Postini did catch the outbound spam. Not at first; apparently a number of 
messages did get out. But at some point Postini saw that the messages looked 
fishy, and it started blocking mail from my server. So at that point, we 
couldn't get mail to the outside world at all.

I think we're okay for client AV, but in this case that was moot because the 
spam didn't originate from a client on our network.

As for the firewall... I've e-mailed our Cisco guy to talk to him about that, to 
see if it could/should be doing more.



From: Chris [mailto:[email protected]]
Sent: Wednesday, June 16, 2010 10:53 AM
To: MS-Exchange Admin Issues
Subject: Re: Tracking Down Spam Source

1. How come Postini didn't catch this? That would be my very first question.
2. If it got by Postini, what do you have for unified threat management at the 
firewall? Might be time to re-evaluate what you are using or how you are using 
it.
3. Between Postini, your firewall, and a good client side AV package, you 
should be set. I am against running any AV software on the exchange server as 
it has a tendency to slow things down. But I am very locked down.

Chris

On Wed, Jun 16, 2010 at 9:42 AM, Eric <[email protected]> wrote:
We don't have our roles split up, but I am wondering if you have any AV or 
Anti-Spam software installed on the Exchange servers themselves. We use 
Exchange AV software on the server itself and then filter incoming and outbound 
spam at the gateway level. I don't know of any way that Exchange by itself 
would notice any spam-like email being sent without additional software.


On Wed, Jun 16, 2010 at 7:37 AM, John Hornbuckle <[email protected]> wrote:
Mostly we were relying on Postini, which has previously worked fine. But 
obviously I need to reconsider.  :-)

Help me flesh this out... The Edge server is the one that would normally catch 
this, right? The spam in this case was apparently sent to the Client Access 
server, which runs OWA, using my user's compromised password. I'm thinking that 
since the Edge server was receiving the mail from the CA server (which it 
trusts) and from an authenticated user, it would be inclined not to think the 
messages were spam even though they were.

Or is my logic off? Would the Edge server analyze the messages the same way 
they would messages from unauthenticated users from the outside world, giving 
no weight to the fact that they come from an authenticated internal user by way 
of the CA server?



-----Original Message-----
From: Oz Casey Dedeal [mailto:[email protected]]
Sent: Wednesday, June 16, 2010 9:35 AM
To: MS-Exchange Admin Issues
Subject: Re: Tracking Down Spam Source

I would fire up a sniffer (Wireshark etc.) or look at firewall logs to see who is 
generating the most traffic or eating up your bandwidth, and start taking these 
clients offline and dealing with them. You might be dealing with a workstation 
of some kind that has an e-mail worm blasting it out?

Also it is good to ask yourself why your server AV/spam engine did not catch 
these and alert you (assuming you have decent AV/spam protection as your first 
line of defense and are not letting Postini do all the work for inbound and 
outbound SMTP traffic; if not, you can ignore this part).

Good luck
Ocd

On 6/16/10, Chris <[email protected]> wrote:
> John,
>
> Do you have a firewall in place that you can log all smtp traffic?
> There is a chance that the spam email *might* not be going through the
> exchange server.
>
> Chris
>
>
> On Wed, Jun 16, 2010 at 7:44 AM, John Hornbuckle <[email protected]> wrote:
>
>> I'm ashamed to say that for the first time ever, spam has been
>> generated from my network. All of our outbound mail is routed through
>> Google / Postini, and they cut us off last night after detecting it. I'm 
>> mortified.
>>
>> What I'm needing help with is tracking down the source. I can see who
>> the message claims to be from, and Postini tech support thinks her
>> account really is the source (I assumed the "From:" address had been
>> forged). But even if her account really is the source, I need to know
>> what machine generated the traffic so that I can see what's running on it.
>>
>> To be honest, I'm not sure how to do that. My weakness with Exchange
>> is showing. I thought maybe the message tracking tool, which I've
>> used to find some of the messages, would help, but I can't see the
>> originating IP address in there.
>> Some of the entries say "2002:96b0:25ac::96b0:25ac" for the ClientIP.
>> I don't know what that is.
>>
>> Any pointers?
>>
>> John Hornbuckle
>> MIS Department
>> Taylor County School District
>> www.taylor.k12.fl.us
>>
>> NOTICE: Florida has a broad public records law. Most written
>> communications to or from this entity are public records that will be
>> disclosed to the public and the media upon request. E-mail
>> communications may be subject to public disclosure.
>>
>

--
Sent from my mobile device

Oz Casey Dedeal
Systems Engineer
MVP (exchange)
MCITP (EMA), MCITP (EA), MCITP (SA), MCSE 2003| M+| S+ | MCDST |
Security+|Project+| Server+|
http://smtp25.blogspot.com (Blog)
http://telnet25.wordpress.com (Blog)
http://telnet25.spaces.live.com  (Blog)
[email protected]
https://www.mcpvirtualbusinesscard.com/VBCServer/Odedeal/interactivecard
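An added worked example, not code from anyone in the thread: the ClientIP John quotes, "2002:96b0:25ac::96b0:25ac", is a 6to4 address (RFC 3056). The 32 bits after the 2002: prefix are an IPv4 address written in hex, so 96b0:25ac decodes to 150.176.37.172. Windows Vista and Server 2008 enable the 6to4 interface automatically on hosts that hold a public IPv4 address, so an entry like this normally identifies one of your own servers rather than the spammer's client. The script below decodes such values (and ::ffff:a.b.c.d IPv4-mapped ones), then tallies the RECEIVE events for one sender by Exchange source and submitting address. The CSV rows are constructed sample data; the column names are assumed to match the Get-MessageTrackingLog output properties as exported with Export-Csv, and the sender address, hostnames and IPs are placeholders.

```python
"""
Added example (not from the original thread): decode Exchange message
tracking log ClientIp values and tally where a sender's mail was submitted.

Assumed input: a CSV produced roughly like
    Get-MessageTrackingLog -Sender user@example.org -Start "6/15/2010" |
        Export-Csv tracking.csv -NoTypeInformation
with the cmdlet's property names as headers (assumption; adjust if yours differ).
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample rows, not real log data. Hostnames/IPs are placeholders.
SAMPLE_TRACKING_CSV = """\
Timestamp,EventId,Source,Sender,ClientIp,ClientHostname,ServerHostname,MessageSubject
2010-06-15 22:01:05,RECEIVE,SMTP,compromised.user@example.org,2002:96b0:25ac::96b0:25ac,EXSRV02,HUB01,"Cheap meds, no prescription"
2010-06-15 22:01:06,SEND,SMTP,compromised.user@example.org,10.1.2.20,HUB01,outbound.postini.example,"Cheap meds, no prescription"
2010-06-15 22:01:09,RECEIVE,SMTP,compromised.user@example.org,2002:96b0:25ac::96b0:25ac,EXSRV02,HUB01,"Cheap meds, no prescription"
2010-06-15 22:03:40,RECEIVE,STOREDRIVER,compromised.user@example.org,10.1.2.5,MBX01,HUB01,"Re: field trip forms"
2010-06-15 22:05:12,RECEIVE,SMTP,compromised.user@example.org,::ffff:203.0.113.9,,HUB01,"Cheap meds, no prescription"
2010-06-15 22:06:00,RECEIVE,SMTP,other.user@example.org,10.1.5.77,PC-LIB-03,HUB01,"Lunch menu"
"""


def decode_client_ip(value):
    """Normalize a ClientIp field to the address an admin can act on.

    6to4 (2002::/16) and IPv4-mapped (::ffff:a.b.c.d) IPv6 addresses embed an
    IPv4 address; return that. Anything else is returned as parsed.
    """
    value = value.strip()
    if not value:
        return ""
    addr = ipaddress.ip_address(value)
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.sixtofour is not None:      # 2002:WWXX:YYZZ::/48 -> W.X.Y.Z
            return str(addr.sixtofour)
        if addr.ipv4_mapped is not None:    # ::ffff:a.b.c.d -> a.b.c.d
            return str(addr.ipv4_mapped)
    return str(addr)


def submissions_by_client(csv_text, sender):
    """Count RECEIVE events for `sender`, keyed by (Source, decoded ClientIp).

    RECEIVE is where a message enters transport, so its ClientIp is the
    submitting side. SEND rows record the hand-off to the next hop (here the
    Postini relay) and say nothing about where the message came from.
    """
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventId"] != "RECEIVE":
            continue
        if row["Sender"].lower() != sender.lower():
            continue
        counts[(row["Source"], decode_client_ip(row["ClientIp"]))] += 1
    return counts


def report(csv_text, sender):
    """Human-readable summary, most frequent submitting client first."""
    lines = [f"Submission sources for {sender}:"]
    for (source, ip), n in submissions_by_client(csv_text, sender).most_common():
        lines.append(f"  {n:3d}  {source:<12} {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TRACKING_CSV, "compromised.user@example.org"))
```

Reading the tally: a RECEIVE row with Source SMTP carries the address that connected to a receive connector, which for authenticated SMTP submission is the client itself. A RECEIVE row with Source STOREDRIVER is a mailbox submission (OWA, Outlook, ActiveSync) picked up from the mailbox server, so its ClientIp is a server address and tells you nothing about the end client. For the OWA case described in the thread, the client address has to come from the IIS (W3SVC) logs on the Client Access server, filtered on the compromised username.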