[ExchangeList] Re: How to find a PC that is sending rogue emails?

  • From: <paul_lemonidis@xxxxxxxxxxx>
  • To: <exchangelist@xxxxxxxxxxxxx>
  • Date: Fri, 29 Jan 2010 15:46:27 -0000

Hi Todd

Depending on what firewall you have, can you allow only the Exchange server 
outbound SMTP access and then check the logs to see what IP address is sending 
the messages in the firewall logs? It may not be the Exchange server. Also, it 
might be worth doing message tracking on one of the messages to ensure it did 
or didn't go from the Exchange server. If a machine has a virus it may not be 
going from the Exchange server. It may be doing the SMTP itself. Whilst you 
cannot relay from outside you may be able to internally too. You should check 
that too. A virus-infected PC could submit messages if it could relay or, as 
mentioned previously, it could send directly if it can go out directly on port 25. 

Regards,

Paul Lemonidis.


From: Todd Lemmiksoo 
Sent: Friday, January 29, 2010 3:22 PM
To: exchangelist@xxxxxxxxxxxxx 
Subject: [ExchangeList] How to find a PC that is sending rogue emails?


I have a situation where emails from memberservice@xxxxxxxxxxxx are being 
routed through my Exchange 2003 server. I have scanned every PC in the company 
and all but a few remote users without finding it. I have taken to stopping the 
outbound message queue at night and deleting the messages in the morning. Is 
there something I can do on the Exchange server to stop the emails from being 
accepted by Exchange? 
I have tested my server from the internet and it does not relay. My server is 
mail.all-mode.com 24.97.109.58
Help!

Todd Lemmiksoo 
Network Administrator 
All-Mode Communications
1725 Dryden Road
Freeville, NY 13068
 1-877-all-mode
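
Added example, not part of either poster's message: one way to carry out the firewall-log check suggested in the reply, separating hosts that attempt outbound SMTP themselves from hosts that submit mail through Exchange internally. The LAN range, the Exchange server's internal address (10.0.0.10), the key=value log layout and the sample lines are all assumptions constructed for illustration; adapt the field pattern to your firewall's actual log format.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumptions, not from the thread: LAN range, the Exchange server's internal
# address, and a key=value firewall log layout. Adjust all three to your site.
INTERNAL_NET = ip_network("10.0.0.0/24")
EXCHANGE_IP = ip_address("10.0.0.10")
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample log lines (outside addresses use documentation ranges).
SAMPLE_LOG = """\
2010-01-29T02:10:01 action=allow src=10.0.0.10 dst=198.51.100.7 proto=tcp dport=25
2010-01-29T02:10:03 action=deny src=10.0.0.57 dst=203.0.113.20 proto=tcp dport=25
2010-01-29T02:10:04 action=deny src=10.0.0.57 dst=203.0.113.21 proto=tcp dport=25
2010-01-29T02:10:09 action=allow src=10.0.0.31 dst=192.0.2.80 proto=tcp dport=80
2010-01-29T02:11:15 action=deny src=10.0.0.57 dst=203.0.113.22 proto=tcp dport=25
2010-01-29T02:12:40 action=deny src=10.0.0.44 dst=203.0.113.20 proto=tcp dport=25
2010-01-29T02:12:41 action=allow src=10.0.0.57 dst=10.0.0.10 proto=tcp dport=25
2010-01-29T02:13:00 action=deny src=bogus dst=203.0.113.20 proto=tcp dport=25
"""

def smtp_sources(log_text):
    """Return (direct, via_exchange) Counters of internal hosts using TCP/25.

    direct: hosts other than Exchange trying to reach outside port 25 themselves.
    via_exchange: internal hosts submitting mail to Exchange (internal relay).
    """
    direct, via_exchange = Counter(), Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("proto") != "tcp" or f.get("dport") != "25":
            continue
        try:
            src, dst = ip_address(f["src"]), ip_address(f["dst"])
        except (KeyError, ValueError):
            continue  # skip lines with missing or unparsable addresses
        if src not in INTERNAL_NET or src == EXCHANGE_IP:
            continue  # the Exchange server's own traffic is expected
        if dst == EXCHANGE_IP:
            via_exchange[str(src)] += 1
        elif dst not in INTERNAL_NET:
            direct[str(src)] += 1
    return direct, via_exchange

if __name__ == "__main__":
    direct, via_exchange = smtp_sources(SAMPLE_LOG)
    for host, n in direct.most_common():
        print(f"{host}: {n} direct outbound SMTP attempts")
    for host, n in via_exchange.most_common():
        print(f"{host}: {n} SMTP connections to Exchange")
```

A host that appears in both counters, like 10.0.0.57 in the sample, is the first machine to inspect; hosts in the second counter can be cross-checked against Exchange message tracking.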
