How to determine sender of outbound message
Brian
outbound messages stack up in the outbound queue of the
Internet Mail Service (the IMS stopped running and the
messages built up). The messages are destined for an
unknown host. It almost appears as if someone inside is
sending SPAM. The originator field is empty <>. I can
see the MTS-ID and the Message-ID.
We do not relay SMTP mail (I blocked it) so it's not
coming from the outside. We are up-to-date with AV
software including NAV for Exchange, so I don't think it's
a virus. Maybe this has been happening for some time and
I've only noticed it because I had to check the IMS
outbound queue and they had piled up.
In any case, how can I find out who/where this group of
emails originated from?
Thanks,
Brian
John McCabe
wrote:
>We are running Exchange 5.5 and have a large number of
>outbound messages stack up in the outbound queue of the
>Internet Mail Service (the IMS stopped running and the
>messages built up). The messages are destined for an
>unknown host. It almost appears as if someone inside is
>sending SPAM. The originator field is empty <>. I can
>see the MTS-ID and the Message-ID.
If anyone can tell me how to search for "<>" on Google groups I'd
appreciate it :-) (because then I could advise Brian to look there!
A message with <> in the outbound queue is a system generated message.
In a lot of cases it will be a non-deilvery report being returned to
the spammer. As the spammers will probably not be using a valid email
address, it will sit in the outbound queue until it expires then will
be deleted.
Kirill S. Palagin
http://www.swinc.com/resource/exch_faq.htm
Brian wrote:
--
Corrections are welcome.
Please keep all discussions in NG, so that everybody can participate.
Kirill
Brian
different for each message, and as many
for "xx...@gamers.com", and the addresses are mostly not
the kind I would expect a user to have. Like
X3df...@gamers.com. This makes me think that WE are the
spammer, and these are not non-delivery reports being sent
to a spammer.
How can I find out about these existing ones, and how can
I look for (and capture) new activity of the same sort?
>.
>
Matt
company. Although you have blocked relaying, there is
still a small amount of spam that can get through. These
messages are most likely not even being sent, but just
sitting in your outbound.
>
John McCabe
wrote:
>We have 72 messages for "xx...@office.com", where xxxx is
>different for each message, and as many
>for "xx...@gamers.com", and the addresses are mostly not
>the kind I would expect a user to have. Like
>X3df...@gamers.com. This makes me think that WE are the
>spammer, and these are not non-delivery reports being sent
>to a spammer.
>How can I find out about these existing ones, and how can
>I look for (and capture) new activity of the same sort?
How is your system set up to handle NDR's? Does it send a copy of a
non-delivery report to you personally? If not it more than likely
sends one to an administrator. If you log into the account assigned to
receive copies of NDR's you should have a big list of them (probably).
You can look there to get more information.
As I mentioned though (and I believe the faq someone else mentioned
will tell you), messages from <> are system generated messages, in
most cases NDR's and they will sit in the outbound queue until they
expire after which you (or the adminisatrator mailbox) will be
notified of an outgoing message failure.