngineerCommented:
If you have one of the emails, you should be able to grab that information from the message headers.
Dr. KlahnConnect With a Mentor Principal Software EngineerCommented:
Is there a report in the Office 365 portal to let us see the IP address of the computer that used her email to send?

If the spam is not coming out of your network, then no.  You need at least one -- preferably a large selection -- of the offending emails to examine the origination headers.  That information may not be useful, though.

If the origination header shows "" to "192.168.0.yyy" and so on, all you know is that the email originated inside somebody's LAN.  Email routing headers can be, and are generally, spoofed in spam.

If you get a set of matching origination headers from trackable IPs, it still may not do any good.  Spoofed spam emanating from Russia, Africa, the Middle East or the Far East is not stoppable.

What you can do:  If your MTA and MX setup does not include SPF keys, DKIM and DMARC - then you should set them up.  This will take care of the problem at sites which check these anti-spam features.
Olgierd UngehojerConnect With a Mentor Senior Network AdministratorCommented:
The most of the time IPs are different with every single email. You have to change password and then check what user has infected computer. After cleaning you can use this email address again.
Dr. KlahnPrincipal Software EngineerCommented:
EE requested stale question closure.  All comments apposite and addressed the topic.  Points assigned according to the magnitude of the contribution.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.