It looks like you've got something on the inside trying to sending spam or other junk out. I thought perhaps you had an open relay and someone was sending email through but I check and you're server looks like it's closed. I'm not certain offhand if it's a virus, Trojan, or something else. Others may have some thoughts... Regards, Mike Liddekee Network Engineer Humco Holding Group, Inc. 7400 Alumax Dr. Texarkana, TX 75501 Ph: (903) 831-7808 ext 697 -----Original Message----- From: KEN MORRIS [mailto:KMORRIS@xxxxxxx] Sent: Thursday, September 04, 2003 10:37 AM To: [ExchangeList] Subject: [exchangelist] RE: Many NDR's not showing as coming from/to domain http://www.MSExchange.org/ John, here is the body of: Your message did not reach some or all of the intended recipients. Subject: SEX Sent: 9/3/2003 6:01 PM The following recipient(s) could not be reached: alwbre@xxxxxxxxxxxx on 9/4/2003 10:56 AM There was a SMTP communication problem with the recipient's email server. Please contact your system administrator. <server.domain #5.5.0 smtp;550 <alwbre@xxxxxxxxxxxx>: User unknown> Each email appears to be from a different sender that is not a part of our domain... ie Qigometh [sasdlfksjfd@xxxxxxx] Let me know if more information is needed! Thanks Ken -----Original Message----- From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] Sent: Thursday, September 04, 2003 11:30 AM To: [ExchangeList] Subject: [exchangelist] RE: Many NDR's not showing as coming from/to domain http://www.MSExchange.org/ Please post what the NDR is saying. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com > -----Original Message----- > From: KEN MORRIS [mailto:KMORRIS@xxxxxxx] > Sent: Thursday, September 04, 2003 5:48 AM > To: [ExchangeList] > Subject: [exchangelist] Many NDR's not showing as coming from/to domain > > http://www.MSExchange.org/ > > Hi Guys, > > This morning I walked into check my NDR's and found many (about 100 or so > since 1am today) reports being sent to me, When I take a look at my logs, I > am finding many event ID 1208 & 1209 messages about the IS maintenance. All > of the messages "appear" to be originating from a different domain than ours. > > > The server is W2K sp4 latest patches as of Tuesday morning, with E2K SP3. > > Any suggestions on what else I should be looking for, why I am receiving > these and has my server been compromised? Any suggestions/help is greatly > appreciated! > > HELP!! > > Thanks > Ken > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist > Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp > Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > Leading Network Software Directory: http://www.serverfiles.com > No.1 ISA Server Resource Site: http://www.isaserver.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this MSExchange.org Discussion List as: > johnlist@xxxxxxxxxxxxxxxxxxx > To unsubscribe send a blank email to leave-exchangelist- > 1440469J@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this MSExchange.org Discussion List as: kmorris@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 ISA Server Resource Site: http://www.isaserver.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this MSExchange.org Discussion List as: mliddekee@xxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')