Yup, grep is quite a tool if not meaningfully named - like vi - at least tail gives you a clue.
________________________________ From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 12:10 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep is. Never heard of this Windows Grep......off to Google to have a look at it. On Wed, Jul 22, 2009 at 1:45 PM, <pramatow...@mediageneral.com> wrote: Outlook 2007SP2 Exchange 2003SP2 Message was sent in plain text Where you are seeing strange code The top line was a path slash slash server slash windows slash system32 slash logfiles slash w3svc1 Next line was asterisk blinks asterisk Next line after I hope so was three periods Next line after Me was a spacedash Beats the heck out of me why it apostrophe s is being rendered that way to you guys comma I have never seen this before period Putting this here so as not to chance adding another message of doom to the list comma I said grep because I used a program called Windows Grep to pull out the relevant bits from a massive log file smile -----Original Message----- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Wednesday, July 22, 2009 2:22 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved What are you using for a mailer? I'd love to know what makes these fantastic codes I keep seeing. -- ME2 On Wed, Jul 22, 2009 at 2:00 PM, <pramatow...@mediageneral.com> wrote: > I've grepped out a bit of a log file from my +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 directory > > I can send you- My OWA session Logging on, creating and sending a message and logging off. > Let me know if it's ok to send to your vhcc.edu address. > > +ACo-blinks+ACo- > > neat and clear manner? I hope so+ICY- > without HUGE sigs and disclaimers? Check. > Graphics and other unnecessary additions? Check > > Me +IBM- > list noob? Yep, been here for all of two months tomorrow. > see inline graphics before? Yep. > See complaints about inline graphics before today? Nope but duly noted. > > reasonably spell checked? Check > grammatically correct Nope. > > > > > -----Original Message----- > From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- <mailto:gjohnson%2BAEA-vhcc.edu%2BAF0-> > Sent: Wednesday, July 22, 2009 11:07 AM > To: MS-Exchange Admin Issues > Subject: RE: 2k3 message tracking-Resolved > > I don't see anything referencing logins in the iis logs. Anyone care to share what it looks like so I know what I'm searching for? > Maybe I don't have the logging configured correctly or am not looking for the right thing. > All I see in the log is the get, search and propfind and search verbs. > > -----Original Message----- > From: Miller Bonnie L. +AFs-mailto:millerbl+AEA-mukilteo.wednet.edu+AF0- <mailto:millerbl%2BAEA-mukilteo.wednet.edu%2BAF0-> > Sent: Wednesday, July 22, 2009 9:48 AM > To: MS-Exchange Admin Issues > Subject: RE: 2k3 message tracking-Resolved > > Can you find the logons in your server's IIS logs? I'm guessing they are going to show a lot of activity if it came through via OWA. > > -Bonnie > > -----Original Message----- > From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- <mailto:gjohnson%2BAEA-vhcc.edu%2BAF0-> > Sent: Wednesday, July 22, 2009 6:08 AM > To: MS-Exchange Admin Issues > Subject: RE: 2k3 message tracking-Resolved > > Thanks to all for the suggestions. > I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password. > Looks like the phishers have a script that runs against owa and sends out all the spam. > The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they been through security training(twice) that addresses this exact issue. > Oh well, job security. > One last question. > Is it possible to tell if the email were dumped into the exchange server via owa or an outlook client. > I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA. > > -----Original Message----- > From: Jason Gurtz +AFs-mailto:jasongurtz+AEA-npumail.com+AF0- <mailto:jasongurtz%2BAEA-npumail.com%2BAF0-> > Sent: Tuesday, July 21, 2009 3:49 PM > To: MS-Exchange Admin Issues > Subject: RE: 2k3 message tracking > > +AD4- When I reset the password on the two accounts that were sending all the > +AD4- spam, it stopped and hasn+IBk-t returned so the only conclusion I+IBk-ve come up > +AD4- with is that these two accounts got their password stolen, and then some > +AD4- script or bot accessed their OWA account and sent all the spam. > +AD4- > +AD4- Does that sound possible/logical? > > Sounds like the users where phished and from what I've heard, this is very > common at edu's. You might want to check out installing something like > Untangle which has an anti-phishing filter +ADw-http://www.untangle.com/+AD4- in > front of your mail server(s). > > If you're motivated enough to install a Linux based mail gateway you may > be > able to use this nifty scanning software called Kochi which actually tries > to authenticate to your AD: > +ADw-http://oss.lboro.ac.uk/kochi1.html+AD4- > > I guess there's some client based tools too to stem the flow of passwords > through the browser, check out the Wikipedia article for a list of things > to > try: http://en.wikipedia.org/wiki/Anti-phishing+AF8-software > > +AH4-JasonG > > > > > > > -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke Sent from Haslet, TX, United States
