
I have a very bizarre set of circumstances. One of my staff received an e-mail addressed to me from a consultant; however, this consultant would have no idea who this staff member is or what their e-mail address is. I also received the e-mail, but it's quite concerning to me that something like this might happen.

Points worth noting

  • The anti-spam logs do NOT show my colleague getting the mail, but show me getting the mail.
  • The Exchange Tracking Logs show both of us getting it (they are bizarre though - more on that below)
  • This is a lone Exchange server that serves the CAS, HT and MB roles
  • Server is up-to-date with updates and service packs
  • Spam filtering is done with Exchange Server Toolbox V4
  • There are no delegate permissions or forwarding rules on either of our accounts

Below is the scrubbed message tracking log. The peculiar thing is that I am the correct recipient; however, that e-mail arrives one minute after the incorrect one. You'll also note that the two client IPs, client hostnames, server hostnames and return paths are completely different, as if they've come from two different people.

Fields common to all four events:
  MessageId:       <6FC8422858D3E0419323DB54F887D2CC390F0BF9@mbx023-w1-ca-10.exch023.domain.local>
  RecipientCount:  1
  MessageSubject:  RE: Server Down?
  Sender:          sender@domain.com

Timestamp         EventId  InternalMessageId  ClientIp  ClientHostname                ServerIp  ServerHostname  SourceContext                                TotalBytes  ReturnPath
07/09/2013 11:40  RECEIVE  253201             2.2.2.2   different.sending.server.com  10.0.0.7  postmaster      08D04A67B764B4DB;2013-07-09T15:40:26.336Z;0  8882        wrongemail@differentdomain.com
07/09/2013 11:40  DELIVER  253201             (blank)   myserver                      (blank)   MYSERVER        08D04A67B764B4E9;2013-07-09T15:40:54.377Z;0  9212        wrongemail@differentdomain.com
07/09/2013 11:41  RECEIVE  253207             1.1.1.1   correct.sending.server.com    10.0.0.7  postmaster      08D04A67B764B4E2;2013-07-09T15:40:42.088Z;0  9437        sender@domain.com
07/09/2013 11:41  DELIVER  253207             (blank)   myserver                      (blank)   MYSERVER        08D04A67B764B4EF;2013-07-09T15:41:18.790Z;0  9767        sender@domain.com

Does anyone know what might cause this?

EDIT: Sanitized logs of the e-mail sent to my colleague

X-Process: ESTProcessDone
Received: from hub023-ca-3.exch023.serverdata.net (1.1.1.1) by
 myserver.mydomain.com (10.0.0.7) with Microsoft SMTP Server (TLS) id
 14.3.123.3; Tue, 9 Jul 2013 11:40:42 -0400
Received: from MBX023-W1-CA-10.exch023.domain.local ([10.254.8.60]) by
 HUB023-CA-3.exch023.domain.local ([10.254.8.36]) with mapi id 14.03.0123.003;
 Tue, 9 Jul 2013 08:40:41 -0700
From: sender <sender@domain.com>
To: Me <me@mydomain.com>
Subject: RE: Server Down?
Thread-Topic: Server Down?
Thread-Index: Ac58tY3CMo8EMLUTR3OVT6VTqv9MowAApWDwAACb9EA=
Date: Tue, 9 Jul 2013 15:40:41 +0000
Message-ID: <6FC8422858D3E0419323DB54F887D2CC390F0BF9@mbx023-w1-ca-10.exch023.domain.local>
References: <6FC8422858D3E0419323DB54F887D2CC390F0B9B@mbx023-w1-ca-10.exch023.domain.local>
 <DA59270178440942B362BC622B47E790036E3E4C@myserver.mydomain.com>
In-Reply-To: <DA59270178440942B362BC622B47E790036E3E4C@myserver.mydomain.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [3.3.3.3]
Content-Type: multipart/alternative;
                boundary="_000_6FC8422858D3E0419323DB54F887D2CC390F0BF9mbx023w1ca10exc_"
MIME-Version: 1.0
Return-Path: sender@domain.com
X-MS-Exchange-Organization-AuthSource: myserver.mydomain.com
X-MS-Exchange-Organization-AuthAs: Anonymous

EDIT 2:

After reviewing the anti-spam logs, it looks as though my colleague had an e-mail arrive at the exact time the incorrect one was delivered to her. The aforementioned e-mail is from the same person / IP address that shows up as "different.sending.server" and the "2.2.2.2" client IP address.

My colleague never received the e-mail listed above but instead received the one addressed to me.

DKNUCKLES

2 Answers


Occam's Razor: The sender "BCC'd" your co-worker when they emailed you. You don't recall receiving the one sent to yourself.

Signal15

After some very thorough investigation I think I can safely say that we isolated the problem to the anti-spam (Exchange Server Toolbox). The software has been updated and other weird issues that we had experienced with our server seem to have resolved themselves as well.

DKNUCKLES