You don't need grep.

You've got PowerShell, and Select-String.

________________________________
From: Sherry Abercrombie [mailto:[email protected]]
Sent: Wednesday, July 22, 2009 2:10 PM
To: MS-Exchange Admin Issues
Subject: Re: 2k3 message tracking-Resolved

LOL, well, usually only someone with *nix experience would even use the word 
grep because most windows admins have no clue what grep is.  Never heard of 
this Windows Grep......off to Google to have a look at it.

On Wed, Jul 22, 2009 at 1:45 PM, <[email protected]> wrote:

Outlook 2007SP2
Exchange 2003SP2
Message was sent in plain text

Where you are seeing strange code

The top line was a path slash slash server slash windows slash system32 slash 
logfiles  slash w3svc1
Next line was asterisk blinks asterisk
Next line after I hope so was three periods
Next line after Me was a spacedash

Beats the heck out of me why it apostrophe s is being rendered that way to you 
guys comma I have never seen this before period

Putting this here so as not to chance adding another message of doom to the 
list comma I said grep because I used a program called Windows Grep to pull out 
the relevant bits from a massive log file smile


-----Original Message-----
From: Micheal Espinola Jr [mailto:[email protected]]
Sent: Wednesday, July 22, 2009 2:22 PM
To: MS-Exchange Admin Issues
Subject: Re: 2k3 message tracking-Resolved

What are you using for a mailer?  I'd love to know what makes these
fantastic codes I keep seeing.

--
ME2



On Wed, Jul 22, 2009 at 2:00 PM, <[email protected]> wrote:
> I've grepped out a bit of a log file from my 
> +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 
> directory
>
> I can send you- My OWA session Logging on, creating and sending a message and 
> logging off.
> Let me know if it's ok to send to your vhcc.edu address.
>
> +ACo-blinks+ACo-
>
> neat and clear manner?    I hope so+ICY-
> without HUGE sigs and disclaimers?   Check.
> Graphics and other unnecessary additions? Check
>
> Me +IBM-
> list noob? Yep, been here for all of two months tomorrow.
> see inline graphics before?  Yep.
> See complaints about inline graphics before today? Nope but duly noted.
>
> reasonably spell checked?  Check
> grammatically correct  Nope.
>
>
>
>
> -----Original Message-----
> From: Glen Johnson [mailto:gjohnson@vhcc.edu]
> Sent: Wednesday, July 22, 2009 11:07 AM
> To: MS-Exchange Admin Issues
> Subject: RE: 2k3 message tracking-Resolved
>
> I don't see anything referencing logins in the iis logs.  Anyone care to 
> share what it looks like so I know what I'm searching for?
> Maybe I don't have the logging configured correctly or am not looking for the 
> right thing.
> All I see in the log is the get, search and propfind and search verbs.
>
> -----Original Message-----
> From: Miller Bonnie L. [mailto:millerbl@mukilteo.wednet.edu]
> Sent: Wednesday, July 22, 2009 9:48 AM
> To: MS-Exchange Admin Issues
> Subject: RE: 2k3 message tracking-Resolved
>
> Can you find the logons in your server's IIS logs?  I'm guessing they are 
> going to show a lot of activity if it came through via OWA.
>
> -Bonnie
>
> -----Original Message-----
> From: Glen Johnson [mailto:gjohnson@vhcc.edu]
> Sent: Wednesday, July 22, 2009 6:08 AM
> To: MS-Exchange Admin Issues
> Subject: RE: 2k3 message tracking-Resolved
>
> Thanks to all for the suggestions.
> I finally had time to work on this more and found where the two users had 
> replied to phishing emails, provided their user name and password.
> Looks like the phishers have a script that runs against OWA and sends out all 
> the spam.
> The guilty users are being dealt with by their supervisors.  I suggested a 
> clue-by-four upside the head as they've been through security training (twice) 
> that addresses this exact issue.
> Oh well, job security.
> One last question.
> Is it possible to tell if the emails were dumped into the Exchange server via 
> OWA or an Outlook client?
> I'm not seeing any reference to Outlook in the messages so I'm leaning 
> towards OWA.
>
> -----Original Message-----
> From: Jason Gurtz [mailto:jasongurtz@npumail.com]
> Sent: Tuesday, July 21, 2009 3:49 PM
> To: MS-Exchange Admin Issues
> Subject: RE: 2k3 message tracking
>
> > When I reset the password on the two accounts that were sending all the
> > spam, it stopped and hasn't returned so the only conclusion I've come up
> > with is that these two accounts got their password stolen, and then some
> > script or bot accessed their OWA account and sent all the spam.
> >
> > Does that sound possible/logical?
>
> Sounds like the users were phished and from what I've heard, this is very
> common at edu's.  You might want to check out installing something like
> Untangle which has an anti-phishing filter <http://www.untangle.com/> in
> front of your mail server(s).
>
> If you're motivated enough to install a Linux based mail gateway you may be
> able to use this nifty scanning software called Kochi which actually tries
> to authenticate to your AD:
> <http://oss.lboro.ac.uk/kochi1.html>
>
> I guess there's some client based tools too to stem the flow of passwords
> through the browser, check out the Wikipedia article for a list of things to
> try: http://en.wikipedia.org/wiki/Anti-phishing_software
>
> ~JasonG
>
>
>
>
>
>
>






--
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic."
Arthur C. Clarke
Sent from Haslet, TX, United States
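
The Select-String suggestion at the top of this thread, applied to the kind of IIS W3SVC1 log the thread discusses, as an added example that is not part of any list member's message: it pulls the /exchange/ requests out of a W3C log and counts them per cs-username and client IP. The log lines, the EXAMPLE domain, the addresses, the /exchange/ virtual directory and the reading of POST volume as sending activity are assumptions constructed for illustration.

```powershell
# Constructed sample in IIS W3C extended format; hosts, users and IPs are invented.
$log = Join-Path ([IO.Path]::GetTempPath()) 'owa-sample.log'
@'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2009-07-22 13:01:10 GET /exchange/ - 192.0.2.10 401
2009-07-22 13:01:11 GET /exchange/ EXAMPLE\alice 192.0.2.10 200
2009-07-22 13:01:15 PROPFIND /exchange/alice/Inbox/ EXAMPLE\alice 192.0.2.10 207
2009-07-22 13:02:00 POST /exchange/bob/Drafts/ EXAMPLE\bob 203.0.113.7 200
2009-07-22 13:02:01 POST /exchange/bob/Drafts/ EXAMPLE\bob 203.0.113.7 200
2009-07-22 13:02:02 POST /exchange/bob/Drafts/ EXAMPLE\bob 203.0.113.7 200
2009-07-22 13:02:30 GET /iisstart.htm - 198.51.100.4 200
'@ | Set-Content -Path $log -Encoding ASCII

# Read the column order from the last #Fields directive rather than hard-coding it,
# because each site logs whichever fields its administrator selected.
$header = Select-String -Path $log -Pattern '^#Fields: ' | Select-Object -Last 1
$fields = ($header.Line -replace '^#Fields: ', '').Trim() -split ' '

# The grep step: keep only data lines that touch the /exchange/ virtual directory.
# IIS writes spaces inside logged values as '+', so splitting on a space is safe.
$hits = Select-String -Path $log -Pattern '^[^#].* /exchange/' |
    ForEach-Object {
        $values = $_.Line -split ' '
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }

# Summarise authenticated activity per account and client address.
# Treating POST volume as a sign of sending is an assumption of this example.
$summary = $hits |
    Where-Object { $_.'cs-username' -ne '-' } |
    Group-Object -Property 'cs-username', 'c-ip' |
    ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Group[0].'cs-username'
            ClientIP = $_.Group[0].'c-ip'
            Requests = $_.Count
            Posts    = @($_.Group | Where-Object { $_.'cs-method' -eq 'POST' }).Count
        }
    } | Sort-Object Posts -Descending

$summary | Format-Table -AutoSize
Remove-Item $log
```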