My co-worker is receiving several Undeliverable emails, when she did not send any email to the recipients. How can that be?

Over the last few hours, a co-worker has received 5 emails, from different IP addresses, with the subject line:  "Undeliverable: any text here".

Related IP: 104.47.2.210
Related IP: 104.47.2.215
Related IP: 204.154.183.70
Related IP: 88.87.45.45
Related IP: 88.87.45.47

When I review the Exchange Server logs, there are no entries of her sending any email to the recipients.  

When I look at the complete Header of the emails, I see they originated in a country other than the US, then are routed through mail Servers in the US, then to her Inbox.

Her email address is the "Reply To" address.

How can I identify the problem here?
eemmpph Asked:
 
John, Business Consultant (Owner), Commented:
Thanks. It is likely spoofed email. I depend upon my spam filter to stop this. If the spam filter does not stop this, then just delete the return emails.
0
 
John, Business Consultant (Owner), Commented:
Check to see if the person's email address has been spoofed. This is very common and is normally caught by a good spam filter. Make sure the user's machine has not been compromised and is sending out spam.
1
 
eemmpph, Author, Commented:
How do I check to see if her email address has been spoofed?
0
 
eemmpph, Author, Commented:
What do I check for, to see if her computer has been compromised? What are the "signs" of a compromise?
0
 
John, Business Consultant (Owner), Commented:
You cannot check for spoofing but you can check thoroughly for viruses.
0
 
eemmpph, Author, Commented:
I do have Symantec Enterprise Protection running on her computer, which does a full system scan every night.
0
 
Jason Crawford, Transport Ninja, Commented:
What you're describing sounds like backscatter.  Your best bet will be to configure SPF, DKIM, and/or DMARC rDNS records and, if the NDRs are causing an issue for the recipient, possibly a transport rule to block NDRs containing the user in the Reply-To address.
1
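
An added example, not part of the original thread: one way to triage such a bounce is to read the original headers the NDR returns and look for a Received hop through your own mail servers. The sample NDR, the `example.com` names, and the function names are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample NDR; every host and address below is made up.
SAMPLE_NDR = """\
From: postmaster@mx.remote.test
To: user@example.com
Subject: Undeliverable: any text here
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.remote.test

Final-Recipient: rfc822; nobody@remote.test
Status: 5.1.1

--b1
Content-Type: text/rfc822-headers

Received: from unknown (198.51.100.7) by mx.remote.test; Mon, 1 Jan 2024 00:00:00 +0000
From: promo@spam.test
Reply-To: user@example.com

--b1--
"""

def returned_original(ndr):
    """Return the original message (or just its headers) carried in a bounce."""
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def triage_ndr(raw, user, our_mta_suffix):
    """Backscatter if no Received hop in the returned headers names our MTAs."""
    orig = returned_original(email.message_from_string(raw, policy=policy.default))
    if orig is None:
        return {"verdict": "unknown", "user_in": []}
    hops = " ".join(str(h) for h in orig.get_all("Received", [])).lower()
    hosts = re.findall(r"\b(?:from|by)\s+([\w.-]+)", hops)
    user_in = [h for h in ("From", "Reply-To", "Return-Path")
               if user.lower() in str(orig.get(h, "")).lower()]
    relayed = any(h.endswith(our_mta_suffix.lower()) for h in hosts)
    return {"verdict": "sent-via-us" if relayed else "backscatter", "user_in": user_in}
```

Received lines added before the message reached a server you trust can be forged, so treat the verdict as triage and confirm it against the Exchange message tracking logs.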
 
eemmpph, Author, Commented:
Thank you John, I appreciate it.
0
 
John, Business Consultant (Owner), Commented:
You are very welcome and I was happy to help you.
0
Question has a verified solution.