Wouldn't the "with mapi" bit from the header provided earlier likely indicate that was the case?
Received: from Exchange-Core.taylor.k12.fl.us ([2002:96b0:25ac::96b0:25ac]) by Exchange-Core.taylor.k12.fl.us ([2002:96b0:25ac::96b0:25ac]) with mapi

On Wed, Jun 16, 2010 at 9:54 AM, John Hornbuckle <[email protected]> wrote:
> This is a possibility--and I'm open to all possibilities--but it seems
> unlikely that this originated from inside our network.
>
> The user whose account this came from only accesses the network internally
> from one machine, and that machine has been turned off for days. One of my
> techs called her this morning, and she said she had been accessing her mail
> via OWA from an outside machine. She also said she got some weird message
> about her password, and had to reenter it (I know that's vague).
>
> So I'm trying to determine if it's possible that from the outside, her
> account was compromised and an external spam system was able to route mail
> through our servers by using her username and password...
>
> -----Original Message-----
> From: Oz Casey Dedeal [mailto:[email protected]]
> Sent: Wednesday, June 16, 2010 9:35 AM
> To: MS-Exchange Admin Issues
> Subject: Re: Tracking Down Spam Source
>
> I would fire up a sniffer (Wireshark etc.) or look at firewall logs to see
> who is generating the most traffic or eating up your bandwidth, and start
> taking these clients offline and dealing with them. You might be dealing with
> a workstation or something of that kind that has an e-mail worm blasting it out?
>
> Also it is good to ask yourself why your server AV/spam engine did not
> catch these and alert you (assuming you have decent AV/spam protection as
> the first line of defense and are not letting Postini do all the work for
> inbound and outbound SMTP traffic; if not, you can ignore this part).
>
> Good luck
> Ocd
>
> On 6/16/10, Chris <[email protected]> wrote:
> > John,
> >
> > Do you have a firewall in place that you can log all SMTP traffic?
> > There is a chance that the spam email *might* not be going through the
> > Exchange server.
> >
> > Chris
> >
> > On Wed, Jun 16, 2010 at 7:44 AM, John Hornbuckle <[email protected]> wrote:
> >> I’m ashamed to say that for the first time ever, spam has been
> >> generated from my network. All of our outbound mail is routed through
> >> Google / Postini, and they cut us off last night after detecting it. I’m
> >> mortified.
> >>
> >> What I’m needing help with is tracking down the source. I can see who
> >> the message claims to be from, and Postini tech support thinks her
> >> account really is the source (I assumed the “From:” address had been
> >> forged). But even if her account really is the source, I need to know
> >> what machine generated the traffic so that I can see what’s running on
> >> it.
> >>
> >> To be honest, I’m not sure how to do that. My weakness with Exchange
> >> is showing. I thought maybe the message tracking tool, which I’ve
> >> used to find some of the messages, but I can’t see the originating IP
> >> address in there.
> >> Some of the entries say “2002:96b0:25ac::96b0:25ac” for the ClientIP.
> >> I don’t know what that is.
> >>
> >> Any pointers?
> >>
> >> John Hornbuckle
> >> MIS Department
> >> Taylor County School District
> >> www.taylor.k12.fl.us
> >>
> >> NOTICE: Florida has a broad public records law. Most written
> >> communications to or from this entity are public records that will be
> >> disclosed to the public and the media upon request. E-mail
> >> communications may be subject to public disclosure.
>
> --
> Sent from my mobile device
>
> Oz Casey Dedeal
> Systems Engineer
> MVP (Exchange)
> MCITP (EMA), MCITP (EA), MCITP (SA), MCSE 2003 | M+ | S+ | MCDST |
> Security+ | Project+ | Server+
> http://smtp25.blogspot.com (Blog)
> http://telnet25.wordpress.com (Blog)
> http://telnet25.spaces.live.com (Blog)
> [email protected]
> https://www.mcpvirtualbusinesscard.com/VBCServer/Odedeal/interactivecard
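Two things in the thread above are worth checking mechanically rather than by eye, and the script below is an added example for that (not code from any participant or from Exchange). First, the ClientIP John did not recognise: 2002::/16 is the 6to4 prefix from RFC 3056, and the 32 bits after the prefix are the host's own IPv4 address, so 2002:96b0:25ac::96b0:25ac decodes to 150.176.37.172; the quoted Received header shows that same address on both the "from" and the "by" side, i.e. the server handing the message to itself, which is why it tells you nothing about the real client. Second, the "with" clause of the Received header, which names the protocol the hop arrived by ("mapi" here rather than SMTP/ESMTP). The first sample header is the one quoted in the thread with the auto-link residue stripped; the second, with host mail.example.net and address 198.51.100.7, is constructed purely to exercise the SMTP path.

```python
"""Decode Exchange Received headers: embedded IPv4 in 6to4 / mapped
addresses, submission protocol, and self-relay hops."""
import ipaddress
import re

# Sample input. The first line is the header quoted in the thread; the
# second is constructed for this example (mail.example.net / 198.51.100.7
# are documentation-reserved placeholders, not real hosts).
SAMPLE_HEADERS = [
    "Received: from Exchange-Core.taylor.k12.fl.us ([2002:96b0:25ac::96b0:25ac]) "
    "by Exchange-Core.taylor.k12.fl.us ([2002:96b0:25ac::96b0:25ac]) with mapi",
    "Received: from mail.example.net ([198.51.100.7]) "
    "by Exchange-Core.taylor.k12.fl.us with ESMTP; Wed, 16 Jun 2010 08:01:12 -0400",
]

# "from HOST ([IP]) by HOST ([IP]) with PROTO"; the by-side IP is optional
# because not every MTA includes it.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<from_host>\S+)\s+\(\[(?P<from_ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by_host>\S+)(?:\s+\(\[(?P<by_ip>[^\]]+)\]\))?\s+"
    r"with\s+(?P<proto>\w+)",
    re.IGNORECASE,
)


def embedded_ipv4(addr: str):
    """Return the IPv4 address carried inside a 6to4 (2002::/16, RFC 3056)
    or IPv4-mapped (::ffff:a.b.c.d) IPv6 address, the address itself if it
    is already IPv4, or None for a native IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    if ip.sixtofour is not None:    # bits 16..47 are the IPv4 address
        return str(ip.sixtofour)
    if ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return None


def parse_received(header: str) -> dict:
    """Parse one Received header into its hop fields plus three derived
    facts a spam-source investigation needs: the underlying IPv4 address,
    whether the hop is the server talking to itself, and whether the
    message was submitted via MAPI (store submission) or over SMTP."""
    m = RECEIVED_RE.match(header.strip())
    if not m:
        raise ValueError("unrecognised Received header: %r" % header)
    hop = m.groupdict()
    hop["from_ipv4"] = embedded_ipv4(hop["from_ip"])
    hop["self_relay"] = (
        hop["from_host"].lower() == hop["by_host"].lower()
        and hop["by_ip"] is not None
        and hop["from_ip"] == hop["by_ip"]
    )
    hop["submission"] = "mapi" if hop["proto"].lower() == "mapi" else "smtp"
    return hop


def summarize(headers) -> list:
    """Parse every header and return the hops in order; a self-relay hop
    contributes no client information, so it is flagged rather than dropped."""
    return [parse_received(h) for h in headers]


if __name__ == "__main__":
    for hop in summarize(SAMPLE_HEADERS):
        note = "server-to-self, no client info" if hop["self_relay"] else "external hop"
        print("%-32s %-26s ipv4=%-15s via=%-5s %s" % (
            hop["from_host"], hop["from_ip"], hop["from_ipv4"],
            hop["submission"], note))
```

Running it prints the 6to4 hop as ipv4=150.176.37.172 via=mapi and flags it as server-to-self, which is the practical point: a 2002:: ClientIP in message tracking that matches the server's own 6to4 address does not identify the submitting machine, and the "with mapi" clause only says the message entered through the store rather than over SMTP.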
