Look at my reply to you.  All the strange code is in the quoted
message I replied to.

--
ME2



On Wed, Jul 22, 2009 at 2:45 PM, <pramatow...@mediageneral.com> wrote:
> Outlook 2007SP2
> Exchange 2003SP2
> Message was sent in plain text
>
> Where you are seeing strange code
>
> The top line was a path slash slash server slash windows slash system32 slash 
> logfiles  slash w3svc1
> Next line was asterisk blinks asterisk
> Next line after I hope so was three periods
> Next line after Me was a spacedash
>
> Beats the heck out of me why it apostrophe s is being rendered that way to 
> you guys comma I have never seen this before period
>
> Putting this here so as not to chance adding another message of doom to the 
> list comma I said grep because I used a program called Windows Grep to pull 
> out the relevant bits from a massive log file smile
>
>
> -----Original Message-----
> From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> Sent: Wednesday, July 22, 2009 2:22 PM
> To: MS-Exchange Admin Issues
> Subject: Re: 2k3 message tracking-Resolved
>
> What are you using for a mailer?  I'd love to know what makes these
> fantastic codes I keep seeing.
>
> --
> ME2
>
>
>
> On Wed, Jul 22, 2009 at 2:00 PM, <pramatow...@mediageneral.com> wrote:
>> I've grepped out a bit of a log file from my 
>> +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 
>> directory
>>
>> I can send you- My OWA session Logging on, creating and sending a message 
>> and logging off.
>> Let me know if it's ok to send to your vhcc.edu address.
>>
>> +ACo-blinks+ACo-
>>
>> neat and clear manner?    I hope so+ICY-
>> without HUGE sigs and disclaimers?   Check.
>> Graphics and other unnecessary additions? Check
>>
>> Me +IBM-
>> list noob? Yep, been here for all of two months tomorrow.
>> see inline graphics before?  Yep.
>> See complaints about inline graphics before today? Nope but duly noted.
>>
>> reasonably spell checked?  Check
>> grammatically correct  Nope.
>>
>>
>>
>>
>> -----Original Message-----
>> From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0-
>> Sent: Wednesday, July 22, 2009 11:07 AM
>> To: MS-Exchange Admin Issues
>> Subject: RE: 2k3 message tracking-Resolved
>>
>> I don't see anything referencing logins in the iis logs.  Anyone care to 
>> share what it looks like so I know what I'm searching for?
>> Maybe I don't have the logging configured correctly or am not looking for 
>> the right thing.
>> All I see in the log is the get, search and propfind and search verbs.
>>
>> -----Original Message-----
>> From: Miller Bonnie L. +AFs-mailto:millerbl+AEA-mukilteo.wednet.edu+AF0-
>> Sent: Wednesday, July 22, 2009 9:48 AM
>> To: MS-Exchange Admin Issues
>> Subject: RE: 2k3 message tracking-Resolved
>>
>> Can you find the logons in your server's IIS logs?  I'm guessing they are 
>> going to show a lot of activity if it came through via OWA.
>>
>> -Bonnie
>>
>> -----Original Message-----
>> From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0-
>> Sent: Wednesday, July 22, 2009 6:08 AM
>> To: MS-Exchange Admin Issues
>> Subject: RE: 2k3 message tracking-Resolved
>>
>> Thanks to all for the suggestions.
>> I finally had time to work on this more and found where the two users had 
>> replied to phishing emails, provided their user name and password.
>> Looks like the phishers have a script that runs against owa and sends out 
>> all the spam.
>> The guilty users are being dealt with by their supervisors.  I suggested a 
>> clue-by-four upside the head as they have been through security training 
>> (twice) that addresses this exact issue.
>> Oh well, job security.
>> One last question.
>> Is it possible to tell if the emails were dumped into the exchange server 
>> via owa or an outlook client?
>> I'm not seeing any reference to Outlook in the messages so I'm leaning 
>> towards OWA.
>>
>> -----Original Message-----
>> From: Jason Gurtz +AFs-mailto:jasongurtz+AEA-npumail.com+AF0-
>> Sent: Tuesday, July 21, 2009 3:49 PM
>> To: MS-Exchange Admin Issues
>> Subject: RE: 2k3 message tracking
>>
>> +AD4- When I reset the password on the two accounts that were sending all the
>> +AD4- spam, it stopped and hasn+IBk-t returned so the only conclusion 
>> I+IBk-ve come up
>> +AD4- with is that these two accounts got their password stolen, and then 
>> some
>> +AD4- script or bot accessed their OWA account and sent all the spam.
>> +AD4-
>> +AD4- Does that sound possible/logical?
>>
>> Sounds like the users were phished and from what I've heard, this is very
>> common at edu's.  You might want to check out installing something like
>> Untangle which has an anti-phishing filter 
>> +ADw-http://www.untangle.com/+AD4- in
>> front of your mail server(s).
>>
>> If you're motivated enough to install a Linux based mail gateway you may be
>> able to use this nifty scanning software called Kochi which actually tries
>> to authenticate to your AD:
>> +ADw-http://oss.lboro.ac.uk/kochi1.html+AD4-
>>
>> I guess there's some client based tools too to stem the flow of passwords
>> through the browser, check out the Wikipedia article for a list of things
>> to try: http://en.wikipedia.org/wiki/Anti-phishing+AF8-software
>>
>> +AH4-JasonG
>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>
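
Added example, not part of the thread and not code from any poster: the "strange code" in the quoted message is text in UTF-7 (RFC 2152) displayed without being decoded, and the sketch below decodes those runs and shows why logs or mail should be normalised before searching them for an address or path. The function names decode_utf7_runs and find_lines are illustrative choices; the sample lines are copied from the quoted message above.

```python
import re

# One UTF-7 shifted run (RFC 2152): '+', modified-base64 characters, then '-'.
# The empty run "+-" is the escape for a literal plus sign.
SHIFT_RUN = re.compile(r"\+[A-Za-z0-9+/]*-")


def decode_utf7_runs(text):
    """Decode every UTF-7 shifted run in text and leave everything else alone."""
    def repl(match):
        run = match.group(0)
        try:
            return run.encode("ascii").decode("utf-7")
        except UnicodeDecodeError:
            return run  # looks like a run but is not valid UTF-7: keep as written
    return SHIFT_RUN.sub(repl, text)


def find_lines(needle, lines, normalise=True):
    """Return the lines containing needle, optionally decoding UTF-7 runs first."""
    hits = []
    for line in lines:
        haystack = decode_utf7_runs(line) if normalise else line
        if needle.lower() in haystack.lower():
            hits.append(line)
    return hits


# Lines copied from the quoted message on this page.
QUOTED = [
    "+AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1",
    "+ACo-blinks+ACo-",
    "neat and clear manner?    I hope so+ICY-",
    "Me +IBM-",
    "From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0-",
]

if __name__ == "__main__":
    for line in QUOTED:
        print(f"{line!r}\n  -> {decode_utf7_runs(line)!r}")
    # A plain substring search misses the address until the text is decoded.
    print(find_lines("gjohnson@vhcc.edu", QUOTED, normalise=False))
    print(find_lines("gjohnson@vhcc.edu", QUOTED))
```

The decoded results match what the sender spelled out by hand: backslashes in the path, asterisks around "blinks", an ellipsis after "I hope so" and a dash after "Me".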

