Exchange Message Tracking

Today, a customer had a strange problem. An end-user had send a message to 69 recipients with a small attachment (not important in this case). After a couple of minutes the user reported that she and a colleague received dozens of messages all send by the original sender.

She had the message only once in her send items. I checked the recipients in the message and I didn’t find any faults made by the user. The next step was checking Exchange Message Tracking. This reported that the actually has send the email. There was only one strange thing. The original message showed her Display Name and all the other messages showed her email address.

While we were searching for a solution the end user was called by multiple recipients complaining that they received the email 100+ times. So we decided to disable all outbound email. Because we are using SurfControl Email filter as a gateway I created a rule on this server for isolating all messages from that particular email address.

After I disabled all outbound email the flood of messages wouldn’t stop. The queue on the Exchange server didn’t contain any messages from the end user. The gateway’s queue also didn’t contained any messages. So I analyzed the headers of the isolated messages. The headers didn’t contain information about our servers sending the email. The server was only listed as the receiving end server. I asked a friend to take a look at the headers (thanks Jasper) because after a while I was losing all logic due to watching too long. Together we found the source of all evil: the server of one of the recipients. Called the organization and they disabled all outbound email until they will found a proper solution. After a while the flooding stopped.

The thing confused me the most was Exchange Message Tracking, because all the messages appeared in this logs just like the user has send the messages. The reason is pretty simple: if a message arrives at the server Exchange Message Tracking tracks this message in the database. If the email address of the sender is similar of to an email address from of an user, Exchange will record this message as a message send by the user ALSO in the situation that the email address is spoofed.
There’s only one simple solution. Messages send from within the network use the Display Name of the user. In my particular situation the email address was listed. So take a good look in this type of situations.

In my opinion this type of messages shouldn’t be listed in the Message Tracking Log only in a situation that the message is send by a server in his Exchange organization. Just a thing to keep in mind!