Exchange 2k3 Tracking

We have an employee that got a NDR for an email that the employee says she never sent.

In the Exchange tracking it shows that the message was sent with her account but it doesn't show up in her mailbox. No one has permissions to send on her behalf.

I need to find out if the email is getting sent from another system (something using exchange to relay off of). Is there anyway to track an email in Exchange 2003 to show what the origination IP address is? I've used the exchange message tracking and even cracked open the raw logs to no avail.

This one got kicked back and that's how she noticed it. My concern is if any others are getting sent out without us knowing....

Of course a virus is of concern but if I can narrow down what system sent the email to exchange at least I'll know if it's coming from her machine or another server or something like a copier. At least then I'll know where to start looking.

 

Change passwords on all accounts and scan for a virus to begin with. Second set your firewall to only allow emails to originate from the Exchange server IP address and no other IP addresses. If it was her account that sent it and it did originate from your server it would tell you in the email header. Someone is probably just spoofing her email address and she is getting the NDR, happens all the time.

 

This isn't a spoofed message. This is a legit message. I know that it sent out of my exchange server. I can see that. I don't really care about the NDR but that's just how this was found.

The real issue is that this email was sent through my exchange but it wasn't sent through her mailbox. I need to find out if I can see what IP address sent it to the exchange server so I know where (internally) this email came from.

 

You sure the server is not an open relay?