I am seeing what strikes me as a strange trend in outgoing mail in my organization.

On our Barracuda spam firewall, I noticed in the Top Spam Senders report that our internal Exchange server is by far the top spam sender, but since the report only shows the source IP of the server, I began digging to see which user accounts the spam is actually coming from.

When I filtered the message log to show only messages that were not allowed or whitelisted and that had the source IP of our Exchange server, almost every single one (there are hundreds just in the past day) has nothing at all in the "From" column, the "Subject" column, or the "Size" column. The majority of the destination addresses seem suspect as well (addresses like 1fd2d31a31dcc6@tryfury.net, info=screen-mail.com@mail64.us4.mcsv.net, etc.). If I view the message details for any of these messages, the message, source, and Bayesian data are all empty.

I know that the outgoing messages are being blocked because of the empty sender, as the "Reason" column shows "Sender" for all messages and "Allow Empty Outbound Domain Names" is disabled under Advanced-->Email Protocol. What I do not know is why the messages are being generated in the first place.

What do you all make of this, and what might you suggest as a next step toward getting to the bottom of the issue?

Thanks in advance.

mblasco
  • Use the tracking tools in the Exchange toolbox to search for the suspect recipients and find out the source of the emails. – joeqwerty Jun 15 '16 at 15:45
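As a worked illustration of the tracking-log search joeqwerty suggests, here is an added Exchange Management Shell script (not part of the question or the comment). It assumes it is run on the Exchange server itself, uses the two recipient addresses quoted in the question as the search terms, and treats the 24-hour window and the export path as placeholders. It first looks up the suspect recipients, then pulls every tracking event whose envelope sender is null (shown as `<>` in the tracking log; a null reverse-path is what delivery status notifications use, so a flood of such messages is often bounce traffic rather than mail from a user mailbox), and summarises those events by source so the origin stands out.

```powershell
# Added example, not code from the question or the comment.
# Assumptions: run in the Exchange Management Shell on the Exchange server;
# the two recipients are those quoted in the question; the time window and
# the CSV path are placeholders to adjust.

$start = (Get-Date).AddDays(-1)   # placeholder: last 24 hours
$end   = Get-Date

# 1. Trace the suspect recipients quoted in the question through the tracking log.
$suspectRecipients = @(
    '1fd2d31a31dcc6@tryfury.net',
    'info=screen-mail.com@mail64.us4.mcsv.net'
)
$byRecipient = Get-MessageTrackingLog -Start $start -End $end `
    -Recipients $suspectRecipients -ResultSize Unlimited

$byRecipient |
    Select-Object Timestamp, EventId, Source, SourceContext, ConnectorId,
                  ClientIp, Sender, MessageSubject |
    Format-Table -AutoSize

# 2. Collect every event with a null envelope sender. The tracking log records
#    a null reverse-path as "<>"; the IsNullOrEmpty check is a belt-and-braces
#    guard in case a cmdlet version leaves the field blank instead.
$emptySender = Get-MessageTrackingLog -Start $start -End $end -ResultSize Unlimited |
    Where-Object { $_.Sender -eq '<>' -or [string]::IsNullOrEmpty($_.Sender) }

# 3. Summarise where the empty-sender traffic comes from and what kind of event it is.
#    A large "DSN" count points at bounces being generated by the server;
#    a large "RECEIVE" count from a particular ClientIp points at a submitting host.
$emptySender |
    Group-Object EventId, Source, SourceContext, ConnectorId |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 4. Export the DSN events for closer inspection. For a DSN event the Reference
#    field links back to the message that triggered the bounce, so it can be used
#    to find out what was originally sent (and by whom) that produced the bounce.
$emptySender |
    Where-Object { $_.EventId -eq 'DSN' } |
    Select-Object Timestamp, Sender, Recipients, Reference, MessageId,
                  MessageSubject, ClientIp, ServerHostname |
    Export-Csv -Path 'C:\temp\empty-sender-dsn.csv' -NoTypeInformation   # placeholder path
```

The grouping in step 3 is the part that answers "where is this coming from": if the events are DSNs generated by the Exchange server, the Reference values from step 4 identify the inbound messages that provoked them; if they are RECEIVE or SUBMIT events, the ClientIp and SourceContext columns name the host or mailbox that handed the message to Exchange.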

0 Answers