Small Business Server Support Forum    
Subject: Finding the originating source of an email
Adam Graham
United Kingdom
Member since
12/5/2006

Registered Users
Posts: 29

4/26/2008 10:25 AM  
Hi!

I have noticed in our 2003 Exchange (SP2) queues that there are messages building up appearing to be from an 'info@domain.co.uk' address within our organisation. This address was published on our internet site (I know, I know, this isn't a good idea. It has since been removed). However, the address itself was only ever set up as a secondary email on another user account. This also has now been removed. So the address DOESN'T exist in our organisation; I know this because when I try and email it, it returns an NDR as you would expect.

My question is how do I find the source to resolve the problem? I can of course see the emails in the queues and see the routing with Message Tracking but I either can't or don't know how to extract the message itself from there to see the internet headers.

I have also checked that we AREN'T relaying mail.

Any suggestions are welcome because this is cracking me up!!!

Adam
Mick Malloy
Australia
Member since
4/6/2007

Microsoft MVP
Posts: 309

4/28/2008 01:35 AM  
By turning on SMTP logging you will be able to see what is being sent. Mind, after investigation you either need to turn off SMTP logging or schedule a tidy up as part of your maintenance; the logs can accumulate.
Adam Graham
United Kingdom
Member since
12/5/2006

Registered Users
Posts: 29

4/28/2008 10:16 AM  
Hi Mick,

Below is the result of the SMTP logging. Does this suggest there is something on the server itself generating these mails? I have run a number of Anti-Virus apps, none of which find anything?
_____________________________________________________________________________________________
# Message Tracking Log File
# Exchange System Attendant Version 6.5.7638.1
# Date Time client-ip Client-hostname Partner-Name Server-hostname server-IP Recipient-Address Event-ID MSGID Priority Recipient-Report-Status total-bytes Number-Recipients Origination-Time Encryption service-Version Linked-MSGID Message-Subject Sender-Address

28/04/2008 0:18:35 GMT 127.0.0.1 domain.co.uk - SERVERNAME 127.0.0.1 random@address.com 1019 SERVERNAME70EkeCnKKErF00000608@mail.domain.co.uk 3 0 2406 1 - 0 Version: 6.0.3790.3959 - - info@domain.co.uk

28/04/2008 0:18:35 GMT 127.0.0.1 domain.co.uk - SERVERNAME 127.0.0.1 random@address.com 1025 SERVERNAME70EkeCnKKErF00000608@mail.domain.co.uk 3 0 2406 1 - 0 Version: 6.0.3790.3959 - - info@domain.co.uk

28/04/2008 0:18:35 GMT 127.0.0.1 domain.co.uk - SERVERNAME 127.0.0.1 random@address.com 1024 SERVERNAME70EkeCnKKErF00000608@mail.domain.co.uk 3 0 2406 1 - 0 Version: 6.0.3790.3959 - - info@domain.co.uk
_____________________________________________________________________________________________

Any help is appreciated!

Adam
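Added example (not part of the thread and not any poster's code): a short Python script that reads tracking-log rows laid out like the ones posted above, collapses the several event rows that share one MSGID into a single message, and lists the messages whose client-ip column is a loopback address, i.e. handed to the SMTP service from the server itself. The column positions are assumed from the pasted header, and the 192.0.2.10 row is constructed for contrast.

```python
import ipaddress

# Constructed sample: the three rows posted above plus one made-up remote row
# (192.0.2.10 / example.net) so the filter has something to exclude.
SAMPLE = """\
# Message Tracking Log File
28/04/2008 0:18:35 GMT 127.0.0.1 domain.co.uk - SERVERNAME 127.0.0.1 random@address.com 1019 SERVERNAME70EkeCnKKErF00000608@mail.domain.co.uk 3 0 2406 1 - 0 Version: 6.0.3790.3959 - - info@domain.co.uk
28/04/2008 0:18:35 GMT 127.0.0.1 domain.co.uk - SERVERNAME 127.0.0.1 random@address.com 1025 SERVERNAME70EkeCnKKErF00000608@mail.domain.co.uk 3 0 2406 1 - 0 Version: 6.0.3790.3959 - - info@domain.co.uk
28/04/2008 0:18:35 GMT 127.0.0.1 domain.co.uk - SERVERNAME 127.0.0.1 random@address.com 1024 SERVERNAME70EkeCnKKErF00000608@mail.domain.co.uk 3 0 2406 1 - 0 Version: 6.0.3790.3959 - - info@domain.co.uk
28/04/2008 0:20:01 GMT 192.0.2.10 mail.example.net - SERVERNAME 10.0.0.2 user@domain.co.uk 1019 ABC123@mail.example.net 3 0 512 1 - 0 Version: 6.0.3790.3959 - - someone@example.net
"""

def parse_row(line):
    """Pick out the columns needed from one row; None for comments/short rows.

    Assumes the layout shown in the post: whitespace-separated columns, the
    time followed by a separate 'GMT' token, and Sender-Address last.
    """
    tok = line.split()
    if line.startswith("#") or len(tok) < 12:
        return None
    return {"date": tok[0], "time": tok[1] + " " + tok[2], "client_ip": tok[3],
            "client_host": tok[4], "recipient": tok[8], "event_id": tok[9],
            "msgid": tok[10], "sender": tok[-1]}

def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:  # "-" or a malformed value in the column
        return False

def local_submissions(text):
    """One record per MSGID whose client-ip is loopback, with its event IDs."""
    msgs = {}
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        event = row.pop("event_id")
        msgs.setdefault(row["msgid"], {**row, "events": []})["events"].append(event)
    return [m for m in msgs.values() if is_loopback(m["client_ip"])]

if __name__ == "__main__":
    for m in local_submissions(SAMPLE):
        print(m["date"], m["time"], m["sender"], "->", m["recipient"],
              "events", ",".join(m["events"]))
```

The timestamps of the flagged messages can then be compared against scheduled tasks, services and web applications on the server that are able to send mail through the local SMTP service.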
Adam Graham
United Kingdom
Member since
12/5/2006

Registered Users
Posts: 29

4/29/2008 07:45 PM  
No one any thoughts/suggestions?

Adam
Mariette Knap
The Netherlands
Member since
3/24/2005

Forum Admins
Posts: 12899

4/30/2008 05:18 PM  
It seems that somebody is spamming your info address. Not much to worry about as that happens to many of us.

Mariëtte Knap
Smallbizserver.Net Administrator
Mission accomplished. We have joined the branch office to our SBS 2003 Headquarters and have the same user experience on the branch office as we have on our local network at the Headquarters. Want to know how? Sign up for a subscription and get instant access to the article series 'How to add an additional Domain Controller from a remote office to the SBS domain'
Adam Graham
United Kingdom
Member since
12/5/2006

Registered Users
Posts: 29

4/30/2008 09:28 PM  
Mariette,
 
Thanks for the reply. I also understand about people spoofing the address, however I believe these emails are being generated locally. If I take the server (single NIC configuration w/o ISA) off the network by disconnecting the cable but leave Exchange running, these mails are still building in the queues. The weird thing is, if it was some kind of malicious program I would expect it to be generating hundreds/thousands per day when in fact it's only generating maybe 20!
 
Also, as I mentioned I have removed the address entirely! The info@ address DOES NOT EXIST in Exchange any longer, so why is Exchange even trying to queue the mail for delivery???? Does Exchange cache old addresses somewhere or something???
 
If it takes me to put up a new Exchange and move the mailboxes etc to get rid of the problem I will do that, however it's a lot of work to find it's not the solution.
 
Any thoughts appreciated!!
 
Adam
Mariette Knap
The Netherlands
Member since
3/24/2005

Forum Admins
Posts: 12899

5/01/2008 10:33 AM  
They could be NDRs if that info address is no longer available. You can turn that off to see if that clears it.

Mariëtte Knap
Smallbizserver.Net Administrator
Adam Graham
United Kingdom
Member since
12/5/2006

Registered Users
Posts: 29

5/01/2008 12:42 PM  
Mariette,

Thanks again for your comments.

I am no Exchange expert, however I would have thought that if it was an NDR, as the account doesn't actually exist in Exchange, Exchange would not queue an NDR?

I have turned it off and will see what the result is.

Thanks again

Adam
Mariette Knap
The Netherlands
Member since
3/24/2005

Forum Admins
Posts: 12899

5/01/2008 03:55 PM  
Sure, it will do that. That is the idea about Non Delivery Reports. If the server does not know what to do with an email the sender needs to be informed about that.

Mariëtte Knap
Smallbizserver.Net Administrator
Adam Graham
United Kingdom
Member since
12/5/2006

Registered Users
Posts: 29

5/01/2008 05:08 PM  
I had NDRs disabled for four hours and the queues were still populating. These are emails being generated at the server. Whether inside Exchange or on the box I am not sure. I know this simply because I have had the server disconnected from the network with Exchange running and they still generate.

I am running out of ideas here!!!

Adam
Mariette Knap
The Netherlands
Member since
3/24/2005

Forum Admins
Posts: 12899

5/01/2008 05:14 PM  
Adam,
 
I suggest you ask for support here http://www.smallbizserver.net/Home/Support.aspx. Mick, Eriq or Marina will have a look at this issue then. Remember that this is paid support and if you use the form at http://www.smallbizserver.net/Home/Support.aspx we will mail you a doc with all details.

Mariëtte Knap
Smallbizserver.Net Administrator
Adam Graham
United Kingdom
Member since
12/5/2006

Registered Users
Posts: 29

5/01/2008 10:43 PM  
Mariette,
 
Thanks for the offer. I may well have the need to take you up on it sometime, however in this instance I think I'll fire up a new Exchange, move the mailboxes etc and retire the existing one. If then the problem follows I'll most likely swing the domain over to a temp 2003 server and rebuild the original SBS box.
 
It's a lot of work, but I can't think of what else to do. I have worked at this for weeks and it's starting to drive me nuts!
 
Adam