Who is sending emails out of my Exchange?


Dear all, I need your help. In my Send connector log I see that something or somebody is sending emails from one of my addresses, jan.luxemburk@luxemburk.cz, to another address, and this action is not from Jan.

Here is the data from the Send connector log:

2022-05-03T10:11:50.552Z,Internet Connector,08DA155E12177511,0,,78.24.15.102:25,*,SendRoutingHeaders,Set Session Permissions
2022-05-03T10:11:50.552Z,Internet Connector,08DA155E12177511,1,,78.24.15.102:25,*,,attempting to connect
2022-05-03T10:11:50.552Z,Internet Connector,08DA155E12177511,2,192.168.0.16:9601,78.24.15.102:25,+,,
2022-05-03T10:11:50.552Z,Internet Connector,08DA155E12177511,3,192.168.0.16:9601,78.24.15.102:25,<,220 shoptet-mx1.vshosting.cz ESMTP,
2022-05-03T10:11:50.552Z,Internet Connector,08DA155E12177511,4,192.168.0.16:9601,78.24.15.102:25,>,EHLO smtp.buzalka.cz,
2022-05-03T10:11:50.568Z,Internet Connector,08DA155E12177511,5,192.168.0.16:9601,78.24.15.102:25,<,250 shoptet-mx1.vshosting.cz PIPELINING SIZE 102400000 VRFY ETRN STARTTLS ENHANCEDSTATUSCODES 8BITMIME DSN CHUNKING,
2022-05-03T10:11:50.568Z,Internet Connector,08DA155E12177511,6,192.168.0.16:9601,78.24.15.102:25,>,STARTTLS,
2022-05-03T10:11:50.568Z,Internet Connector,08DA155E12177511,7,192.168.0.16:9601,78.24.15.102:25,<,220 2.0.0 Ready to start TLS,
2022-05-03T10:11:50.568Z,Internet Connector,08DA155E12177511,8,192.168.0.16:9601,78.24.15.102:25,*," CN=smtp.buzalka.cz CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB 00B4F1AED42FE011B38EE0C809143753A0 8AB6ADEB1FF87A7F55BC5875635156E3D738E301 2021-10-24T02:00:00.000Z 2022-11-07T00:59:59.000Z smtp.buzalka.cz;autodiscover.buzalka.cz;www.buzalka.cz",Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2022-05-03T10:11:50.599Z,Internet Connector,08DA155E12177511,9,192.168.0.16:9601,78.24.15.102:25,*," CN=*.myshoptet.com CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US 0F9B109B1AF5401D435D5678509690FF 40120E484CFBE297BEC11EC6A486EFCD124DF5A6 2021-09-26T02:00:00.000Z 2022-09-27T01:59:59.000Z *.myshoptet.com;myshoptet.com",Remote certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2022-05-03T10:11:50.599Z,Internet Connector,08DA155E12177511,10,192.168.0.16:9601,78.24.15.102:25,*,,"TLS protocol SP_PROT_TLS1_2_CLIENT negotiation succeeded using bulk encryption algorithm CALG_AES_128 with strength 128 bits, MAC hash algorithm CALG_SHA_256 with strength 256 bits and key exchange algorithm CALG_ECDH_EPHEM with strength 256 bits"
2022-05-03T10:11:50.599Z,Internet Connector,08DA155E12177511,11,192.168.0.16:9601,78.24.15.102:25,*,40120E484CFBE297BEC11EC6A486EFCD124DF5A6,Received certificate Thumbprint
2022-05-03T10:11:50.599Z,Internet Connector,08DA155E12177511,12,192.168.0.16:9601,78.24.15.102:25,>,EHLO smtp.buzalka.cz,
2022-05-03T10:11:50.615Z,Internet Connector,08DA155E12177511,13,192.168.0.16:9601,78.24.15.102:25,<,250 shoptet-mx1.vshosting.cz PIPELINING SIZE 102400000 VRFY ETRN ENHANCEDSTATUSCODES 8BITMIME DSN CHUNKING,
2022-05-03T10:11:50.615Z,Internet Connector,08DA155E12177511,14,192.168.0.16:9601,78.24.15.102:25,*,,sending message with RecordId 95331094102100 and InternetMessageId <eb21960a011a4c359fa1a30a1cfa03fa@luxemburk.cz>
2022-05-03T10:11:50.615Z,Internet Connector,08DA155E12177511,15,192.168.0.16:9601,78.24.15.102:25,>,MAIL FROM:<jan.luxemburk@luxemburk.cz> SIZE=4114 BODY=7BIT,
2022-05-03T10:11:50.615Z,Internet Connector,08DA155E12177511,16,192.168.0.16:9601,78.24.15.102:25,>,RCPT TO:<pavla.horakova@nejlevnejsi-obklady.cz>,
2022-05-03T10:11:50.615Z,Internet Connector,08DA155E12177511,17,192.168.0.16:9601,78.24.15.102:25,<,250 2.1.0 Ok,
2022-05-03T10:11:50.615Z,Internet Connector,08DA155E12177511,18,192.168.0.16:9601,78.24.15.102:25,<,454 4.7.1 <pavla.horakova@nejlevnejsi-obklady.cz>: Relay access denied,
2022-05-03T10:11:50.615Z,Internet Connector,08DA155E12177511,19,192.168.0.16:9601,78.24.15.102:25,>,QUIT,
2022-05-03T10:11:50.631Z,Internet Connector,08DA155E12177511,20,192.168.0.16:9601,78.24.15.102:25,<,221 2.0.0 Bye,
2022-05-03T10:11:50.631Z,Internet Connector,08DA155E12177511,21,192.168.0.16:9601,78.24.15.102:25,-,,Local


Can you advise how I can detect which login, computer or device is doing this? What should my steps for the investigation be?


Many thanks

Vladimir
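Reading the log before investigating (an added note and example, not part of Vladimir's post): the columns of an Exchange Send connector protocol log are date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data and context. The remote endpoint 78.24.15.102:25 is therefore the server Exchange connected to in order to deliver the message (it greets as shoptet-mx1.vshosting.cz), so this log shows only the outbound leg of a message that had already been accepted into your own transport pipeline, and the "454 4.7.1 Relay access denied" is that remote server refusing the recipient, not your server relaying anything. The value that leads back to the origin is the InternetMessageId on sequence line 14, which can be looked up in the message tracking log and the Receive connector logs. The PowerShell below parses Send protocol log lines into one summary object per SMTP session so that sender, recipients, Message-ID and failure reason can be pulled out of many log files at once. The sample data is the session from the post with the certificate and TLS lines left out; the log directory is an assumption (the default SmtpSend location on a Mailbox server).

```powershell
# Added example (not from the original post): summarise Exchange Send connector protocol
# log lines per SMTP session. Column names are the ones Exchange writes in the log's
# '#Fields:' header. $logDir is an assumption (the default SmtpSend log directory).
$fields = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'

# Constructed sample: the session from the question, without the certificate/TLS lines.
$sampleLog = @'
2022-05-03T10:11:50.552Z,Internet Connector,08DA155E12177511,0,,78.24.15.102:25,*,SendRoutingHeaders,Set Session Permissions
2022-05-03T10:11:50.552Z,Internet Connector,08DA155E12177511,1,,78.24.15.102:25,*,,attempting to connect
2022-05-03T10:11:50.552Z,Internet Connector,08DA155E12177511,3,192.168.0.16:9601,78.24.15.102:25,<,220 shoptet-mx1.vshosting.cz ESMTP,
2022-05-03T10:11:50.615Z,Internet Connector,08DA155E12177511,14,192.168.0.16:9601,78.24.15.102:25,*,,sending message with RecordId 95331094102100 and InternetMessageId <eb21960a011a4c359fa1a30a1cfa03fa@luxemburk.cz>
2022-05-03T10:11:50.615Z,Internet Connector,08DA155E12177511,15,192.168.0.16:9601,78.24.15.102:25,>,MAIL FROM:<jan.luxemburk@luxemburk.cz> SIZE=4114 BODY=7BIT,
2022-05-03T10:11:50.615Z,Internet Connector,08DA155E12177511,16,192.168.0.16:9601,78.24.15.102:25,>,RCPT TO:<pavla.horakova@nejlevnejsi-obklady.cz>,
2022-05-03T10:11:50.615Z,Internet Connector,08DA155E12177511,17,192.168.0.16:9601,78.24.15.102:25,<,250 2.1.0 Ok,
2022-05-03T10:11:50.615Z,Internet Connector,08DA155E12177511,18,192.168.0.16:9601,78.24.15.102:25,<,454 4.7.1 <pavla.horakova@nejlevnejsi-obklady.cz>: Relay access denied,
2022-05-03T10:11:50.631Z,Internet Connector,08DA155E12177511,21,192.168.0.16:9601,78.24.15.102:25,-,,Local
'@

function Get-SmtpSendSessionSummary {
    param([Parameter(Mandatory)] [string[]] $Lines)

    # Real log files start with '#Software:', '#Version:', '#Fields:' lines; drop those and blanks.
    $rows = $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $fields

    foreach ($session in ($rows | Group-Object -Property 'session-id')) {
        $r = @($session.Group | Sort-Object { [int]$_.'sequence-number' })

        # Banner of the server we connected to (the destination, not the sender).
        $banner = ($r | Where-Object { $_.event -eq '<' -and $_.data -like '220 *' } | Select-Object -First 1).data

        # Only the first message of the session is summarised; a busy session may carry several.
        $msgLine = ($r | Where-Object { $_.context -like 'sending message*' } | Select-Object -First 1).context
        $msgId    = if ($msgLine -match 'InternetMessageId (<[^>]+>)') { $Matches[1] } else { $null }
        $recordId = if ($msgLine -match 'RecordId (\d+)') { $Matches[1] } else { $null }

        $mailFromLine = ($r | Where-Object { $_.data -like 'MAIL FROM:*' } | Select-Object -First 1).data
        $mailFrom = if ($mailFromLine -match 'MAIL FROM:<([^>]*)>') { $Matches[1] } else { $null }
        $rcptTo = @($r | Where-Object { $_.data -like 'RCPT TO:*' } | ForEach-Object {
                      if ($_.data -match 'RCPT TO:<([^>]*)>') { $Matches[1] } })

        # First 4xx/5xx reply from the remote side is the delivery failure worth reporting.
        $failure = ($r | Where-Object { $_.event -eq '<' -and $_.data -match '^[45]\d\d ' } | Select-Object -First 1).data

        [pscustomobject]@{
            SessionId    = $session.Name
            Connector    = $r[0].'connector-id'
            Started      = $r[0].'date-time'
            RemoteMx     = $r[0].'remote-endpoint'
            RemoteBanner = $banner
            MailFrom     = $mailFrom
            RcptTo       = ($rcptTo -join ';')
            MessageId    = $msgId
            RecordId     = $recordId
            Failure      = $failure
        }
    }
}

# Run over the sample from the question.
Get-SmtpSendSessionSummary -Lines ($sampleLog -split '\r?\n') | Format-List

# On a Mailbox server, run over the real logs (path is an assumption) and list every
# session in which Exchange sent as Jan, oldest first.
if ($env:ExchangeInstallPath) {
    $logDir = Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\Hub\ProtocolLog\SmtpSend'
    $lines  = Get-ChildItem -Path $logDir -Filter *.log | Get-Content
    Get-SmtpSendSessionSummary -Lines $lines |
        Where-Object { $_.MailFrom -eq 'jan.luxemburk@luxemburk.cz' } |
        Sort-Object Started | Format-Table Started, RemoteMx, RcptTo, MessageId, Failure -AutoSize
}
```

For the sample, the summary object has MailFrom jan.luxemburk@luxemburk.cz, RcptTo pavla.horakova@nejlevnejsi-obklady.cz, MessageId <eb21960a011a4c359fa1a30a1cfa03fa@luxemburk.cz> and Failure "454 4.7.1 ... Relay access denied". Across the real log directory the same listing shows how often and to whom the address has been used, which is the timeline to take into the message tracking and Receive connector logs; the MessageId column is the key for that lookup.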


Hello @vladob,

It's Ahmed, and I hope you were able to solve your issue, as it has been a long time!
This reply is a reference for future visitors with this issue!

It appears that someone or something is using your email address to send emails through your Exchange server. We recommend taking the following steps to determine the cause of the issue and prevent it from happening again:

  • Check the IP address of the sender: You can try doing a reverse DNS lookup on the IP address of the sender (78.24.15.102) to see if it belongs to a known server or service. You can also try doing a whois lookup to see if the IP address is associated with a specific organization or provider.

  • Check for unauthorized access to your Exchange server: Check the logs on your Exchange server to see if there are any suspicious logins or activity and check the security settings to ensure that your server is properly configured and protected.

  • Check for compromised email accounts: Check the logs on your Exchange server to see if there are any suspicious logins or activity associated with specific email accounts, and check with the account owners to see if they are aware of any unusual activity.

  • Check for malware or other malicious software: Run a malware scan on your Exchange server and any email accounts that may be affected, and check for any suspicious or unfamiliar files or programs.

  • Check for configuration issues: Review the configuration of your Exchange server and email accounts to ensure that everything is set up correctly and check for any issues that may be causing the problem.

To prevent similar issues from occurring in the future, we recommend implementing strong passwords, keeping your system and software up to date with the latest security patches, and using antivirus software to protect against malware and other threats.

Thanks :)
Ahmed :D
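The steps in the reply, as an added worked example in the Exchange Management Shell (this is not Ahmed's or Microsoft's code). One caveat a practitioner should keep in mind while following the reply: in a Send connector log the remote IP (78.24.15.102) is the destination Exchange delivered to, so the origin of the message has to be found from the point where it entered transport, which the message tracking log records under the same Message-ID. The Message-ID and sender address are the ones from the question; the date window, the log directories, the mailbox identity format and the assumption that Verbose protocol logging was already enabled on the Receive connector are all assumptions.

```powershell
# Added example (not from the reply). Run in the Exchange Management Shell on the
# on-premises Mailbox server. $messageId and $sender come from the Send connector log in
# the question; the date window, paths and mailbox identity format are assumptions.
$messageId = '<eb21960a011a4c359fa1a30a1cfa03fa@luxemburk.cz>'
$sender    = 'jan.luxemburk@luxemburk.cz'
$start     = [datetime]'2022-05-03 00:00'
$end       = [datetime]'2022-05-04 00:00'

# 1. Find where the message entered the transport pipeline. The RECEIVE event's Source
#    says how: SMTP = submitted over a Receive connector (ClientIp/ClientHostname and
#    ConnectorId identify the machine and connector); STOREDRIVER = submitted from a
#    mailbox by a client, in which case SourceContext names the mailbox and client type.
$events = Get-TransportService | Get-MessageTrackingLog -MessageId $messageId -Start $start -End $end -ResultSize Unlimited
$events | Sort-Object Timestamp | Format-Table Timestamp, EventId, Source, ConnectorId, ClientIp,
    ClientHostname, OriginalClientIp, Sender, @{ n = 'Recipients'; e = { $_.Recipients -join ';' } } -AutoSize
$entry = $events | Where-Object { $_.EventId -eq 'RECEIVE' } | Sort-Object Timestamp | Select-Object -First 1
$entry | Format-List Source, SourceContext, ClientIp, ClientHostname, ConnectorId

switch ($entry.Source) {
    'SMTP' {
        # 2a. SMTP submission: the Receive connector protocol log for that client shows whether
        #     the session used AUTH and which account authenticated (assumes Verbose logging
        #     was on). Front End logs cover client submission; Hub logs cover the back end.
        $rcvLogs = @(
            (Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive'),
            (Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive')
        )
        Get-ChildItem -Path $rcvLogs -Filter *.log -ErrorAction SilentlyContinue |
            Select-String -Pattern "$($entry.ClientIp):" -SimpleMatch |
            Where-Object { $_.Line -match 'AUTH |authenticated' } |
            Select-Object -ExpandProperty Line
        # No AUTH at all means the connector let the client relay anonymously: find which ones do.
        Get-ReceiveConnector | Get-ADPermission |
            Where-Object { $_.ExtendedRights -like '*SMTPAcceptAnyRecipient*' } |
            Format-Table Identity, User, IsInherited -AutoSize
    }
    'STOREDRIVER' {
        # 2b. Mailbox client submission (Outlook, OWA, EWS, ActiveSync): mailbox audit logging
        #     records delegate/admin SendAs and SendOnBehalf with client IP and user agent.
        Get-Mailbox $sender | Format-List AuditEnabled, AuditDelegate, AuditAdmin, AuditOwner
        Search-MailboxAuditLog -Identity $sender -LogonTypes Owner,Delegate,Admin -ShowDetails `
            -StartDate $start -EndDate $end -ResultSize 5000 |
            Where-Object { $_.Operation -in 'SendAs','SendOnBehalf','Create','MailboxLogin' } |
            Format-Table LastAccessed, Operation, LogonType, LogonUserDisplayName, ClientIPAddress,
                ClientInfoString -AutoSize
        # If auditing was off, turn it on now so the next attempt is recorded.
        Set-Mailbox $sender -AuditEnabled $true -AuditDelegate SendAs,SendOnBehalf,Create,Update
    }
}

# 3. Who is allowed to send as Jan at all? Anything beyond SELF and known delegates is a lead.
Get-Mailbox $sender | Get-ADPermission | Where-Object {
    $_.ExtendedRights -like '*Send-As*' -and -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF'
} | Format-Table User, ExtendedRights, Deny -AutoSize
Get-Mailbox $sender | Select-Object -ExpandProperty GrantSendOnBehalfTo
Get-MailboxPermission $sender | Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Format-Table User, AccessRights -AutoSize

# 4. Persistence a compromised mailbox typically carries: forwarding and inbox rules.
Get-Mailbox $sender | Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Get-InboxRule -Mailbox $sender | Format-Table Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage -AutoSize
```

How to read the result: a RECEIVE event with Source SMTP and a ClientIp on the internal network with no AUTH in the Receive log points at a device or application (printer, scanner, web app) relaying through an anonymous connector, and the fix is on that connector's RemoteIPRanges and permissions rather than on Jan's account; an authenticated SMTP session or a STOREDRIVER submission from an unexpected ClientIPAddress or ClientInfoString points at stolen credentials, in which case reset the password, clear any Send-As grants and inbox rules you did not create, and re-check the message tracking log for further messages from the same client after the reset.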