Find spamming

Hi Friends,

My Exchange server is relaying spam mails. I can confirm that the server is not an open relay, and I suspect that some mailbox password is compromised and currently in bad hands. Is there any way we can track which mailbox/boxes are being used for spamming, so that I can change the password and stop the issue?

Please help.

April 30th, 2015 1:19pm

Hello

Run Get-MessageTrackingLog -Start 2015.04.30 and, if you have a message subject which is spam, you can try to get the client IP with Get-MessageTrackingLog -Start 2015.04.30 -MessageSubject "spamspam" | Select-Object OriginalClientIp

Or run Log Parser Studio and select Top 10 Senders (add the message tracking log file).

April 30th, 2015 4:23pm

Hi Sneff,

Thank you for your answer. I can find the from address, but it is a different domain. I suspect that the spammer is using a mailbox (with password) to send mails enveloped using this (unknown) mail ID. I want to find the original mail ID (the mailbox whose password got compromised).

Any way?


April 30th, 2015 11:20pm

If Get-MessageTrackingLog is not enough to resolve your concern, you may look into this automated solution (http://www.exchangereports.net/) that seems to be a suitable approach to deal with such critical circumstances.

It helps to get in-depth email flow details related to user sent emails, received emails and communication between users for the selected server.

May 1st, 2015 3:44am

Is there any way we can track this from the logging on the Exchange server? I mean, which mailbox in our organization is behind this authenticated sending? I have enabled verbose logging on the connectors.
May 1st, 2015 1:18pm
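
With verbose logging enabled on the receive connectors, the account that authenticated a session can be correlated with the envelope sender used in that same session. The PowerShell below is an added example, not code from any poster in this thread; the function name, accounts, addresses and log lines are constructed, and the layout of the "authenticated" line is an assumption about the protocol log format.

```powershell
# Constructed sample lines in the SMTP receive protocol log layout (not real data).
# Assumption: after AUTH succeeds, a '*' event holds the account in 'data' and 'authenticated' in 'context'.
$sample = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2015-04-30T10:00:01Z,EX01\Client Frontend EX01,08D2A1,5,192.0.2.10:587,203.0.113.7:50001,*,EXAMPLE\jdoe,authenticated
2015-04-30T10:00:02Z,EX01\Client Frontend EX01,08D2A1,7,192.0.2.10:587,203.0.113.7:50001,<,MAIL FROM:<promo@unknown.example>,
2015-04-30T10:00:03Z,EX01\Client Frontend EX01,08D2A1,9,192.0.2.10:587,203.0.113.7:50001,<,RCPT TO:<a@recipient.example>,
2015-04-30T10:00:03Z,EX01\Client Frontend EX01,08D2A1,11,192.0.2.10:587,203.0.113.7:50001,<,RCPT TO:<b@recipient.example>,
2015-04-30T10:05:00Z,EX01\Default Frontend EX01,08D2A2,3,192.0.2.10:25,198.51.100.9:40000,<,MAIL FROM:<news@partner.example>,
2015-04-30T10:05:01Z,EX01\Default Frontend EX01,08D2A2,5,192.0.2.10:25,198.51.100.9:40000,<,RCPT TO:<jdoe@example.com>,
2015-04-30T10:09:00Z,EX01\Client Frontend EX01,08D2A3,5,192.0.2.10:587,192.0.2.55:50100,*,EXAMPLE\asmith,authenticated
2015-04-30T10:09:01Z,EX01\Client Frontend EX01,08D2A3,7,192.0.2.10:587,192.0.2.55:50100,<,MAIL FROM:<asmith@example.com>,
2015-04-30T10:09:02Z,EX01\Client Frontend EX01,08D2A3,9,192.0.2.10:587,192.0.2.55:50100,<,RCPT TO:<c@partner.example>,
'@ -split '\r?\n'

function Get-AuthenticatedSmtpSender {
    param([string[]]$LogLine)
    $header = 'Time','Connector','SessionId','Seq','Local','Remote','Event','Data','Context'
    $rows = $LogLine | Where-Object { $_ -and $_ -notmatch '^#' } | ConvertFrom-Csv -Header $header
    foreach ($session in ($rows | Group-Object SessionId)) {
        $user = $null; $from = @(); $rcpt = 0
        foreach ($r in $session.Group) {
            if ($r.Event -eq '*' -and $r.Context -eq 'authenticated') { $user = $r.Data }
            elseif ($r.Event -eq '<' -and $r.Data -match '^MAIL FROM:<([^>]*)>') { $from += $Matches[1] }
            elseif ($r.Event -eq '<' -and $r.Data -match '^RCPT TO:') { $rcpt++ }
        }
        if ($user) {   # anonymous sessions have no 'authenticated' line and are skipped
            [pscustomobject]@{
                User         = $user
                RemoteIp     = $session.Group[0].Remote -replace ':\d+$'
                EnvelopeFrom = ($from | Select-Object -Unique) -join ';'
                Recipients   = $rcpt
            }
        }
    }
}

# Per account: session count, total recipients, source IPs and envelope senders used.
Get-AuthenticatedSmtpSender -LogLine $sample | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User         = $_.Name
        Sessions     = $_.Count
        Recipients   = ($_.Group | Measure-Object Recipients -Sum).Sum
        RemoteIps    = ($_.Group.RemoteIp | Select-Object -Unique) -join ';'
        EnvelopeFrom = ($_.Group.EnvelopeFrom | Select-Object -Unique) -join ';'
    }
} | Sort-Object Recipients -Descending
```

For real data, pass the lines read with Get-Content from the receive connector protocol log files instead of $sample; an account with many recipients, an unfamiliar source IP and an envelope sender outside your domains is the one whose password to reset first.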

Hi,

1. Please analyze the message headers of the suspected mail with MxToolbox; from there we can come to know whether the originating IP address of the mail is blacklisted anywhere in the world. If it has been blacklisted, then you need to block the originating IP address and domain suffix on your gateway product.

2. Then the next step would be to check that your gateway product is subscribed to one of the real-time blacklist products.

3. Then make sure your gateway product is doing reverse DNS lookups for all incoming SMTP connections from the external world.

4. Then make sure you have an SPF record for your domain to avoid spoofing of your own domain suffix.



May 2nd, 2015 6:13am

Hi,
According to your post, I notice that some app or virus disguised as users is sending spam messages.
Please make sure to uncheck Anonymous users on each connector, then follow the steps S.Nithyanandham provided and report the results.

Thanks

May 4th, 2015 5:48am

Hi Friends,

Please have a look: https://social.technet.microsoft.com/Forums/office/en-US/8b75d812-abdf-4394-a0f2-b47e234b3e6b/exchange-2013-spam?forum=exchangesvrgeneral&prof=required

I want the answer for this.

June 3rd, 2015 8:16am

This topic is archived. No further replies will be accepted.
