To follow up, there was no virus and no need to clean machines, just an auto-reply rule causing the problem. Seems some smartass found a couple of servers that auto-reply and submitted these addresses to this mailbox where someone had set up an auto-reply "thanks for your submission" message.
I still would be interested in knowing how to trace a connection like this. Probably wouldn't work as well for a rule, but what if someone was running a script to auto email? Are there any good references around for what info the various logging levels log?

Jeff

-----Original Message-----
From: Bunting, Jeff
Sent: Tuesday, May 28, 2002 4:18 PM
To: MS-Exchange Admin Issues
Subject: RE: logging/tracing machine connection?

I'd like to find out which machine it is. Every machine should have AV on it; could be something new, a script somewhere, or maybe a RAS connected machine. The outgoing emails weren't flagged as infected by Scanmail, so it doesn't appear to be trying to replicate/spread.

-----Original Message-----
From: Schwartz, Jim [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 28, 2002 4:03 PM
To: MS-Exchange Admin Issues
Subject: RE: logging/tracing machine connection?

If it is a shared mailbox then it is easily possible that more than one workstation has been infected. Go clean them all.

-----Original Message-----
From: Bunting, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 28, 2002 3:53 PM
To: MS-Exchange Admin Issues
Subject: RE: logging/tracing machine connection?

Exchange doesn't log IPs unless it is SMTP, does it? I think this is using MAPI. Let me explain further: the message is being sent to our internal exchange server which then kicks it over to another exchange server which runs the internet mail service. I know how to turn on smtp logging, but it is being transferred via the MTA. I thought maybe logging X.400 might do it, but I've found very little info on what all the different logging categories track. This is Exchange 5.5SP4 btw.

-----Original Message-----
From: Kevin Miller [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 28, 2002 3:42 PM
To: MS-Exchange Admin Issues
Subject: RE: logging/tracing machine connection?

If you can get a header from one of the messages you can get the IP.
--Kevinm
KMAP-SR, M, WLKMMAS, UCC+WCA, And Beyond
http://www.daughtry.ca/
For Graphics and WebDesign, GO here!

-----Original Message-----
From: Jeff Bunting [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 28, 2002 12:39 PM
To: MS-Exchange Admin Issues
Subject: logging/tracing machine connection?

I think I have an infected machine somewhere that is sending out emails through our exchange server. I've blocked the mailbox from sending via the IMS, but would like to trace which machine is sending them. The mailbox is a general shared one, so there are several people who have permission to it. Is there a logging option I can turn on (MTA maybe?) that will let me see which machine/user is sending a message from a particular address? I'm afraid a general catch-all log will be very large. Since I blocked the address, the attempts have become infrequent.

List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm