
Unauthorized Emails

Status
Not open for further replies.

LRSmith

Programmer
Dec 4, 2002
207
US
I'll be up front - this may be a bit vague. But if you ask for specific information, I can try and get it to you. (No one in this office is IT).

We have a problem with what appears to be unauthorized emails being sent from one of our email accounts. The only reason I suspect this is the weekly server usage reports (Windows Server 2003) that show a particular person sending out 10x the amount of external email compared to everyone else.

But if I check the Exchange logs, I can't find a paper trail to verify all these emails, only the emails this particular person knows he sent.

Am I chasing a ghost here? Any advice would be appreciated. Again, a bit vague, but I'd be happy to provide more information if asked. Just not sure what is pertinent to provide at this point.
 
lrsmith,

Have you checked the user's workstation for any viruses? Sounds like this could be the case.

Do you have a firewall installed? Usually the firewall will give you a much better report on port usage (SMTP, etc).

I would make sure the workstation is clean before you continue with your troubleshooting.
 
Scan that machine for viruses and spyware. Also, the activity you may be seeing could be NDR reports.

I hope you find this post helpful.

Regards,

Mark
 
We seem to continue having problems with unauthorized emails. In addition to the problem I reported a couple of months ago, now another employee is getting email notifications of failed deliveries he never sent. A copy of the notification he receives is below. Each PC is scanned nightly by the Symantec corporate server, and each PC has its own spyware program installed.

I did check the Exchange server logs for the email below, and there is an entry that this email was sent from the employee's email address.

I would appreciate any suggestions you might have.


=====================================================
From: System Administrator
Sent: Friday, January 20, 2006 1:08 PM
To: ikvstrb@jefferson-bank.com
Subject: Undeliverable: Not read: hello

Your message did not reach some or all of the intended recipients.

Subject: Not read: hello
Sent: 1/20/2006 11:42 AM

The following recipient(s) could not be reached:

ikvstrb@jefferson-bank.com on 1/20/2006 12:56 PM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< eSafe@centralbank.net #5.0.0 smtp;550 5.1.1 User unknown>
 
Thought perhaps posting the Exchange log of the email transmission might help too. I replaced the real email address with EMPLOYEE@COMPANY.COM to protect the innocent.

198.65.127.148, OutboundConnectionResponse, 1/20/2006, 11:43:02, SMTPSVC1, FATBOY, -, 47, 0, 130, 0, 0, -, -, 220 p101m061.symantecmail.net ESMTP mxl_mta-2.9.0-24p5 [2632534960.270716]; Fri, 20 Jan 2006 09:39:29 -0700 (MST); NO UCE, INBOUND,
198.65.127.148, OutboundConnectionCommand, 1/20/2006, 11:43:02, SMTPSVC1, FATBOY, -, 47, 0, 4, 0, 0, EHLO, -, COMPANY.COM,
198.65.127.148, OutboundConnectionResponse, 1/20/2006, 11:43:02, SMTPSVC1, FATBOY, -, 94, 0, 29, 0, 0, -, -, 250-p101m061.symantecmail.net,
198.65.127.148, OutboundConnectionCommand, 1/20/2006, 11:43:02, SMTPSVC1, FATBOY, -, 94, 0, 4, 0, 0, MAIL, -, FROM:<EMPLOYEE@COMPANY.COM>,
198.65.127.148, OutboundConnectionResponse, 1/20/2006, 11:43:02, SMTPSVC1, FATBOY, -, 141, 0, 13, 0, 0, -, -, 250 Sender Ok,
198.65.127.148, OutboundConnectionCommand, 1/20/2006, 11:43:02, SMTPSVC1, FATBOY, -, 141, 0, 4, 0, 0, RCPT, -, TO:<ikvstrb@jefferson-bank.com>,
198.65.127.148, OutboundConnectionResponse, 1/20/2006, 11:43:26, SMTPSVC1, FATBOY, -, 24641, 0, 42, 0, 0, -, -, 250 ikvstrb@jefferson-bank.com ok (normal),
198.65.127.148, OutboundConnectionCommand, 1/20/2006, 11:43:26, SMTPSVC1, FATBOY, -, 24641, 0, 4, 0, 0, DATA, -, -,
198.65.127.148, OutboundConnectionResponse, 1/20/2006, 11:43:26, SMTPSVC1, FATBOY, -, 24688, 0, 44, 0, 0, -, -, 354 Start mail input; end with <CRLF>.<CRLF>,
198.65.127.148, OutboundConnectionResponse, 1/20/2006, 11:43:28, SMTPSVC1, FATBOY, -, 25688, 0, 57, 0, 0, -, -, 250 2.0.0 Y0KG1VN6300004458 Message accepted for delivery,
198.65.127.148, OutboundConnectionCommand, 1/20/2006, 11:43:28, SMTPSVC1, FATBOY, -, 25703, 0, 4, 0, 0, QUIT, -, -,
198.65.127.148, OutboundConnectionResponse, 1/20/2006, 11:43:28, SMTPSVC1, FATBOY, -, 25766, 0, 66, 0, 0, -, -, 221 p101m061.symantecmail.net Service closing transmission channel,
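As an added example (not from the thread, and not an Exchange tool), here is a small Python parser for the comma-separated SMTP protocol log format quoted above; it rebuilds each outbound transaction (envelope sender, recipients, reply codes, whether the body was accepted) so the per-sender counts in a usage report can be itemised and rejected recipients matched to the NDRs a user receives. The sample log is constructed: the first session mirrors the quoted lines, the second session and the 192.0.2.10 address are assumptions.

```python
from collections import Counter

# Constructed sample in the layout of the Exchange/IIS SMTP protocol log quoted above:
# field 2 is the event type, field 13 the SMTP verb ("-" for a server reply), field 15 the
# verb argument or reply line. Session 1 mirrors the quoted exchange; session 2 is assumed.
SAMPLE_LOG = """\
198.65.127.148, OutboundConnectionCommand, 1/20/2006, 11:43:02, SMTPSVC1, FATBOY, -, 94, 0, 4, 0, 0, MAIL, -, FROM:<EMPLOYEE@COMPANY.COM>,
198.65.127.148, OutboundConnectionCommand, 1/20/2006, 11:43:02, SMTPSVC1, FATBOY, -, 141, 0, 4, 0, 0, RCPT, -, TO:<ikvstrb@jefferson-bank.com>,
198.65.127.148, OutboundConnectionResponse, 1/20/2006, 11:43:26, SMTPSVC1, FATBOY, -, 24641, 0, 42, 0, 0, -, -, 250 ikvstrb@jefferson-bank.com ok (normal),
198.65.127.148, OutboundConnectionCommand, 1/20/2006, 11:43:26, SMTPSVC1, FATBOY, -, 24641, 0, 4, 0, 0, DATA, -, -,
198.65.127.148, OutboundConnectionResponse, 1/20/2006, 11:43:26, SMTPSVC1, FATBOY, -, 24688, 0, 44, 0, 0, -, -, 354 Start mail input; end with <CRLF>.<CRLF>,
198.65.127.148, OutboundConnectionResponse, 1/20/2006, 11:43:28, SMTPSVC1, FATBOY, -, 25688, 0, 57, 0, 0, -, -, 250 2.0.0 Message accepted for delivery,
198.65.127.148, OutboundConnectionCommand, 1/20/2006, 11:43:28, SMTPSVC1, FATBOY, -, 25703, 0, 4, 0, 0, QUIT, -, -,
192.0.2.10, OutboundConnectionCommand, 1/20/2006, 12:01:00, SMTPSVC1, FATBOY, -, 50, 0, 4, 0, 0, MAIL, -, FROM:<EMPLOYEE@COMPANY.COM>,
192.0.2.10, OutboundConnectionCommand, 1/20/2006, 12:01:00, SMTPSVC1, FATBOY, -, 60, 0, 4, 0, 0, RCPT, -, TO:<nobody@example.net>,
192.0.2.10, OutboundConnectionResponse, 1/20/2006, 12:01:01, SMTPSVC1, FATBOY, -, 90, 0, 30, 0, 0, -, -, 550 5.1.1 User unknown,
192.0.2.10, OutboundConnectionCommand, 1/20/2006, 12:01:01, SMTPSVC1, FATBOY, -, 95, 0, 4, 0, 0, QUIT, -, -,
"""

def parse_transactions(log_text):
    """Rebuild each outbound transaction: sender, recipients with their reply code, and
    whether the body was accepted (a 250 reply after DATA)."""
    txns, cur, awaiting = [], None, None
    for raw in log_text.splitlines():
        fields = [f.strip() for f in raw.rstrip().rstrip(",").split(",")]
        if len(fields) < 15:
            continue  # blank or truncated line
        event, verb = fields[1], fields[12]
        arg = ",".join(fields[14:])  # a reply line may itself contain commas
        if event.endswith("Command"):
            if verb == "MAIL":
                cur = {"when": f"{fields[2]} {fields[3]}", "recipients": [], "accepted": False,
                       "sender": arg.split(":", 1)[1].strip("<>")}
            elif verb == "RCPT" and cur is not None:
                cur["recipients"].append([arg.split(":", 1)[1].strip("<>"), None])
            elif verb == "QUIT" and cur is not None:
                txns.append(cur)
                cur = None
            awaiting = verb if verb in ("RCPT", "DATA") else None
        elif event.endswith("Response") and cur is not None and awaiting:
            code = arg.split(" ", 1)[0]
            if awaiting == "RCPT":
                cur["recipients"][-1][1] = code
                awaiting = None
            elif code != "354":  # 354 means "send the body"; the next reply is the verdict
                cur["accepted"] = code.startswith("250")
                awaiting = None
    return txns

def accepted_per_sender(txns):
    """Messages the server actually relayed, per envelope sender."""
    return dict(Counter(t["sender"] for t in txns if t["accepted"]))
```

Run it over the real log export and compare the per-sender totals against the usage report; recipients whose reply code is not 2xx are the transactions that should line up with the undeliverable notices.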
 
That sounds like spoofing. Someone who has that user's email address in their contacts is infected with some virus, and their machine is sending out email as if it's coming from your user.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
 