Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Reading Mail Header

Status
Not open for further replies.
Davetoo

Davetoo

IS-IT--Management
Oct 30, 2002
4,498
US
I have a user, user1, that appears to be receiving emails from another user, user2. However, user2 is not sending them, and this is backed up by the fact that these emails are not showing up in user2's sent folder. User2 is a manager, so I'm convinced he's not sending them.

I had user1 attach the emails to me so I could look at the Internet header (open email, view/options using Outlook 2000). When I do this, the Internet header info block is blank.

Now, doesn't this mean that this email originated within my Exchange server and didn't traverse the Internet? If that's true, then what should I be looking for as far as finding the source of these emails?

TIA

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
Sort by date Sort by votes
Another twist I just discovered. The email address from user2 is not the correct address for this user. We changed his email address a few months ago because of the amount of spam he was getting, and this email was sent using the old address. I tested by sending an email to this addy and it was undeliverable.

BTW, the email is spam, it's an ad for pills.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
Upvote 0 Downvote
Sounds like maybe your server is open for relay.

In Exchange Manager, expand your organization, admin group, server, protocols, and smtp. Right click on the SMTP server you're using and go to properties. Go to the access control tab, and make sure 'Only the list below' is selected. Then add any machines on your network that need to send mail (other exchange servers, unix/linux servers) to that list.

Marc Creviere
 
Upvote 0 Downvote
Thanks for the reply.

The Exchange server is "locked down" properly, not open for relaying.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
Upvote 0 Downvote
Are you up to date on patches (specifically the recent RPC vulnerabilities) and virus scan? I've not heard of anything specific that would cause this, but the fact that there were no headers indicates that it did in fact originate from your exchange server. You might try tracking the message using your exchange system manager (assuming tracking's enabled) to see if that has any useful information.

The address for user2, did it resolve to a friendly name or is it showing the actual fully qualified address? If user1 double-clicks it, does it show the same address in the display name and e-mail address?

Marc Creviere
 
Upvote 0 Downvote
Likely someone somewhere has your user's old email address listed in his/her address list and then became infected with one of these viruses (or is it viri?) that spoofs the return address with an address randomly selected from the victim's personal address list and sends it to other addresses listed there. Thus the message appears to have come from your user.

Since there was no header information, I would suspect someone within your network has (or had) such a virus and has your user's old email address still in his/her personal address list. If this is true and if you keep anti-virus up to date on your Exchange Server, then the virus would likely have come from the victim using his/her work computer to access personal mail on AOL, Hotmail, etc.

The really irritating part about this scenario is that you can receive complaints from people outside your organization that think that your users have sent them virus-laden messages, yet there is nothing you can do because it didn't really come from your user in the first place.

Hope this helps.
 
Upvote 0 Downvote
Marc - Yes, fully patched, and running Symantecs Corp, which is up-to-date both on file server as well as Exchange Server. I don't have message tracking on, downloaded the instructions on how to do that, but I'm not sure if it will reveal what I need. The address did not resolve to a friendly name for user2. However, there is a third user, user3, that is doing the identical thing as user2 to user1 (sorry if this is getting confusing). User3's email did resolve to it's friendly name in my org. The weird part is user3 has now reported that they've been receiving identical emails from user1, but user1 isn't sending them. User1's anti-virus is up-to-date, user2 and user3 are all protected by our corporate antivirus, which updates daily.

I don't really suspect a virus simply because the email that is being sent is spam, it's an ad for purchasing pills across the Internet. But, I could be wrong. It doesn't seem to be affecting anything adversly, just an annoyance I'd like to track down and solve.

Thanks (so far! ;-) )

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

T
  • Locked
  • Question
How to use third party mail security gateway to scan internal/inter-domain mails in Exchange On-Premise?
Replies
3
Views
951
DrB0b
DrB0b
DrB0b
  • Locked
  • Question
Moved to 365 in cloud, cannot get iPhones default mail app to connect
Replies
2
Views
1K
Priyanka_Chauhan
Priyanka_Chauhan
BroBias
  • Locked
  • Question
mailbox databases dismounting frequently without followable reason
Replies
1
Views
1K
BroBias
BroBias
IcarusHallsorts
  • Locked
  • Question
VBA to create output file of headers of selected emails
Replies
0
Views
1K
IcarusHallsorts
IcarusHallsorts
david jackson
  • Locked
  • Question
Extract only the subject and recipients from a mailbox
Replies
0
Views
1K
david jackson
david jackson

Part and Inventory Search

Sponsor

Back
Top