Exchange Logs (2003) non-domain addresses as senders

Examining Exchange Logs (2003) I find sender addresses which are not from our domain.

Some are from

<username>@gmail.com

But some are from places like

notifications+vvv4pysz53iuhw (at) zyngamail.com
update+zj4oc9to=j96 (at) facebookmail.com
cialis-soft.order133 (at) sampson-multimedia.com
viagra-pro.online (at) musicaedischi.it

Why is that?
How is that?

They’re not logs of messages sent TO your users?

About 1/3 of recipient addresses from these senders are in my domain.
The other 2/3 of the recipients are predominantly gmail, yahoo, and hotmail, with a sprinkling of various other domains in there.

Which is what is puzzling to me. If the e-mail is from outside my domain and headed outside my domain, why is it on my domain?

Do any of your users have forwarding set up?

Is your mail server an open relay?

Slee

There’re about a dozen accounts of former employees set to forward to current employees.

nope

Maybe you’re looking at From fields, or other fields in the message header? Those can be anything, and have no relation to message origin or delivery. (Only the addresses in the message envelope are used for delivery.)

You could have bogus From fields in incoming spam, or in outgoing email due to spam being forwarded by your users.

I am looking at logs from an Exchange 2003 server.

Here are the titles of the columns in the log:

# Date	Time	client-ip	Client-hostname	Partner-Name	Server-hostname	server-IP	Recipient-Address	Event-ID	MSGID	Priority	Recipient-Report-Status	total-bytes	Number-Recipients	Origination-Time	Encryption	service-Version	Linked-MSGID	Message-Subject	Sender-Address

I am referring to the content of the “Sender-Address” column and the “Recipient-Address” column.

Hope that helps.

yep

I don’t know Exchange, but the fact that it shows both Sender-Address and Recipient-Address suggests to me that it’s merely showing some message header fields, which are easy for a spammer to fake. (The only reliable address, the delivery address in the envelope, has no corresponding reliable sender address.)

This page says the sender address logged is merely the Sender or From field from the message header, regularly spoofed by spammers. But it’s too vague about the recipient address to tell what it really means. So you don’t need to worry about whatever junk appears in the Sender-Address field, at any rate.
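A small added example (not code from the thread or from Exchange) that reads a message tracking log with the column layout posted above and sorts each row by where Sender-Address and Recipient-Address sit relative to the organisation's own domain. The internal domain (example.com), the four sample rows and their Event-ID values are all constructed; the one assumption the classification makes, that a copy forwarded by a local mailbox appears under the same MSGID as the original local delivery, is marked in the code. Because Sender-Address is only the header sender, an external-to-external row is either such a forwarded copy or something that still needs a relay check, which is the distinction the poster is trying to make.

```python
"""Classify Exchange 2003 message tracking log rows by sender/recipient domain.

Added example: the column layout is the one posted in the thread; the sample
rows, the Event-ID values and the domain names are constructed for illustration.
"""
from collections import Counter

# Header line in the shape the thread shows it (leading "# " included).
HEADER = ("# Date\tTime\tclient-ip\tClient-hostname\tPartner-Name\tServer-hostname"
          "\tserver-IP\tRecipient-Address\tEvent-ID\tMSGID\tPriority"
          "\tRecipient-Report-Status\ttotal-bytes\tNumber-Recipients"
          "\tOrigination-Time\tEncryption\tservice-Version\tLinked-MSGID"
          "\tMessage-Subject\tSender-Address")

# Constructed sample rows: 20 tab-separated fields each, "-" where the demo does not care.
SAMPLE_LOG = "\n".join([
    HEADER,
    # external header sender -> local mailbox: ordinary inbound mail
    "2011-1-5\t09:00:01\t10.0.0.5\tMAIL01\t-\tEXCH01\t10.0.0.2\tbob@example.com\t1023\t<m1@x>"
    "\t-\t-\t2048\t1\t-\t-\t-\t-\tYour friend tagged you\tupdate+zj4oc9to=j96@facebookmail.com",
    # same MSGID, now addressed to an external recipient: a local mailbox forwarded it
    "2011-1-5\t09:00:02\t10.0.0.5\tMAIL01\t-\tEXCH01\t10.0.0.2\tbob.home@gmail.com\t1020\t<m1@x>"
    "\t-\t-\t2048\t1\t-\t-\t-\t-\tYour friend tagged you\tupdate+zj4oc9to=j96@facebookmail.com",
    # local sender -> external recipient: ordinary outbound mail
    "2011-1-5\t09:05:00\t10.0.0.7\tAPP02\t-\tEXCH01\t10.0.0.2\tcustomer@yahoo.com\t1020\t<m2@x>"
    "\t-\t-\t512\t1\t-\t-\t-\t-\tInvoice 42\talice@example.com",
    # external -> external with no local delivery under that MSGID: needs a relay check
    "2011-1-5\t09:10:00\t10.0.0.5\tMAIL01\t-\tEXCH01\t10.0.0.2\tvictim@hotmail.com\t1020\t<m3@x>"
    "\t-\t-\t4096\t1\t-\t-\t-\t-\tSpecial offer\tcialis-soft.order133@sampson-multimedia.com",
])


def parse_tracking_log(text):
    """Return one dict per data row, keyed by the header line's column names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    columns = lines[0].lstrip("#").strip().split("\t")
    rows = []
    for ln in lines[1:]:
        fields = ln.split("\t")
        if len(fields) != len(columns):
            continue  # a short or padded line would shift every later column; skip it
        rows.append(dict(zip(columns, fields)))
    return rows


def domain_of(address):
    """Domain part of an address, lower-cased; '' when there is no '@'."""
    address = address.strip().strip("<>").lower()
    return address.rpartition("@")[2] if "@" in address else ""


def classify_rows(rows, internal_domains):
    """Label each row as internal, inbound, outbound, forwarded or unexplained.

    Sender-Address is the message header sender, so it only says what the
    message claimed. An external->external row is therefore either a copy a
    local mailbox forwarded or something that still needs a relay check.
    """
    internal = {d.lower() for d in internal_domains}
    # Assumption for the demo: a forwarded copy keeps the original MSGID, so a
    # local delivery under the same MSGID explains the external->external row.
    delivered_locally = {
        r["MSGID"] for r in rows if domain_of(r["Recipient-Address"]) in internal
    }
    labelled = []
    for r in rows:
        s_in = domain_of(r["Sender-Address"]) in internal
        r_in = domain_of(r["Recipient-Address"]) in internal
        if s_in and r_in:
            label = "internal"
        elif s_in:
            label = "outbound"
        elif r_in:
            label = "inbound"
        elif r["MSGID"] in delivered_locally:
            label = "forwarded"
        else:
            label = "unexplained"
        labelled.append((r["MSGID"], r["Sender-Address"], r["Recipient-Address"], label))
    return labelled


def summarize(text, internal_domains):
    """Count rows per label; 'unexplained' is the bucket worth a relay check."""
    return Counter(label for *_, label in classify_rows(parse_tracking_log(text), internal_domains))


if __name__ == "__main__":
    for msgid, sender, rcpt, label in classify_rows(parse_tracking_log(SAMPLE_LOG), {"example.com"}):
        print(f"{label:11} {msgid:7} {sender} -> {rcpt}")
    print(dict(summarize(SAMPLE_LOG, {"example.com"})))
```

On a real log, feed the file contents to `summarize` with your own domains; a non-empty "unexplained" bucket whose client-ip is not one of your own hosts is the case the open-relay question above is about, while rows that land in "forwarded" line up with the former-employee forwarding the poster mentions.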

I checked via PoSH’s Get-ReceiveConnector
I tested manually via this method:

http://www.spamsoap.com/smtp-open-relay-test/

I used these online testers:

http://www.mailradar.com/openrelay/

Before I replied.
If you know another, better way to check for an open relay, please share.

Are the client IPs your computers?

Yes, they are all from a handful of local servers.

The servers are clients to Exchange? What is generating the mail?

Machines further down the line. They’re CAS, IIRC.
I won’t be back at work to check other logs for days.