Can you find the logons in your server's IIS logs? I'm guessing they are going to show a lot of activity if it came through via OWA.
-Bonnie -----Original Message----- From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Wednesday, July 22, 2009 6:08 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Thanks to all for the suggestions. I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password. Looks like the phishers have a script that runs against owa and sends out all the spam. The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they been through security training(twice) that addresses this exact issue. Oh well, job security. One last question. Is it possible to tell if the email were dumped into the exchange server via owa or an outlook client. I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA. -----Original Message----- From: Jason Gurtz [mailto:jasongu...@npumail.com] Sent: Tuesday, July 21, 2009 3:49 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking > When I reset the password on the two accounts that were sending all the > spam, it stopped and hasn’t returned so the only conclusion I’ve come up > with is that these two accounts got their password stolen, and then some > script or bot accessed their OWA account and sent all the spam. > > Does that sound possible/logical? Sounds like the users where phished and from what I've heard, this is very common at edu's. You might want to check out installing something like Untangle which has an anti-phishing filter <http://www.untangle.com/> in front of your mail server(s). If you're motivated enough to install a Linux based mail gateway you may be able to use this nifty scanning software called Kochi which actually tries to authenticate to your AD: <http://oss.lboro.ac.uk/kochi1.html> I guess there's some client based tools too to stem the flow of passwords through the browser, check out the Wikipedia article for a list of things to try: http://en.wikipedia.org/wiki/Anti-phishing_software ~JasonG
