We don't have our roles split up, but I am wondering if you have any AV or anti-spam software installed on the Exchange servers themselves. We use Exchange AV software on the server itself and then filter incoming and outbound spam at the gateway level. I don't know of any way that Exchange by itself would notice any spam-like email being sent without additional software.

On Wed, Jun 16, 2010 at 7:37 AM, John Hornbuckle <[email protected]> wrote:
> Mostly we were relying on Postini, which has previously worked fine. But
> obviously I need to reconsider. :-)
>
> Help me flesh this out... The Edge server is the one that would normally
> catch this, right? The spam in this case was apparently sent to the Client
> Access server, which runs OWA, using my user's compromised password. I'm
> thinking that since the Edge server was receiving the mail from the CA
> server (which it trusts) and from an authenticated user, it would be
> inclined not to think the messages were spam even though they were.
>
> Or is my logic off? Would the Edge server analyze the messages the same way
> it would messages from unauthenticated users from the outside world,
> giving no weight to the fact that they come from an authenticated internal
> user by way of the CA server?
>
> -----Original Message-----
> From: Oz Casey Dedeal [mailto:[email protected]]
> Sent: Wednesday, June 16, 2010 9:35 AM
> To: MS-Exchange Admin Issues
> Subject: Re: Tracking Down Spam Source
>
> I would fire up a sniffer (Wireshark etc.) or look at firewall logs to see
> who is generating the most traffic or eating up your bandwidth and start
> taking these clients offline, and deal with them. You might be dealing with
> a workstation of some kind that has an e-mail worm blasting it out?
>
> Also it is good to ask yourself why your server AV/spam engine did not
> catch these and alert you (assuming you have decent AV/spam protection as
> the first line of defense and are not letting Postini do all the work for
> inbound and outbound SMTP traffic. If not, you can ignore this part.)
>
> Good luck
> Ocd
>
> On 6/16/10, Chris <[email protected]> wrote:
> > John,
> >
> > Do you have a firewall in place that you can log all SMTP traffic?
> > There is a chance that the spam email *might* not be going through the
> > Exchange server.
> >
> > Chris
> >
> > On Wed, Jun 16, 2010 at 7:44 AM, John Hornbuckle <[email protected]> wrote:
> >
> >> I’m ashamed to say that for the first time ever, spam has been
> >> generated from my network. All of our outbound mail is routed through
> >> Google / Postini, and they cut us off last night after detecting it. I’m
> >> mortified.
> >>
> >> What I’m needing help with is tracking down the source. I can see who
> >> the message claims to be from, and Postini tech support thinks her
> >> account really is the source (I assumed the “From:” address had been
> >> forged). But even if her account really is the source, I need to know
> >> what machine generated the traffic so that I can see what’s running on
> >> it.
> >>
> >> To be honest, I’m not sure how to do that. My weakness with Exchange
> >> is showing. I thought maybe the message tracking tool, which I’ve
> >> used to find some of the messages, but I can’t see the originating IP
> >> address in there.
> >> Some of the entries say “2002:96b0:25ac::96b0:25ac” for the ClientIP.
> >> I don’t know what that is.
> >>
> >> Any pointers?
> >>
> >>
> >> John Hornbuckle
> >> MIS Department
> >> Taylor County School District
> >> www.taylor.k12.fl.us
> >>
> >> NOTICE: Florida has a broad public records law. Most written
> >> communications to or from this entity are public records that will be
> >> disclosed to the public and the media upon request. E-mail
> >> communications may be subject to public disclosure.
> >>
> >
> >
> --
> Sent from my mobile device
>
> Oz Casey Dedeal
> Systems Engineer
> MVP (Exchange)
> MCITP (EMA), MCITP (EA), MCITP (SA), MCSE 2003 | M+ | S+ | MCDST |
> Security+ | Project+ | Server+ |
> http://smtp25.blogspot.com (Blog)
> http://telnet25.wordpress.com (Blog)
> http://telnet25.spaces.live.com (Blog)
> [email protected]
> https://www.mcpvirtualbusinesscard.com/VBCServer/Odedeal/interactivecard
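The ClientIP value John quotes, 2002:96b0:25ac::96b0:25ac, is a 6to4 address (RFC 3056): the 2002::/16 prefix is followed by 32 bits that carry an IPv4 address, so 0x96b0 0x25ac decodes to 150.176.37.172. Windows hosts with a public IPv4 address typically configure such an address automatically, so the tracking log does record the originating IPv4 address, just in IPv6 notation. The Exchange Management Shell script below is an added example and was not posted in this thread; it decodes such values with a hypothetical helper, Convert-6to4ToIPv4, and counts submissions per client address for one sender using the real Get-MessageTrackingLog cmdlet. The sender address, the two-day window and the chosen columns are assumptions.

```powershell
# Added example (not from the thread): decode 6to4-encoded ClientIp values in
# Exchange message tracking entries and count submissions per client address
# for one sender. Run from the Exchange Management Shell.

function Convert-6to4ToIPv4 {
    # Returns "a.b.c.d" for an address in 2002::/16; any other input is returned unchanged.
    param([string]$Address)

    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $Address }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) { return $Address }

    $b = $ip.GetAddressBytes()
    # 6to4 (RFC 3056): first two bytes are 0x20 0x02, the next four are the embedded IPv4 address
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x02) {
        return ('{0}.{1}.{2}.{3}' -f $b[2], $b[3], $b[4], $b[5])
    }
    return $Address
}

# The value from the thread: 2002:96b0:25ac::96b0:25ac decodes to 150.176.37.172
Convert-6to4ToIPv4 '2002:96b0:25ac::96b0:25ac'

$sender = 'user@example.com'        # assumption: address of the compromised mailbox
$start  = (Get-Date).AddDays(-2)    # assumption: look back two days

# Only RECEIVE and SUBMIT events describe the client that handed the message to Exchange;
# later DELIVER/SEND events carry server-to-server addresses and would muddy the count.
Get-MessageTrackingLog -Sender $sender -Start $start -End (Get-Date) -ResultSize Unlimited |
    Where-Object { $_.EventId -eq 'RECEIVE' -or $_.EventId -eq 'SUBMIT' } |
    Select-Object Timestamp, EventId, Source, ClientHostname, MessageSubject,
        @{ Name = 'ClientIpv4'; Expression = { Convert-6to4ToIPv4 ([string]$_.ClientIp) } } |
    Group-Object Source, ClientIpv4 |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Read the Source column alongside the address: an SMTP source with a workstation address points at a machine submitting mail directly, while a store-driver source with one of your own server addresses means the mail was submitted through a mailbox session (OWA, Outlook) and the tracking log will not show the workstation. In that second case the IIS logs on the Client Access server are the next stop, since each OWA request is logged with the client's address (c-ip) and the authenticated account (cs-username).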