+100, although I HAVE become a great procrastinator!

From: John Hornbuckle [mailto:[email protected]]
Sent: Wednesday, June 16, 2010 10:05 AM
To: MS-Exchange Admin Issues
Subject: RE: Tracking Down Spam Source

Would it? I wasn't sure how to interpret that. I'm a Jack of all trades, master of none. I wish I knew Exchange more intimately, but I don't, and maintaining our system here is one of just many, many hats I wear. So I have to be "good enough" at a lot of stuff, which doesn't give me time to be great at much. :-/

From: Richard Stovall [mailto:[email protected]]
Sent: Wednesday, June 16, 2010 9:59 AM
To: MS-Exchange Admin Issues
Subject: Re: Tracking Down Spam Source

Wouldn't the "with mapi" bit from the header provided earlier likely indicate that was the case?

Received: from Exchange-Core.taylor.k12.fl.us ([2002:96b0:25ac::96b0:25ac]) by Exchange-Core.taylor.k12.fl.us ([2002:96b0:25ac::96b0:25ac]) with mapi

On Wed, Jun 16, 2010 at 9:54 AM, John Hornbuckle <[email protected]> wrote:

This is a possibility--and I'm open to all possibilities--but it seems unlikely that this originated from inside our network. The user whose account this came from only accesses the network internally from one machine, and that machine has been turned off for days. One of my techs called her this morning, and she said she had been accessing her mail via OWA from an outside machine. She also said she got some weird message about her password, and had to reenter it (I know that's vague). So I'm trying to determine if it's possible that, from the outside, her account was compromised and an external spam system was able to route mail through our servers by using her username and password...

-----Original Message-----
From: Oz Casey Dedeal [mailto:[email protected]]
Sent: Wednesday, June 16, 2010 9:35 AM
To: MS-Exchange Admin Issues
Subject: Re: Tracking Down Spam Source

I would fire up a sniffer (Wireshark etc.) or look at firewall logs to see who is generating the most traffic or eating up your bandwidth, and start taking these clients offline and dealing with them. You might be dealing with a workstation of some kind that has an e-mail worm blasting it out? Also, it is good to ask yourself why your server AV/spam engine did not catch these and alert you (assuming you have decent AV/spam protection as a first line of defense and are not letting Postini do all the work for inbound and outbound SMTP traffic. If not, you can ignore this part).

Good luck
Ocd

On 6/16/10, Chris <[email protected]> wrote:
> John,
>
> Do you have a firewall in place that you can log all smtp traffic?
> There is a chance that the spam email *might* not be going through the
> exchange server.
>
> Chris
>
> On Wed, Jun 16, 2010 at 7:44 AM, John Hornbuckle <[email protected]> wrote:
>
>> I'm ashamed to say that for the first time ever, spam has been generated from my network. All of our outbound mail is routed through Google / Postini, and they cut us off last night after detecting it. I'm mortified.
>>
>> What I'm needing help with is tracking down the source. I can see who the message claims to be from, and Postini tech support thinks her account really is the source (I assumed the "From:" address had been forged). But even if her account really is the source, I need to know what machine generated the traffic so that I can see what's running on it.
>>
>> To be honest, I'm not sure how to do that. My weakness with Exchange is showing. I thought maybe the message tracking tool would help, and I've used it to find some of the messages, but I can't see the originating IP address in there. Some of the entries say "2002:96b0:25ac::96b0:25ac" for the ClientIP. I don't know what that is.
>>
>> Any pointers?
>>
>> John Hornbuckle
>> MIS Department
>> Taylor County School District
>> www.taylor.k12.fl.us
>>
>> NOTICE: Florida has a broad public records law. Most written communications to or from this entity are public records that will be disclosed to the public and the media upon request. E-mail communications may be subject to public disclosure.

--
Sent from my mobile device
Oz Casey Dedeal
Systems Engineer
MVP (exchange)
MCITP (EMA), MCITP (EA), MCITP (SA), MCSE 2003| M+| S+ | MCDST | Security+|Project+| Server+|
http://smtp25.blogspot.com (Blog)
http://telnet25.wordpress.com (Blog)
http://telnet25.spaces.live.com (Blog)
[email protected]
https://www.mcpvirtualbusinesscard.com/VBCServer/Odedeal/interactivecard

________________________________
CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material. Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. This information may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other Federal and Florida laws. Improper or unauthorized use or disclosure of this information could result in civil and/or criminal penalties.

Consider the environment. Please don't print this e-mail unless you really need to.
This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments.
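Editorial note with an added example; this is not part of the thread and not code from any of its participants. Two checks answer the question the thread circles around. First, the ClientIp John could not identify, 2002:96b0:25ac::96b0:25ac, is a 6to4 address (RFC 3056, prefix 2002::/16): the 32 bits after the prefix are an IPv4 address, and 96b0:25ac decodes to 150.176.37.172, which the "with mapi" Received line shows is the Exchange server talking to itself, not an outside host. Second, the tracking log's Source column says how each message entered transport: STOREDRIVER means it was taken out of a mailbox (Outlook, OWA or any other MAPI submission), in which case ClientIp is the mailbox server, while SMTP means a host connected over SMTP and ClientIp is that host. The PowerShell below (the Exchange Management Shell's language) implements both; the function names ConvertFrom-6to4Address and Get-SubmissionOrigin, the $sample rows and the address user@example.org are assumptions constructed for the example, and the only Exchange cmdlet referenced is Get-MessageTrackingLog, in a comment at the end.

```powershell
# Added example (not from the thread). Assumed helper names: ConvertFrom-6to4Address,
# Get-SubmissionOrigin. The $sample rows are constructed to resemble Get-MessageTrackingLog
# output and are not real log data; user@example.org stands in for the affected account.

function ConvertFrom-6to4Address {
    # Unwrap a 6to4 address (RFC 3056, 2002::/16) into the IPv4 address it embeds.
    # Anything that is not a 6to4 address is returned unchanged, so the function can be
    # applied to every ClientIp in a log without special-casing plain IPv4 rows.
    param([Parameter(Mandatory = $true)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $Address }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) { return $Address }
    $b = $ip.GetAddressBytes()
    if ($b[0] -ne 0x20 -or $b[1] -ne 0x02) { return $Address }     # not 2002::/16
    # Bits 16..47 of a 6to4 address are the IPv4 address of the 6to4 host.
    return ('{0}.{1}.{2}.{3}' -f $b[2], $b[3], $b[4], $b[5])
}

function Get-SubmissionOrigin {
    # Group RECEIVE events by how the message entered transport.
    #   Source STOREDRIVER: taken out of a mailbox (Outlook/OWA/MAPI submission);
    #                       ClientIp is the mailbox server, not the user's machine.
    #   Source SMTP:        accepted on an SMTP session; ClientIp is the host that connected.
    param([Parameter(Mandatory = $true)][object[]]$Events)
    $Events |
        Where-Object { $_.EventId -eq 'RECEIVE' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Source     = $_.Source
                ClientIp   = (ConvertFrom-6to4Address $_.ClientIp)
                ClientHost = $_.ClientHostname
            }
        } |
        Group-Object Source, ClientIp, ClientHost |
        ForEach-Object {
            New-Object PSObject -Property @{
                Source     = $_.Group[0].Source
                ClientIp   = $_.Group[0].ClientIp
                ClientHost = $_.Group[0].ClientHost
                Messages   = $_.Count
            }
        } |
        Sort-Object Messages -Descending |
        Select-Object Source, ClientIp, ClientHost, Messages
}

# Constructed sample: three messages picked up from the mailbox by the store driver
# (the pattern John's log showed) and one that arrived over SMTP from another host.
$sample = @(
    (New-Object PSObject -Property @{ EventId = 'RECEIVE'; Source = 'STOREDRIVER'; Sender = 'user@example.org'; ClientIp = '2002:96b0:25ac::96b0:25ac'; ClientHostname = 'Exchange-Core' })
    (New-Object PSObject -Property @{ EventId = 'SEND';    Source = 'SMTP';        Sender = 'user@example.org'; ClientIp = '150.176.37.172';            ClientHostname = 'Exchange-Core' })
    (New-Object PSObject -Property @{ EventId = 'RECEIVE'; Source = 'STOREDRIVER'; Sender = 'user@example.org'; ClientIp = '2002:96b0:25ac::96b0:25ac'; ClientHostname = 'Exchange-Core' })
    (New-Object PSObject -Property @{ EventId = 'RECEIVE'; Source = 'STOREDRIVER'; Sender = 'user@example.org'; ClientIp = '2002:96b0:25ac::96b0:25ac'; ClientHostname = 'Exchange-Core' })
    (New-Object PSObject -Property @{ EventId = 'RECEIVE'; Source = 'SMTP';        Sender = 'user@example.org'; ClientIp = '192.0.2.77';                ClientHostname = 'lab-pc' })
)

ConvertFrom-6to4Address '2002:96b0:25ac::96b0:25ac'
Get-SubmissionOrigin -Events $sample | Format-Table -AutoSize

# On a Hub Transport server, feed the real log in instead of $sample:
# Get-SubmissionOrigin -Events (Get-MessageTrackingLog -Sender 'user@example.org' `
#     -Start (Get-Date).AddDays(-2) -ResultSize Unlimited)
```

If the grouping shows every RECEIVE coming from STOREDRIVER on the mailbox server, the tracking log will never name the outside machine: it records the store, not the OWA client. The remote address of the OWA session is recorded in the IIS logs on the Client Access server (the W3SVC log's c-ip and cs-username fields for requests under /owa/), which is where to look for the account's logins from unfamiliar addresses around the time the spam was submitted.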
