User receives NDR report of email that he hasn't sent or not found in sent items. Exchange tracking and Mail GW show trace that user sent the mail.

I believe one of our users' email addresses has been spoofed, because he is receiving non-delivery reports for mails he hasn't sent and that don't exist in his mailbox's "Sent Items". Although annoying, I think that's pretty harmless.

However, what feels alarming to me is that our messaging gateway shows the attempt to send such messages, and I can even find them using the Exchange 2010 Server tool Message Tracking.
What's common to these mails is that at the start of the subject line it says "Unread:" (or "Not read"; I don't know the term in English because we have a different locale) before the actual heading.
Should I be alarmed about this, or is this expected behavior when someone receives NDR reports of emails that they have not sent?
Timo V Asked:
Pete Long (Technical Consultant) Commented:
>> I can even find them using Exchange 2010 Server tool Message Tracking.

I'm assuming you mean the original message that produced the NDR? Check that this user's machine has no adware/viral infections on it.

Michael B. Smith (Exchange & Active Directory Expert) Commented:
And if the user's machine is clean, you should be able to use message tracking to find the source IP address from whence the message originated.
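
An added example, not part of the original thread: one way to pull the origin of the tracked messages in the Exchange Management Shell on Exchange 2010. The sender address and the seven-day window are assumed placeholder values.

```powershell
# Run in the Exchange Management Shell (Exchange 2010).
# Assumptions: the address and time window below are placeholders, not values from the thread.
$senderAddress = 'user@example.com'
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Each transport server keeps its own tracking log, so query all of them.
$events = Get-TransportServer | ForEach-Object {
    Get-MessageTrackingLog -Server $_.Name -Sender $senderAddress `
        -Start $start -End $end -ResultSize Unlimited
}

# RECEIVE events record how a message entered transport:
#   Source = STOREDRIVER -> submitted from a mailbox (ClientIp is the mailbox server)
#   Source = SMTP        -> handed in over SMTP by the host in ClientIp
$received = $events | Where-Object { $_.EventId -eq 'RECEIVE' }

# Summarise the entry points: an unexpected SMTP ClientIp stands out here.
$received |
    Group-Object Source, ClientIp, ClientHostname |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# List the individual messages so they can be matched against the NDRs
# by subject and Message-ID.
$received |
    Sort-Object Timestamp |
    Select-Object Timestamp, Source, ClientIp, ClientHostname, ConnectorId,
                  MessageSubject, MessageId |
    Format-Table -AutoSize -Wrap
```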
David Johnson, CD, MVP (Owner) Commented:
One can save a reply to the folder that had the original message. Does the source IP point to the user's computer?
Timo V (Author) Commented:
I think this article describes what has happened.

But still it feels weird that I can't find any trace of these emails being received by our mail gateway or Exchange server.

Symantec full scan didn't find anything and yes, the IP points to the user's computer.
Michael B. Smith (Exchange & Active Directory Expert) Commented:
Checking for viruses/malware and verifying the source IP are the two best places to start with this problem.