in house admin emails from unknown source

blubomber (MIS, US; joined Dec 27, 2001; 241 posts)
I am running Exchange 2003 with SP2. In the past I have gotten those random emails that claim to be from admin@mycompany.com or similar, which wind up either going to a user's box or just being recorded in the logs as going to bob@mycompany.com.

Recently it has gotten more specific and is targeting more users' emails, such as janed@mycompany.com. When I use the message tracking feature built into Exchange, the first line entry is "SMTP: Message Submitted to Advanced Queuing", which does not follow the norm for in-house emails. The normal first line I am used to seeing is "SMTP: Store Driver; Message submitted from store".

Could the server be infected with a virus, trojan or some spyware? All other email is flowing normally. I am also running McAfee Total Protection for Small Business.

Thank you for any help in troubleshooting this issue.
 
Besides tracking, did you check the header manually?

It will probably reveal that it originates from the 'outside'.

Marc
If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all.
Free Tip: The F1 Key does NOT destroy your PC!
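The manual header check Marc suggests, as an added example that is not part of the original thread: walk the Received: lines from the top (the hop our own server wrote) downward and report the first peer address that is not one of our hosts. Everything beneath that line was written by the sender and can be forged. The sample headers are constructed for illustration; the external IP and reverse name are taken from the trace later in the thread, while the internal hostnames and the trusted networks are assumptions.

```python
"""Added example: find the originating IP in Received: headers.

Not code from the thread. The trusted networks, internal hostnames and the
sample message below are assumptions/constructed; only 24.185.51.87 and its
reverse name come from the trace posted in the thread.
"""
import ipaddress
import re
from typing import List, Optional

# Assumed: address space of our own mail hops. A Received: line whose peer
# falls in here was written by infrastructure we control, so keep walking.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("172.20.0.0/16"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# The bracketed literal is the TCP peer the receiving MTA actually saw.
IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: our server -> our gateway -> external cable host,
# followed by a forged Received: line claiming an internal origin.
SAMPLE_HEADERS = """\
Received: from mail.mycompany.com ([172.20.0.5]) by exch01.mycompany.com
  with Microsoft SMTPSVC
Received: from ool-18b93357.dyn.optonline.net ([24.185.51.87]) by
  mail.mycompany.com with Microsoft SMTPSVC
Received: from admin.mycompany.com ([192.168.1.10]) by localhost
From: admin@mycompany.com
To: janed@mycompany.com
Subject: Message for Jane
"""


def unfold_headers(raw: str) -> List[str]:
    """Join folded continuation lines (those starting with space or tab)."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_ips(raw: str) -> List[str]:
    """Peer IP of every Received: line, top (last hop) to bottom (first hop)."""
    ips: List[str] = []
    for header in unfold_headers(raw):
        if header.lower().startswith("received:"):
            match = IP_LITERAL.search(header)
            if match:
                ips.append(match.group(1))
    return ips


def originating_ip(raw: str) -> Optional[str]:
    """First peer, walking outward from our server, that is not ours.

    This is the last address we can vouch for; lines beneath it were supplied
    by that peer and prove nothing.
    """
    for ip in received_ips(raw):
        if not any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETWORKS):
            return ip
    return None  # every hop was internal: the mail really was submitted inside


def bottom_received_ip(raw: str) -> Optional[str]:
    """What a naive 'read the last Received: line' check reports.

    Here it returns the forged 192.168.1.10, which would wrongly suggest an
    infected internal machine.
    """
    ips = received_ips(raw)
    return ips[-1] if ips else None


if __name__ == "__main__":
    print("origin as seen by our MTAs:", originating_ip(SAMPLE_HEADERS))
    print("bottom line claims:        ", bottom_received_ip(SAMPLE_HEADERS))
```

Running it on the constructed message reports 24.185.51.87 as the origin while the bottom-most line claims an internal address; that contrast is the reason to start from the top and stop at the first untrusted hop rather than trusting whatever the sender wrote.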
 
OK, I checked the email header and got this IP address, 24.158.51.87. Here is the tracert lookup:

Tracing route to ool-18b93357.dyn.optonline.net [24.185.51.87]
over a maximum of 30 hops:

1 1 ms <1 ms <1 ms 172.20.x.x
2 7 ms 6 ms 6 ms 63-192-x-x [63.192.x.x]
3 7 ms 6 ms 6 ms dist2-vlan60.renonv.sbcglobal.net [63.201.16.134]
4 7 ms 6 ms 6 ms bb1-g2-3-0.renocs.sbcglobal.net [63.201.16.17]
5 7 ms 13 ms 12 ms 151.164.43.176
6 13 ms 12 ms 13 ms core1-p4-0.crscca.sbcglobal.net [151.164.40.57]
7 25 ms 25 ms 28 ms core1-p11-0.cranca.sbcglobal.net [151.164.242.82]
8 26 ms 25 ms 25 ms bb1-p8-0.cranca.sbcglobal.net [151.164.40.94]
9 26 ms 28 ms 26 ms ex1-p15-0.eqlaca.sbcglobal.net [151.164.41.29]
10 26 ms 26 ms 26 ms ex2-p9-0.eqlaca.sbcglobal.net [151.164.40.162]
11 94 ms 94 ms 96 ms 65.19.103.193
12 95 ms 95 ms 94 ms r1-pos3-1.in.nycmny83.cv.net [65.19.97.133]
13 93 ms 94 ms 93 ms r1-srp13-0.wan.hcvlny.cv.net [65.19.96.49]
14 90 ms 90 ms 90 ms 65.19.111.202
15 93 ms 93 ms 93 ms dstswr1-ge3-16.rh.nyk2ny.cv.net [67.83.220.130]
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.

Trace complete.

Here are my questions. Is it possible that there is a virus or trojan on the Exchange server, or some sort of spyware? I ask because emails are starting to go to specific users' addresses, along with their name in the email.

Any advice is greatly appreciated.
 
If the originating IP (24.158.51.87) is not yours, then this is just some kind of spam, spoof, or whatever else they come up with.
Also, if it is not your IP, then there is no virus at your place (at least not one causing this).

Advice: get a spam filter if you have not got one (GFI or the likes). Otherwise, live with it; we all do, sadly enough.

Marc
 
Thank you Marcs41 for the replies. I was guessing there was pretty much nothing I could do. I will look into getting a spam filter though. I also submitted an abuse email to the ISP the IP belonged to; not sure what they can do. My guess is that it is a hijacked machine on the outside somewhere.

Thanks again.
 
You're welcome

Marc
 
I bet they submit several hundred spams to possible user names at your domain and eventually got enough NDRs that they were able to tell which accounts were live (no NDR returned), and began sending mail with those addresses in the TO field. If all the suspicious mail is coming from that IP, couldn't you block it, either at the firewall or from within Exchange?

ShackDaddy
 
You could indeed block it, but it will not do much good. If you look at the header, there is a little indicator letting me assume it is dynamic:
ool-18b93357.DYN.optonline.net [24.185.51.87]

A real spammer or the likes would never use a fixed IP anyway.
If you keep checking headers and notice they always come from the same range, then you could ask the owner of that IP range to do something about it. That is, if they are not located in some country where they don't care about it.


Marc
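ShackDaddy's theory (many guessed recipients from one address, with the bounces telling the sender which mailboxes exist) and Marc's caveat about dynamic addresses both suggest the same check on the mail server's own logs. The following is an added example, not code from the thread or from Exchange: it scores each source IP by how many distinct recipients it tried and what fraction bounced, and separately flags reverse names that look like a dynamic pool, which is the hint Marc reads from "dyn" in the hostname. The log format, the thresholds and every log line except the harvester's IP and reverse name are constructed assumptions.

```python
"""Added example: spot directory-harvest behaviour and dynamic sources.

Not code from the thread. The log format is a constructed simplification
(one line per RCPT TO: time, source IP, reverse name, RCPT, recipient,
outcome), not real Exchange 2003 SMTP log output. The thresholds are
assumptions to tune against your own traffic.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class SourceStats(NamedTuple):
    ptr: str             # reverse DNS name the log recorded for the peer
    attempts: int        # RCPT TO commands seen
    distinct_rcpts: int  # how many different mailboxes were tried
    bounced: int         # attempts that ended in an NDR


# Assumed labels that ISPs commonly put in reverse names of dynamic pools.
DYNAMIC_PTR = re.compile(
    r"(^|[.-])(dyn|dynamic|dhcp|pool|ppp|dial|cable|dsl)([.-]|$)", re.IGNORECASE
)

# Constructed log. 24.185.51.87 and its reverse name come from the trace in
# the thread; the other sources, names and recipients are made up.
CONSTRUCTED_LOG = """\
09:01:02 24.185.51.87 ool-18b93357.dyn.optonline.net RCPT aaron@mycompany.com ndr
09:01:02 24.185.51.87 ool-18b93357.dyn.optonline.net RCPT abby@mycompany.com ndr
09:01:03 24.185.51.87 ool-18b93357.dyn.optonline.net RCPT bob@mycompany.com accepted
09:01:03 24.185.51.87 ool-18b93357.dyn.optonline.net RCPT brad@mycompany.com ndr
09:01:04 24.185.51.87 ool-18b93357.dyn.optonline.net RCPT janed@mycompany.com accepted
09:01:04 24.185.51.87 ool-18b93357.dyn.optonline.net RCPT janet@mycompany.com ndr
09:05:10 203.0.113.9 mx1.partner.example RCPT bob@mycompany.com accepted
09:05:11 203.0.113.9 mx1.partner.example RCPT bob@mycompany.com accepted
09:10:00 198.51.100.4 lists.vendor.example RCPT bob@mycompany.com accepted
09:10:00 198.51.100.4 lists.vendor.example RCPT janed@mycompany.com accepted
09:10:01 198.51.100.4 lists.vendor.example RCPT sam@mycompany.com accepted
09:10:01 198.51.100.4 lists.vendor.example RCPT kim@mycompany.com accepted
09:10:02 198.51.100.4 lists.vendor.example RCPT lee@mycompany.com accepted
"""


def looks_dynamic(ptr: str) -> bool:
    """Heuristic only: a 'dyn'/'pool'/'dhcp' style label in the reverse name."""
    return DYNAMIC_PTR.search(ptr) is not None


def parse_log(text: str) -> Dict[str, SourceStats]:
    """Aggregate the constructed log per source IP."""
    acc: Dict[str, dict] = defaultdict(
        lambda: {"ptr": "", "attempts": 0, "rcpts": set(), "bounced": 0}
    )
    for line in text.splitlines():
        if not line.strip():
            continue
        _time, ip, ptr, verb, rcpt, outcome = line.split()
        if verb != "RCPT":
            continue
        entry = acc[ip]
        entry["ptr"] = ptr
        entry["attempts"] += 1
        entry["rcpts"].add(rcpt.lower())
        if outcome == "ndr":
            entry["bounced"] += 1
    return {
        ip: SourceStats(e["ptr"], e["attempts"], len(e["rcpts"]), e["bounced"])
        for ip, e in acc.items()
    }


def harvesters(stats: Dict[str, SourceStats],
               min_rcpts: int = 5, min_bounce_ratio: float = 0.5) -> List[str]:
    """Sources that tried many distinct mailboxes and mostly got bounces.

    A legitimate bulk sender (lists.vendor.example above) also hits many
    recipients, but its addresses exist, so the bounce ratio keeps it out.
    """
    flagged = [
        ip for ip, s in stats.items()
        if s.distinct_rcpts >= min_rcpts and s.bounced / s.attempts >= min_bounce_ratio
    ]
    return sorted(flagged)


if __name__ == "__main__":
    stats = parse_log(CONSTRUCTED_LOG)
    for ip in harvesters(stats):
        note = "dynamic-looking PTR, expect the address to change" \
            if looks_dynamic(stats[ip].ptr) else "static-looking PTR"
        print(f"{ip} {stats[ip].ptr}: {stats[ip].distinct_rcpts} recipients, "
              f"{stats[ip].bounced}/{stats[ip].attempts} bounced ({note})")
```

On the constructed log only the cable host is flagged: six different mailboxes tried, four of them bounced, and a reverse name that says "dyn". The partner MTA and the mailing-list host are not, because their recipients all exist. The dynamic-PTR flag is what turns a block rule into a short-lived one, which is Marc's point: block the address if you like, but keep watching the range it comes from.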
 