Q

Is one of our e-mail accounts getting spoofed?

I have a user on my network that, even after replacing his computer, keeps sending e-mail to a particular e-mail address and gets a bounce back. The problem is that the e-mail is sent at 2 a.m. or 3 a.m., when the user is home in bed. I have done the regular stuff: scan with Norton Antivirus (and MicroTrend House Call), done all the Microsoft updates, ran Spybot and Ad-Aware and cleaned up all the temporary files and cookies. Any idea how to fix this one?
Before you replace the machine again, take a look at the e-mail header. It is possible that this mail is not coming from the user/machine that is says? In other words, someone may be spoofing the e-mail address. You can identify a spoofed e-mail address by looking for the sender's info in the header for example: Received: from w072.z064001136.chi-il.dsl.cnc.net ([64.1.136.72]). If the IP address is not from one of your mail servers, it could be coming from another user.

If you identify that it is coming from one of your Exchange servers, then you can use a tool like Microsoft Network Monitor (Netmon), or a freeware tool like Ethereal, to capture the traffic being sent and received by this suspect machine. What is nice is that you actually know the time that this occurring, so you know when to monitor the traffic. This will help you identify if it is in fact the machine the mail is coming from, and...

if so, which application is generating this message. Netstat –o can be used to enumerate the processes that have active connections on the machine while the problem is being experienced. Once you have the Process ID (PID) you can use Task Manager to identify the most likely suspects and remove them from the machine. To view a PID, open Task Manager and click on the Processes tab. Open the View menu and select Select Columns. Choose PID Process Identifiers.

If this does nothing for you, you can try to identify the problem at the file system and registry level in real time with the Filemon and Regmon tools from Sysinternals.


Do you have comments on this Ask the Expert question and response? Let us know.
This was first published in February 2005

Dig deeper on Microsoft Exchange Server Performance

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchWindowsServer

SearchEnterpriseDesktop

SearchCloudComputing

SearchSQLServer

Close