locked
System account sending emails - Need help stopping it RRS feed

  • Question

  • Hi , 

    since few days ago, my script, I've created to track persons sending more than 100 messages per day started reporting senders that are outside of the organization. Specifically :

    MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@<mydomain.com>       8621 messages today only

    or

    no-reply@researchgatemail.net                                           153 messages today

    Mail relay is disabled. I've triple checked. I have Watchguard XTM-v infront of it . Monitoring mail flow in and out. I thought these are just NDRs (in the first case) but considering that, whenever I get this report my reputation on senderscore.org starts falling down and reporting high volume, I'm guessing someone is exploiting something and sending emails out. 

    Anyway I can change password for this account , or do something ? Any ideas. I'm out . 

    Ty

    EDIT: I've updated to the latest CU8 . Nothing is happening. Didn't help. 
    Friday, January 5, 2018 4:47 PM

All replies

  • The first one is used for system messages, DNSs, etc, as detailed here: https://technet.microsoft.com/en-us/library/bb430759(v=exchg.141).aspx

    You can safely ignore those. For the second, run some message traces to get more information, you might have some infected machine or something.

    • Proposed as answer by Jason.Chao Monday, January 8, 2018 9:13 AM
    Friday, January 5, 2018 8:08 PM
  • Hi,

    Agree with Vasil, in addition, we can get the source IP, source server in the message tracing log to verify that who has send the messages out your ORG.

    Hope it helps.

    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.

    • Proposed as answer by Jason.Chao Wednesday, January 10, 2018 9:37 AM
    Monday, January 8, 2018 6:20 AM