I'd like to find out which machine it is. Every machine should have AV on it; could be something new, a script somewhere, or maybe a RAS connected machine. The outgoing emails weren't flagged as infected by Scanmail, so it doesn't appear to be trying to replicate/spread.
-----Original Message-----
From: Schwartz, Jim [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 28, 2002 4:03 PM
To: MS-Exchange Admin Issues
Subject: RE: logging/tracing machine connection?

If it is a shared mailbox then it is easily possible that more than one workstation has been infected. Go clean them all.

-----Original Message-----
From: Bunting, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 28, 2002 3:53 PM
To: MS-Exchange Admin Issues
Subject: RE: logging/tracing machine connection?

Exchange doesn't log IPs unless it is SMTP, does it? I think this is using MAPI. Let me explain further: the message is being sent to our internal Exchange server, which then kicks it over to another Exchange server which runs the Internet Mail Service. I know how to turn on SMTP logging, but it is being transferred via the MTA. I thought maybe logging X.400 might do it, but I've found very little info on what all the different logging categories track. This is Exchange 5.5SP4, btw.

-----Original Message-----
From: Kevin Miller [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 28, 2002 3:42 PM
To: MS-Exchange Admin Issues
Subject: RE: logging/tracing machine connection?

If you can get a header from one of the messages you can get the IP.

--Kevinm
KMAP-SR, M, WLKMMAS, UCC+WCA, And Beyond
http://www.daughtry.ca/
For Graphics and WebDesign, GO here!

-----Original Message-----
From: Jeff Bunting [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 28, 2002 12:39 PM
To: MS-Exchange Admin Issues
Subject: logging/tracing machine connection?

I think I have an infected machine somewhere that is sending out emails through our Exchange server. I've blocked the mailbox from sending via the IMS, but would like to trace which machine is sending them. The mailbox is a general shared one, so there are several people who have permission to it. Is there a logging option I can turn on (MTA maybe?) that will let me see which machine/user is sending a message from a particular address?
I'm afraid a general catch-all log will be very large. Since I blocked the address, the attempts have become infrequent.

List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm