One user sending out mass spam

By ryan1234bishop
Server 2003 running Exchange 2003.
The client has XP running Office 2007.

I have one client sending out about 10 spam messages an hour automatically. No one else who uses that server is having this issue.
I assumed he had some sort of virus on his PC, so I formatted it, but even after the format the spam is still being sent out.

I did multiple scans on the server with Malwarebytes, SUPERAntiSpyware, McAfee and The Cleaner 2011 and found 0 infections on the server.

Has anyone experienced this before, with a spam-sending virus only affecting one user? How do I deal with this if multiple scanners are not picking up any infections?




All Answers


Bunch of questions

by TobiF In reply to One user Sending out mass ...

Are these messages sent via Exchange or SMTP? Do you have any clues in the headers of the messages? Are the outgoing messages saved in the user's "Sent" folder?

It could be a macro in an Office document or template. It could be any application calling a MAPI handle. It could be a funny JavaScript on his favourite site...
(Does he have any web pages constantly open in a browser or gadget?)

Do these mails have so much in common that you can trap them on the server, and maybe automatically alert the user? That could give him a clue as to what kind of activity on his part triggers the sending of a mail.


Answers to bunch of questions

by ryan1234bishop In reply to Bunch of questions

First off thanks for the reply :)

As of right now I don't have the messages in front of me, but from what I saw, the spam was sending out random messages to the client's domain, to e-mail addresses that don't exist.
(For example, the client's email is and the spam is getting sent to and yet there are no Mary or Tom addresses on the Exchange.)

And as for the macro or funny JavaScript: I know it's not client-computer based, because I completely formatted the PC, and when I did his first send/receive after Outlook was reinstalled, spam was coming in dated 2 days ago, when his computer was in my shop getting serviced.

And as for the mail having things in common, I am now getting him to forward me a few so I can take a closer look.



Are you getting delivery failure notifications?

by Kenone In reply to Answers to bunch of quest ...

If that's the case, it's not on your system at all. Someone is just spoofing the user as the sender's address.


You stole my line :)

by TobiF In reply to Are you getting delivery ...

I was thinking about this as well. That's why I asked how he noticed the spam.

All right. Then I'm off to the gym. See ya!


Yes, we are getting failure notifications

by ryan1234bishop In reply to Are you getting delivery ...

The client just sent me some of the spam. Here is an example of one:

From: System Administrator
Sent: Friday, September 10, 2010 3:12 PM
To: James Reid
Subject: Undeliverable: Get your normal hormones level back to your body.
Your message did not reach some or all of the intended recipients.
Subject: Get your normal hormones level back to your body.
Sent: 9/10/2010 3:12 PM
The following recipient(s) cannot be reached: on 9/10/2010 3:12 PM
The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
< #5.1.1>

Note that the account does not exist on the server.


Is it all contained within

by Darryl~ Moderator In reply to Yes we are getting Failur ...

Are you aware of any emails that have been sent to external addresses?

And just another thought on the "spoofing": is there any chance that another computer in the domain is infected and has spoofed his email account?

If your network isn't very big (the website says you only have a staff of 6), then it might be worth scanning all the computers for spyware/viruses.

PS - How are things over on the Rock? My son attends MUN over there; he enjoys NL.


We do have a SonicWall on site

by ryan1234bishop In reply to Is it all contained withi ...

I have a SonicWall on site as their gateway, with gateway AV on it.

I am going to reset the logs and check it Monday.

Thanks for the help, guys.
I am off for the weekend!


Got some data from the SonicWall log

by ryan1234bishop In reply to we do have a sonicwall on ...

I checked my security logs today on the firewall, and an IP spoof keeps getting dropped.

It's coming from an IP that is not even in the DHCP list, and it's going through port 161.


Much more interesting are...

by TobiF In reply to Yes we are getting Failur ...

Much more interesting are the hidden headers. (There you have at least some information that can't be spoofed.)

A typical email message will have a spoofed sender address, may indicate a different recipient than the address it was actually sent to (and, most of all, you shouldn't believe the body text, of course).

The hidden fields may have additional IP addresses added, to make it harder to guess where it really was sent from, but at least you will see which IP address handed the message to the last server. If this IP address is in your network, then you know where to look for an infected computer. If the IP is outside your network, then you can relax a bit.
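Worked example for Kenone's point (delivery failures for mail you never sent mean someone is spoofing the sender) and TobiF's point (the Received: headers show which IP handed the message to your own server). This is an added example, not code from the thread or from any of its participants. It walks the Received: chain of the bounced original attached to an NDR, stops at the first hop that your own server accepted from a host that is not yours, and reports whether that IP is inside or outside your network. The hostnames, the 192.168.1.0/24 range, and the NDR text are constructed assumptions; replace the two constants at the top with your own servers and subnets.

```python
"""
Added example (not from the thread): find the IP that delivered a bounced
message to our own mail server and decide whether the sender was inside the
network (look for an infected host) or outside (spoofed sender; the NDRs
are backscatter and nothing on our side is sending the spam).
"""
import email
import ipaddress
import re
from email import policy

# Assumptions, not from the thread: Received: lines written "by" these hosts
# are trusted, and these ranges are our internal network.
OUR_MTA_HOSTS = {"exchange.example.com", "mailstore.example.com"}
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed NDR template modelled on the bounce quoted in the thread:
# a multipart/report with the bounced original attached as message/rfc822.
# Hostnames, addresses and IPs are invented for the example.
NDR_TEMPLATE = """\
From: System Administrator <postmaster@example.com>
To: James Reid <jreid@example.com>
Subject: Undeliverable: Get your normal hormones level back to your body.
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Your message did not reach some or all of the intended recipients.

--B1
Content-Type: message/rfc822

Received: from exchange.example.com ([192.168.1.5]) by mailstore.example.com
 with ESMTP id X1; Fri, 10 Sep 2010 15:12:00 -0230
Received: from {host} ([{ip}]) by exchange.example.com
 with ESMTP id X0; Fri, 10 Sep 2010 15:11:58 -0230
From: James Reid <jreid@example.com>
To: mary@example.com
Subject: Get your normal hormones level back to your body.

(spam body)

--B1--
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s*(?:\((?P<from_info>[^)]*)\))?.*?\bby\s+(?P<by_host>\S+)",
    re.I,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def make_ndr(host, ip):
    """Build a constructed NDR whose bounced original entered via host/ip."""
    return NDR_TEMPLATE.format(host=host, ip=ip)


def unwrap_bounce(raw):
    """Return the bounced original if the NDR carries one, else the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return msg


def received_hops(msg):
    """Parse Received: headers, newest first (MTAs prepend them)."""
    hops = []
    for hdr in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(hdr))
        m = RECEIVED_RE.search(text)
        if not m:
            continue  # malformed or unusual line; skip rather than guess
        ipm = IP_RE.search(text)
        hops.append({
            "from_host": m["from_host"].lower(),
            "from_ip": ipm.group(1) if ipm else None,
            "by_host": m["by_host"].lower().rstrip(";,"),
        })
    return hops


def handoff_ip(hops):
    """IP that handed the message to our trust boundary, or None."""
    for hop in hops:  # newest first: skip internal server-to-server hops
        if hop["by_host"] in OUR_MTA_HOSTS and hop["from_host"] not in OUR_MTA_HOSTS:
            return hop["from_ip"]
    return None  # no trusted Received: line (e.g. NDR without original headers)


def classify(raw):
    """Return ('internal'|'external'|'unknown', handoff_ip)."""
    ip = handoff_ip(received_hops(unwrap_bounce(raw)))
    if ip is None:
        return ("unknown", None)
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return ("internal", ip)
    return ("external", ip)


if __name__ == "__main__":
    for host, ip in (("mail.spammer-relay.test", "203.0.113.77"),
                     ("ws-jreid.example.com", "192.168.1.42")):
        print(host, ip, "->", classify(make_ndr(host, ip)))
```

The "unknown" result matters in practice: many NDRs, Exchange 2003's included, carry only the original's body or nothing at all, so the Received: chain has to be read from the bounced original (or from the sending server's logs), not from the NDR's own headers, which were written by your own server and always look internal.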


Yeah, and I noticed the

by Darryl~ Moderator In reply to Much more interesting are ...

website has an email form to contact them (email addresses are also listed on the site)... that can cause issues if not set up properly.
