Emails being sent from Exchange not coming from senders

  • Question

  • My Exchange server (SBS 2003) has emails in the outgoing SMTP queue from legitimate users. However, these messages were not sent by the users. They are not listed in their sent items, and I have confirmed with most of them that they did not send these messages.

    There are a number of 7002 and 7004 events in the error log where the recipients do not exist or the message cannot be delivered.

    I have changed the password of some of the users but this has made no difference.

    There are a couple of questions:

    1. How do I find what is generating these messages?

    2. How do I track where they are coming from? (I assume from an infected PC since the server has been scanned with 3 different AV/Malware tools)

    3. The messages are not listed in the vsl1\queues folder. But can I find and open the messages in Exchange to view the contents?

    Thanks in Advance.

    Sunday, July 1, 2012 11:19 AM

Answers

  • Hi,

    >>>There are a number of 7002 and 7004 events in the error log where the recipients do not exist or the message cannot be delivered.

    First please post the whole error information here.

    >>>I have changed the password of some of the users but this has made no difference

    I guess they are using telnet to send messages, so your action is not valid.

    To answer your questions:

    >>>1. How do I find what is generating these messages.

    >>>2. How do I track where they are coming from (I assume from an infected PC since the server has been scanned with 3 different AV/Malware tools)

    If they use SMTP to send messages, all actions will be recorded in the SMTP log, so you can try to use the SMTP log to trace the client.

    About the SMTP log: http://www.msexchange.org/tutorials/Logging_the_SMTP_Service.html

    Hope this can help you.

    Thanks,

    CastinLu

    TechNet Community Support

    • Marked as answer by Castinlu Friday, July 6, 2012 5:10 AM
    Monday, July 2, 2012 7:29 AM
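
Added example, not part of the original thread: one way to use the SMTP log to trace the submitting client, by counting MAIL and RCPT commands per client IP. It assumes the log is in W3C Extended format with the c-ip, cs-method, cs-uri-query and sc-status fields enabled; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread); documentation-range addresses.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2012-07-01 09:00:01 192.0.2.10 MAIL +FROM:<alice@example.com> 250
2012-07-01 09:00:02 192.0.2.10 RCPT +TO:<a1@example.net> 250
2012-07-01 09:00:02 192.0.2.10 RCPT +TO:<a2@example.net> 550
2012-07-01 09:00:03 192.0.2.10 MAIL +FROM:<bob@example.com>+SIZE=2048 250
2012-07-01 09:00:03 192.0.2.10 RCPT +TO:<a3@example.net> 550
2012-07-01 09:00:04 192.0.2.10 RCPT +TO:<a4@example.net> 250
2012-07-01 09:05:00 192.0.2.20 MAIL +FROM:<carol@example.com> 250
2012-07-01 09:05:01 192.0.2.20 RCPT +TO:<b1@example.net> 250
2012-07-01 09:06:00 198.51.100.5 OutboundConnectionCommand - 0
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the latest #Fields: header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def summarize_clients(text):
    """Per client IP: MAIL and RCPT counts, rejected RCPTs, envelope senders."""
    stats = defaultdict(lambda: {"mail": 0, "rcpt": 0, "rejected": 0, "senders": set()})
    for entry in parse_w3c(text):
        cmd = entry.get("cs-method", "").upper()
        if cmd not in ("MAIL", "RCPT"):
            continue  # ignore other commands and outbound delivery rows
        s = stats[entry.get("c-ip", "unknown")]
        if cmd == "MAIL":
            s["mail"] += 1
            s["senders"].update(a.lower() for a in re.findall(r"<([^>]*)>", entry.get("cs-uri-query", "")))
        else:
            s["rcpt"] += 1
            if entry.get("sc-status", "").startswith("5"):
                s["rejected"] += 1
    return dict(stats)

def top_talkers(text, min_rcpt=3):
    """Client IPs with at least min_rcpt RCPT commands, busiest first."""
    rows = [(ip, s["rcpt"]) for ip, s in summarize_clients(text).items() if s["rcpt"] >= min_rcpt]
    return sorted(rows, key=lambda r: -r[1])
```

A single internal address that submits mail under several users' envelope senders, with many rejected recipients, is the machine to inspect first.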