You Suspect that a virus/spam message/mass Mailer Originated From Inside Your Organization
search cancel

You Suspect that a virus/spam message/mass Mailer Originated From Inside Your Organization


Article ID: 177143


Updated On:


Mail Security for Microsoft Exchange


You receive alerts that a virus or a spam message or mass mailer originated from an IP address that is under your control. You need to know what to do about the problem.  Your organization may be on a blacklist.


Take the following actions to determine whether the problem originated from your organization:

  • Verify that the computer from which the offended email originated is free of viruses.
  • Verify that the original message did come from an IP address that is under you control.
    For tips to make this determination, see the References section of this page.
  • Make sure that your Exchange server does not function as an open relay.
  • Determine whether your firewall administrator has any logs that include the unauthorized outbound connection on port 25.
  • Restrict outbound SMTP traffic such that only certain machines are allowed to send email out of your environment. The best location to make this restriction would be at a perimeter firewall or switch that all outbound port 25 traffic would pass through. Configure its settings so that only your mail server, SMTP gateway, or mission critical servers that need to SMTP data outbound may do so.


For instructions on how to determine the origin of an email message, see the following Frequently Asked Questions (FAQ) page:

To determine whether your Exchange server is an open relay, read the following Microsoft articles:

Your Windows Help files also contain information to help you enable SMTP logs so that you can track SMTP commands that your SMTP virtual server receives. You can enable these logs to help identify the sources of the messages.