Re: Message tracking log documentation
Does this help?

http://allcomputers.us/windows_server/integrating-client-access-into-exchange-server-2010-design.aspx

Outlook MAPI—Traditional MAPI access has been replaced with MAPI on the Middle Tier (MoMT), which enables Outlook clients to communicate through the CAS servers. Outlook versions that support access to Exchange Server 2010 servers are limited to the 2003, 2007, and 2010 versions of Outlook.

On Fri, Nov 2, 2012 at 3:10 PM, Campbell, Rob rob_campb...@centraltechnology.net wrote:

Anybody know where to find the documentation on the abbreviations used for ClientType in the SourceContext field of an E2010 Submit event?

Specifically, what kind of client does MOMT represent?

Can’t seem to find that documented anywhere……

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist
Re: Message tracking log documentation
On Fri, Nov 2, 2012 at 12:10 PM, Campbell, Rob rob_campb...@centraltechnology.net wrote:

Anybody know where to find the documentation on the abbreviations used for ClientType in the SourceContext field of an E2010 Submit event?

Specifically, what kind of client does MOMT represent?

Can’t seem to find that documented anywhere……

MAPI on the Middle Tier. I'm guessing this:

http://blogs.technet.com/b/jribeiro/archive/2009/09/18/exchange-2010-mapi-on-the-middle-tier.aspx

and this:

http://www.msexchange.org/articles_tutorials/exchange-server-2007/planning-architecture/uncovering-new-rpc-client-access-service-exchange-2010-part1.html

Kurt
RE: Message tracking log documentation
Yes it does. Thanks. Kind of sad that there doesn't seem to be an MS documentation on it.

From: Candee [mailto:can...@gmail.com]
Sent: Friday, November 02, 2012 2:22 PM
To: MS-Exchange Admin Issues
Subject: Re: Message tracking log documentation

Does this help?

http://allcomputers.us/windows_server/integrating-client-access-into-exchange-server-2010-design.aspx

Outlook MAPI - Traditional MAPI access has been replaced with MAPI on the Middle Tier (MoMT), which enables Outlook clients to communicate through the CAS servers. Outlook versions that support access to Exchange Server 2010 servers are limited to the 2003, 2007, and 2010 versions of Outlook.
RE: Problem with Message Tracking Report
Lori,

Sometimes when exporting to a CSV file you 'lose' information. Someone smarter than I can tell you why, but I know it is necessary to convert this 'value' to a 'string', like using {$_.recipients}

I use message tracking a lot, so the command would be

Get-MessageTrackingLog -Sender m...@mydomain.com -Start "10-23-2012 00:00:00 am" -End "10-23-2012 10:00:00 am" -Server YourHubTransportServer | Select-Object TimeStamp, Sender, Recipients, MessageSubject

This will work; however, when you add | Export-Csv FilePath\ExportFile.csv to this, then you get blanks in the recipients column.

Here is the command with proper syntax to convert this value.

Get-MessageTrackingLog -Sender m...@mydomain.com -Start "10-23-2012 00:00:00 am" -End "10-23-2012 10:00:00 am" -Server YourHubTransportServer | Select-Object TimeStamp, Sender, {$_.Recipients}, MessageSubject | Export-Csv FilePath\ExportFile.csv

Steven Alfano
Sr. Systems Administrator
salf...@rockefeller.edu
www.rockefeller.edu

-----Original Message-----
From: Lori Binner [mailto:lbin...@jjkeller.com]
Sent: Monday, October 22, 2012 4:54 PM
To: MS-Exchange Admin Issues
Subject: Problem with Message Tracking Report

Hello-

Using Exchange 2010 Sp1 Rollup 6. When I run a report in the ECP's Tracking Log Explorer and specify my mailbox in the Sender field along with the EventID of SEND, and hit next, I DO see the Recipients that I sent my emails to.

However, if I copy that same commandlet of that page to Exchange PowerShell and tell it to export it to a csv file, it does not have a column showing those recipients for the emails I sent.

Could someone please let me know what I could be doing incorrectly?

Thanks,
Lori
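Added example, not part of the original thread: Recipients is a multi-valued property, and Export-Csv / ConvertTo-Csv write each cell from the value's string form, which for a plain .NET array is the type name rather than the addresses. The sample objects below are constructed stand-ins for Get-MessageTrackingLog output so the snippet runs without an Exchange server; the `;` separator and the ConvertTo-SafeCell helper are assumptions of this example, not part of Exchange.

```powershell
# Constructed sample rows standing in for Get-MessageTrackingLog output.
# Addresses and subjects are made up; Recipients is an array, as it is on
# tracking events with more than one recipient.
$events = @(
    New-Object PSObject -Property @{
        Timestamp      = [datetime]'2012-10-23T08:15:00'
        Sender         = 'me@example.com'
        Recipients     = [string[]]@('alice@example.com', 'bob@example.net')
        MessageSubject = 'Quarterly report'
    }
    New-Object PSObject -Property @{
        Timestamp      = [datetime]'2012-10-23T09:02:00'
        Sender         = 'me@example.com'
        Recipients     = [string[]]@('carol@example.org')
        MessageSubject = '=SUM(1,1) budget'
    }
)

# Hypothetical helper: a subject line is sender-controlled text, so neutralise
# a leading =, +, - or @ before the CSV is opened in a spreadsheet.
function ConvertTo-SafeCell([string]$Text) {
    if ($Text -match '^[=+\-@]') { "'" + $Text } else { $Text }
}

# 1) Array property passed straight through: the Recipients cell carries the
#    collection's string form, not the individual addresses.
$events |
    Select-Object Timestamp, Sender, Recipients, MessageSubject |
    ConvertTo-Csv -NoTypeInformation

# 2) Calculated properties: join the addresses into one string under a
#    predictable column name, and sanitise the subject on the way out.
$events |
    Select-Object Timestamp, Sender,
        @{ Name = 'Recipients';     Expression = { $_.Recipients -join ';' } },
        @{ Name = 'MessageSubject'; Expression = { ConvertTo-SafeCell $_.MessageSubject } } |
    ConvertTo-Csv -NoTypeInformation

# To write a file instead of printing, end the pipeline with:
#   Export-Csv -Path .\ExportFile.csv -NoTypeInformation
```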
RE: Problem with Message Tracking Report
Thanks to you Mike...very helpful and saved my day!

-----Original Message-----
From: Steven Alfano [mailto:salf...@mail.rockefeller.edu]
Sent: Tuesday, October 23, 2012 9:26 AM
To: MS-Exchange Admin Issues
Subject: RE: Problem with Message Tracking Report

Lori,

Sometimes when exporting to a CSV file you 'lose' information. Someone smarter than I can tell you why, but I know it is necessary to convert this 'value' to a 'string', like using {$_.recipients}

I use message tracking a lot, so the command would be

Get-MessageTrackingLog -Sender m...@mydomain.com -Start "10-23-2012 00:00:00 am" -End "10-23-2012 10:00:00 am" -Server YourHubTransportServer | Select-Object TimeStamp, Sender, Recipients, MessageSubject

This will work; however, when you add | Export-Csv FilePath\ExportFile.csv to this, then you get blanks in the recipients column.

Here is the command with proper syntax to convert this value.

Get-MessageTrackingLog -Sender m...@mydomain.com -Start "10-23-2012 00:00:00 am" -End "10-23-2012 10:00:00 am" -Server YourHubTransportServer | Select-Object TimeStamp, Sender, {$_.Recipients}, MessageSubject | Export-Csv FilePath\ExportFile.csv

Steven Alfano
Sr. Systems Administrator
salf...@rockefeller.edu
www.rockefeller.edu
RE: Problem with Message Tracking Report
Sorry, too quick on the keyboard. Meant to say Michael :)

-----Original Message-----
From: Binner, Lori A
Sent: Tuesday, October 23, 2012 9:37 AM
To: MS-Exchange Admin Issues
Subject: RE: Problem with Message Tracking Report

Thanks to you Mike...very helpful and saved my day!
Problem with Message Tracking Report
Hello-

Using Exchange 2010 Sp1 Rollup 6. When I run a report in the ECP's Tracking Log Explorer and specify my mailbox in the Sender field along with the EventID of SEND, and hit next, I DO see the Recipients that I sent my emails to.

However, if I copy that same commandlet of that page to Exchange PowerShell and tell it to export it to a csv file, it does not have a column showing those recipients for the emails I sent.

Could someone please let me know what I could be doing incorrectly?

Thanks,
Lori
RE: Problem with Message Tracking Report
Pipe the output to | fl *

You can match the format-list output (or select-object output) to match exactly what ECP shows you, if you wish.

-----Original Message-----
From: Lori Binner [mailto:lbin...@jjkeller.com]
Sent: Monday, October 22, 2012 4:54 PM
To: MS-Exchange Admin Issues
Subject: Problem with Message Tracking Report

Hello-

Using Exchange 2010 Sp1 Rollup 6. When I run a report in the ECP's Tracking Log Explorer and specify my mailbox in the Sender field along with the EventID of SEND, and hit next, I DO see the Recipients that I sent my emails to.

However, if I copy that same commandlet of that page to Exchange PowerShell and tell it to export it to a csv file, it does not have a column showing those recipients for the emails I sent.

Could someone please let me know what I could be doing incorrectly?

Thanks,
Lori
Give Help Desk Message Tracking Rights
Hello all,

We have an Exchange 2010 SP1. We are getting some questions about the tracking of messages.

I was wondering what I should do to give the Exchange Help Desk security group access to use the message-tracking.

If I recall right, it is done with RBAC but I have no idea how...

Thnx!

Kind regards,

KHLim
Katholieke Hogeschool Limburg
Associatie KULeuven
http://www.khlim.be/

Tim Vandael
ICT System Administrator
Campus Diepenbeek, Agoralaan gebouw B, bus 1, 3590 Diepenbeek
T +32 11 23 08 94 - F +32 11 23 07 89 - G +32 476 22 45 22
tim.vand...@khlim.be
RE: Give Help Desk Message Tracking Rights
http://lmgtfy.com/?q=exchange+2010+sp1+message+tracking+role+rbac+site%3A*.microsoft.com

The first hit tells you how to use it, the second hit how to assign it.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Vandael Tim [mailto:tim.vand...@khlim.be]
Sent: Monday, May 16, 2011 4:23 AM
To: MS-Exchange Admin Issues
Subject: Give Help Desk Message Tracking Rights

Hello all,

We have an Exchange 2010 SP1. We are getting some questions about the tracking of messages.

I was wondering what I should do to give the Exchange Help Desk security group access to use the message-tracking.

If I recall right, it is done with RBAC but I have no idea how...

Thnx!

Kind regards,

KHLim
Katholieke Hogeschool Limburg
Associatie KULeuven
http://www.khlim.be/

Tim Vandael
ICT System Administrator
Campus Diepenbeek, Agoralaan gebouw B, bus 1, 3590 Diepenbeek
T +32 11 23 08 94 - F +32 11 23 07 89 - G +32 476 22 45 22
tim.vand...@khlim.be
RE: Give Help Desk Message Tracking Rights
Thnx Michael, and to be honest I sent it too fast... Should have looked a bit further :)

Kind regards,

KHLim
Katholieke Hogeschool Limburg
Associatie KULeuven
http://www.khlim.be/

Tim Vandael
ICT System Administrator
Campus Diepenbeek, Agoralaan gebouw B, bus 1, 3590 Diepenbeek
T +32 11 23 08 94 - F +32 11 23 07 89 - G +32 476 22 45 22
tim.vand...@khlim.be

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, May 16, 2011 13:24
To: MS-Exchange Admin Issues
Subject: RE: Give Help Desk Message Tracking Rights

http://lmgtfy.com/?q=exchange+2010+sp1+message+tracking+role+rbac+site%3A*.microsoft.com

The first hit tells you how to use it, the second hit how to assign it.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
RE: Message Tracking in mixed 2003/2010
I figured it out in PS, now just trying to format the output correctly.

From: Sam Cayze [mailto:sca...@gmail.com]
Sent: Monday, January 17, 2011 1:40 PM
To: MS-Exchange Admin Issues
Subject: Message Tracking in mixed 2003/2010

Curious about how to track messages sent from a 2003 mailbox that essentially leave the SMTP queue on a 2010 server.

Message tracking on 2003 reports the message was sent to the 2010 server for external delivery.

Message tracking on 2010 requires that you enter a 2010 to search for (no can do, this message was sent from a 2003 mailbox).

Other than search the raw smtp log or raw message tracking logs, how would I 'normally' do this?

TIA,
Sam
quick 2010 message tracking log question
Are the tracking logs in Exchange 2010 in the same format as those produced by Exchange 2003? (Or something similar?)

In 2003 they are simply tab delimited files of the following format.

# Message Tracking Log File
# Exchange System Attendant Version 6.5.7638.1
# Date Time client-ip Client-hostname Partner-Name Server-hostname server-IP Recipient-Address Event-ID MSGID Priority Recipient-Report-Status total-bytes Number-Recipients Origination-Time Encryption service-Version Linked-MSGID Message-Subject Sender-Address

We've got a need to slice and dice these outside of the Exchange context, and I'm curious how this would work in the 2010 world.

Thanks folks,
RS
RE: quick 2010 message tracking log question
The idea is the same. In Exchange 2007/2010 they are CSV, not tab delimited. And they contain more data.

I process them in PowerShell and using LogParser with no problems. YMMV.

#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Date: 2010-11-21T00:06:19.765Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Richard Stovall [mailto:rich...@gmail.com]
Sent: Friday, December 17, 2010 5:17 PM
To: MS-Exchange Admin Issues
Subject: quick 2010 message tracking log question

Are the tracking logs in Exchange 2010 in the same format as those produced by Exchange 2003? (Or something similar?)

In 2003 they are simply tab delimited files of the following format.

# Message Tracking Log File
# Exchange System Attendant Version 6.5.7638.1
# Date Time client-ip Client-hostname Partner-Name Server-hostname server-IP Recipient-Address Event-ID MSGID Priority Recipient-Report-Status total-bytes Number-Recipients Origination-Time Encryption service-Version Linked-MSGID Message-Subject Sender-Address

We've got a need to slice and dice these outside of the Exchange context, and I'm curious how this would work in the 2010 world.

Thanks folks,
RS
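Added example, not part of the original thread: one way to read the Exchange 2010 raw tracking log format quoted above in PowerShell, taking the column names from the `#Fields:` comment line, and to pull the ClientType value (the MOMT question in the earlier thread) out of source-context on SUBMIT events. The header lines are the ones quoted in the message; the data rows, host names, addresses and the layout of the source-context value are constructed for illustration, and Import-TrackingLog is a hypothetical helper name.

```powershell
# Constructed sample log. Header block as quoted in the thread; the two data
# rows (hosts, IPs, IDs, addresses, source-context layout) are made up.
$sampleLog = @'
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Date: 2010-11-21T00:06:19.765Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data
2010-11-21T00:06:20.101Z,,MBX01,,HUB01,"MDB:0001, Mailbox:0002, ClientType:MOMT",,STOREDRIVER,SUBMIT,101,<msg1@example.com>,alice@example.com,,4096,1,,,Quarterly report,me@example.com,me@example.com,,Originating,,,,
2010-11-21T00:07:02.450Z,192.0.2.25,mail.example.net,10.0.0.5,HUB01,08CD0000AAAA0001,HUB01\Default HUB01,SMTP,RECEIVE,102,<msg2@example.net>,bob@example.com;carol@example.com,,10240,2,,,Invoice,a@example.net,a@example.net,,Incoming,,,,
'@

# Hypothetical helper: turn the lines of one tracking log into objects.
function Import-TrackingLog {
    param([string[]]$Lines)

    # Column names live in the '#Fields:' comment line, not in a CSV header row.
    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { throw 'No #Fields: line found; is this a tracking log?' }
    $header = ($fieldsLine -replace '^#Fields:\s*', '').Split(',')

    # Skip comment and blank lines; ConvertFrom-Csv handles quoted fields
    # that contain commas (source-context in the first sample row).
    $Lines | Where-Object { $_ -and $_ -notlike '#*' } | ConvertFrom-Csv -Header $header
}

$rows = Import-TrackingLog -Lines ($sampleLog -split "`r?`n")

# SUBMIT events with the ClientType token extracted from source-context.
$rows |
    Where-Object { $_.'event-id' -eq 'SUBMIT' } |
    Select-Object 'date-time', 'sender-address', 'message-subject',
        @{ Name = 'ClientType'; Expression = {
            if ($_.'source-context' -match 'ClientType:(\w+)') { $Matches[1] } } }

# RECEIVE events counted per sender address.
$rows |
    Where-Object { $_.'event-id' -eq 'RECEIVE' } |
    Group-Object 'sender-address' |
    Select-Object Name, Count
```

For real data, pass the function the output of Get-Content for one log file from the server's message tracking log directory.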
RE: Exchange 2010 message tracking tool alternative?
More specifically, the Get-MessageTrackingLog cmdlet (http://technet.microsoft.com/en-us/library/aa997573.aspx) is what you're looking for. Something like the following would do what you want for the last 24 hours:

Get-MessageTrackingLog -Server servername -Sender a...@internetdomain.com -Date (Get-Date).AddDays(-1)

That command has quite a few options to it - check out the TechNet article linked above. I use some form of it almost every day.

Also useful is the Get-AgentLog cmdlet (http://technet.microsoft.com/en-us/library/aa996044.aspx) on an edge transport or a hub transport with the anti-spam agents installed:

Use the Get-AgentLog cmdlet to parse log files that you specify as parameters and collect raw statistics from the filtering that anti-spam agents apply during a time period that you specify.

Note that you may want to up max file size / max directory size for message tracking logs if you notice that your data doesn't go back far enough. Check out the {Get,Set}-TransportServer cmdlets and look for the MessageTrackingLog* properties:

[PS] Get-TransportServer | fl Name,MessageTracking*

MessageTrackingLogEnabled               : True
MessageTrackingLogMaxAge                : 30.00:00:00
MessageTrackingLogMaxDirectorySize      : 8 GB (8,589,934,592 bytes)
MessageTrackingLogMaxFileSize           : 250 MB (262,144,000 bytes)
MessageTrackingLogPath                  : E:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking
MessageTrackingLogSubjectLoggingEnabled : True

---
seth wright (wrigh...@jmu.edu)
lead exchange administrator
540.568.2912 (office)
james madison university

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, December 08, 2010 5:42 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2010 message tracking tool alternative?

Drop to the command prompt (Exchange Management Shell). You can do darn near anything.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
RE: Exchange 2010 message tracking tool alternative?
Argh. Okay, so I was correct: I do use *some form* of that command almost every day, but the command below won't actually work (haven't had my coffee yet this morning). The -Date parameter should have been -Start. There is also a corresponding -End param, if you want to put upper and / or lower bounds on your query.

---
Seth

From: Wright, Seth - wrightst [mailto:wrigh...@jmu.edu]
Sent: Thursday, December 09, 2010 9:30 AM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2010 message tracking tool alternative?

More specifically, the Get-MessageTrackingLog cmdlet (http://technet.microsoft.com/en-us/library/aa997573.aspx) is what you're looking for. Something like the following would do what you want for the last 24 hours:

Get-MessageTrackingLog -Server servername -Sender a...@internetdomain.com -Date (Get-Date).AddDays(-1)

That command has quite a few options to it - check out the TechNet article linked above. I use some form of it almost every day.

Also useful is the Get-AgentLog cmdlet (http://technet.microsoft.com/en-us/library/aa996044.aspx) on an edge transport or a hub transport with the anti-spam agents installed:

Use the Get-AgentLog cmdlet to parse log files that you specify as parameters and collect raw statistics from the filtering that anti-spam agents apply during a time period that you specify.

Note that you may want to up max file size / max directory size for message tracking logs if you notice that your data doesn't go back far enough. Check out the {Get,Set}-TransportServer cmdlets and look for the MessageTrackingLog* properties:

[PS] Get-TransportServer | fl Name,MessageTracking*

MessageTrackingLogEnabled               : True
MessageTrackingLogMaxAge                : 30.00:00:00
MessageTrackingLogMaxDirectorySize      : 8 GB (8,589,934,592 bytes)
MessageTrackingLogMaxFileSize           : 250 MB (262,144,000 bytes)
MessageTrackingLogPath                  : E:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking
MessageTrackingLogSubjectLoggingEnabled : True

---
seth wright (wrigh...@jmu.edu)
lead exchange administrator
540.568.2912 (office)
james madison university
Exchange 2010 message tracking tool alternative?
We recently upgraded from Exchange 2003 to 2010. Everything is fine but the message tracking tool is very limited compared to Exchange 2003. For example... if we want to find any messages that came from a...@internetdomain.com to any internal users it's not possible since you have to select a single specific mailbox to search at and there is no option to change the server name. I'm not sure why MS did this but do you guys know of any alternatives to the built in tracking tool? Any input would be appreciated.

Thanks
RE: Exchange 2010 message tracking tool alternative?
Drop to the command prompt (Exchange Management Shell). You can do darn near anything.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Nelson Siqueiros [mailto:nsiquei...@escalate.com]
Sent: Wednesday, December 08, 2010 5:31 PM
To: MS-Exchange Admin Issues
Subject: Exchange 2010 message tracking tool alternative?

We recently upgraded from Exchange 2003 to 2010. Everything is fine but the message tracking tool is very limited compared to Exchange 2003. For example... if we want to find any messages that came from a...@internetdomain.com to any internal users it's not possible since you have to select a single specific mailbox to search at and there is no option to change the server name. I'm not sure why MS did this but do you guys know of any alternatives to the built in tracking tool? Any input would be appreciated.

Thanks
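One way to run the search Nelson describes from the Exchange Management Shell, added here as an example and not posted by anyone in the thread. Find-MailFromSender, its parameters and the sample events are constructed for illustration; Get-TransportServer and Get-MessageTrackingLog are the Exchange 2010 cmdlets, and the search reaches back only as far as MessageTrackingLogMaxAge (30 days in Seth's output).

```powershell
# Added example, not code from the thread. Find-MailFromSender and the sample
# events are constructed. Needs PowerShell 2.0 or later.
function Find-MailFromSender {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string]   $Sender,
        [Parameter(Mandatory = $true)] [string[]] $InternalDomain,
        [datetime] $Start = (Get-Date).AddDays(-7),
        [datetime] $End   = (Get-Date),
        [object[]] $TrackingEvent   # optional: events collected earlier (used for the offline sample)
    )
    if (-not $TrackingEvent) {
        # Query every transport server instead of one mailbox on one server.
        $TrackingEvent = Get-TransportServer |
            Get-MessageTrackingLog -Sender $Sender -EventId DELIVER `
                -Start $Start -End $End -ResultSize Unlimited
    }
    $seen = @{}   # MessageId + recipient already reported
    foreach ($e in $TrackingEvent) {
        if ($e.Sender -ne $Sender -or $e.EventId -ne 'DELIVER') { continue }
        foreach ($rcpt in $e.Recipients) {
            # Keep only recipients in the organisation's own domains.
            $domain = ($rcpt -split '@')[-1]
            if ($InternalDomain -notcontains $domain) { continue }
            $key = "$($e.MessageId)|$rcpt"
            if ($seen.ContainsKey($key)) { continue }
            $seen[$key] = $true
            New-Object psobject -Property @{
                Timestamp      = $e.Timestamp
                Sender         = $e.Sender
                Recipient      = $rcpt
                MessageSubject = $e.MessageSubject   # empty if subject logging is disabled
                ServerHostname = $e.ServerHostname
            } | Select-Object Timestamp, Sender, Recipient, MessageSubject, ServerHostname
        }
    }
}

# Constructed sample events (invented values) so the function runs without Exchange.
$sampleEvents = @(
    @{ Timestamp = [datetime]'2010-12-08 09:15:02'; EventId = 'DELIVER'; Sender = 'partner@example.net'
       Recipients = @('ann@example.com', 'bob@example.com'); MessageId = '<m1@example.net>'
       MessageSubject = 'Quote'; ServerHostname = 'HUB01' },
    @{ Timestamp = [datetime]'2010-12-08 09:15:03'; EventId = 'DELIVER'; Sender = 'partner@example.net'
       Recipients = @('ann@example.com'); MessageId = '<m1@example.net>'
       MessageSubject = 'Quote'; ServerHostname = 'HUB02' },
    @{ Timestamp = [datetime]'2010-12-08 10:40:17'; EventId = 'DELIVER'; Sender = 'someone@example.org'
       Recipients = @('ann@example.com'); MessageId = '<m2@example.org>'
       MessageSubject = 'Other'; ServerHostname = 'HUB01' }
) | ForEach-Object { New-Object psobject -Property $_ }

Find-MailFromSender -Sender 'partner@example.net' -InternalDomain 'example.com' `
    -TrackingEvent $sampleEvents | Format-Table -AutoSize
```

On a live server, omit -TrackingEvent and pipe the result to Export-Csv -NoTypeInformation to keep a listing.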
Exchange 2007 Message tracking - find the source machine.
Hi,

We have a user who said that an email was sent from his account to another external user. The email looks to be some sort of virus however it's only 1 email. The user claims he never sent the email- however there is not nothing in his sent items. Using message tracking I can see the email that was sent. Is there a way to find out what PC this email was sent from? I need to gather more information about how and why this email was sent from this account?

Exchange 2007 Sp1 relaying email through an Ironport device.

Regards
Fergal O'Connell
RE: Exchange 2007 Message tracking - find the source machine.
In the message tracking, what is the source of the first RECEIVE event for this message? Is it STOREDRIVER or SMTP?

From: Fergal O'Connell [mailto:foconn...@curamsoftware.com]
Sent: Wednesday, September 29, 2010 8:38 AM
To: MS-Exchange Admin Issues
Subject: Exchange 2007 Message tracking - find the source machine.

Hi,

We have a user who said that an email was sent from his account to another external user. The email looks to be some sort of virus however it's only 1 email. The user claims he never sent the email- however there is not nothing in his sent items. Using message tracking I can see the email that was sent. Is there a way to find out what PC this email was sent from? I need to gather more information about how and why this email was sent from this account?

Exchange 2007 Sp1 relaying email through an Ironport device.

Regards
Fergal O'Connell
RE: Exchange 2007 Message tracking - find the source machine.
Wouldn't it be in the header of the email when it was received?

CFee
RE: Exchange 2007 Message tracking - find the source machine.
Storedriver

And the mail in the message header only shows our external IP address as is expected.

From: Campbell, Rob [mailto:rob_campb...@centraltechnology.net]
Sent: 29 September 2010 15:21
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007 Message tracking - find the source machine.

In the message tracking, what is the source of the first RECEIVE event for this message? Is it STOREDRIVER or SMTP?
RE: Exchange 2007 Message tracking - find the source machine.
If it says Storedriver, then it was sent from his mailbox on the Exchange server. The mailbox server's tracking logs don't record the receive events, so unless you had mailbox auditing enabled I don't think there's any way to determine what the client source was.

Have you checked the dumpster to see if it's there?

From: Fergal O'Connell [mailto:foconn...@curamsoftware.com]
Sent: Wednesday, September 29, 2010 9:55 AM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007 Message tracking - find the source machine.

Storedriver

And the mail in the message header only shows our external IP address as is expected.
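The check Rob asks for (the Source of the first RECEIVE event for the message), as an added PowerShell example that is not part of any message in this thread. Get-FirstReceive and the sample events are constructed; on a live server the input would be the objects returned by Get-MessageTrackingLog for the message in question.

```powershell
# Added example, not code from the thread. Get-FirstReceive and the sample
# events are constructed. Property names (Timestamp, EventId, Source, MessageId,
# ClientIp, ClientHostname) are those of the objects Get-MessageTrackingLog
# returns on Exchange 2007/2010. Needs PowerShell 2.0 or later.
function Get-FirstReceive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject] $TrackingEvent
    )
    begin   { $receives = New-Object System.Collections.ArrayList }
    process {
        if ($TrackingEvent.EventId -eq 'RECEIVE') { [void]$receives.Add($TrackingEvent) }
    }
    end {
        $receives | Group-Object -Property MessageId | ForEach-Object {
            # The earliest RECEIVE is where the message first entered transport.
            $first = $_.Group | Sort-Object -Property Timestamp | Select-Object -First 1
            switch ($first.Source) {
                'STOREDRIVER' {
                    $meaning = 'Sent from a mailbox on the Exchange server; the tracking log does not name the client PC.'
                    $next    = 'Check mailbox auditing (if it was enabled) and the dumpster.'
                }
                'SMTP' {
                    $meaning = 'Submitted to transport over SMTP; ClientIp/ClientHostname identify the submitting host.'
                    $next    = 'Identify the machine that held ClientIp at this time.'
                }
                default {
                    $meaning = "Source '$($first.Source)' is not classified by this example."
                    $next    = 'Review every event logged for this MessageId.'
                }
            }
            New-Object psobject -Property @{
                MessageId      = $first.MessageId
                FirstReceive   = $first.Timestamp
                Source         = $first.Source
                ClientIp       = $first.ClientIp
                ClientHostname = $first.ClientHostname
                Meaning        = $meaning
                NextStep       = $next
            } | Select-Object MessageId, FirstReceive, Source, ClientIp, ClientHostname, Meaning, NextStep
        }
    }
}

# Constructed sample events (invented hosts and addresses from documentation ranges).
$sample = @(
    @{ Timestamp = [datetime]'2010-09-29 13:02:11'; EventId = 'RECEIVE'; Source = 'STOREDRIVER'
       MessageId = '<one@example.com>'; ClientIp = ''; ClientHostname = 'MBX01' },
    @{ Timestamp = [datetime]'2010-09-29 13:02:12'; EventId = 'SEND'; Source = 'SMTP'
       MessageId = '<one@example.com>'; ClientIp = '192.0.2.10'; ClientHostname = 'HUB01' },
    @{ Timestamp = [datetime]'2010-09-29 13:10:44'; EventId = 'RECEIVE'; Source = 'SMTP'
       MessageId = '<two@example.com>'; ClientIp = '192.0.2.77'; ClientHostname = 'WKSTN-077' },
    @{ Timestamp = [datetime]'2010-09-29 13:10:46'; EventId = 'RECEIVE'; Source = 'SMTP'
       MessageId = '<two@example.com>'; ClientIp = '192.0.2.10'; ClientHostname = 'HUB01' }
) | ForEach-Object { New-Object psobject -Property $_ }

$sample | Get-FirstReceive | Format-List

# Live use (Exchange Management Shell), with the Message-ID taken from the tracking result:
#   Get-MessageTrackingLog -MessageId '<message-id>' | Get-FirstReceive
```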
Exporting results of message tracking?
On Exchange 2003, if I use the Message Tracking Centre to search for messages it can produce quite a long list.

Is there a way to export it as sending a bunch of screenshots at different scroll points looks a bit naff...
RE: Exporting results of message tracking?
Right-click export-to-xml

See the XSL that helps here:

http://theessentialexchange.com/blogs/michael/archive/2007/11/13/exchange-message-tracking.aspx

(I see I have a dead picture link, I'll check that out, but it doesn't affect the content you need.)

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Wednesday, September 15, 2010 1:12 PM
To: MS-Exchange Admin Issues
Subject: Exporting results of message tracking?

On Exchange 2003, if I use the Message Tracking Centre to search for messages it can produce quite a long list.

Is there a way to export it as sending a bunch of screenshots at different scroll points looks a bit naff...
RE: Exporting results of message tracking?
Silly question I'm sure but right-click where - there's nothing I can see in ESM?

I've read the article and I'm not entirely clear tbh, I have three months' worth of logs and would like a list of messages sent to a given address.

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: 15 September 2010 18:18
To: MS-Exchange Admin Issues
Subject: RE: Exporting results of message tracking?

Right-click export-to-xml

See the XSL that helps here:

http://theessentialexchange.com/blogs/michael/archive/2007/11/13/exchange-message-tracking.aspx

(I see I have a dead picture link, I'll check that out, but it doesn't affect the content you need.)

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
RE: Exporting results of message tracking?
Given how much data you have, you might be better off with this, instead:

http://theessentialexchange.com/blogs/michael/archive/2007/11/13/more-exchange-message-tracking.aspx

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Wednesday, September 15, 2010 1:25 PM
To: MS-Exchange Admin Issues
Subject: RE: Exporting results of message tracking?

Silly question I'm sure but right-click where - there's nothing I can see in ESM?

I've read the article and I'm not entirely clear tbh, I have three months' worth of logs and would like a list of messages sent to a given address.
RE: Exporting results of message tracking?
Ahh sorry I don't want an export of the tracking for each message from message history, just a simple from/to/subject/date listing for a given recipient and a given date range, literally what the message tracking centre shows you but won't let you do anything with.

I've read the link and I'm being dumb but I don't get it - do I run that on the Exchange box or copy the logs off somewhere local (and safe) or what exactly? I'm not a coder but from what I can make out it works against a single tracking log and I have 90 or so.

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: 15 September 2010 18:31
To: MS-Exchange Admin Issues
Subject: RE: Exporting results of message tracking?

Given how much data you have, you might be better off with this, instead:

http://theessentialexchange.com/blogs/michael/archive/2007/11/13/more-exchange-message-tracking.aspx

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
RE: Exporting results of message tracking?
That's cool, thanks Michael. For what I need this time around I'll just make do with screenshots. In a few months we should be on Exchange 2010 so if the need arises then, I'll re-explore the options.

Thanks again.
Re: LogParser and Message Tracking
Michael,

The command you provided worked perfectly, thanks so much!

- Sean

On Wed, Aug 11, 2010 at 4:47 PM, Michael B. Smith mich...@smithcons.com wrote:

So? Does logparser work for you otherwise?

LogParser.exe -i:W3C -o:TSV select TO_TIMESTAMP( STRCAT( '2010-09-10', STRCAT(' ', STRREV( SUB( STRREV( TIME ) , 'TMG ') ))),'-MM-dd h:m:s') AS DateTime, Recipient-Address AS RcptAddress, MSGID, Number-Recipients AS NumRcpts, Message-Subject AS Subject, Sender-Address AS Sender from 20100812.log to myfile.tab GROUP BY DateTime, MSGID, Recipient-Address, Number-Recipients, Message-Subject, Sender-Address -filemode:0

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Sean Martin [mailto:seanmarti...@gmail.com]
Sent: Wednesday, August 11, 2010 8:42 PM
To: MS-Exchange Admin Issues
Subject: Re: LogParser and Message Tracking

Yes, it is enabled. I can find the subject in various logs manually, just trying to figure why logparser won't find it.

On Aug 11, 2010, at 4:34 PM, Michael B. Smith mich...@smithcons.com wrote:

Well, the number one question I have is whether you have “subject logging” turned on for that Exchange server…

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Sean Martin [mailto:seanmarti...@gmail.com]
Sent: Wednesday, August 11, 2010 4:12 PM
To: MS-Exchange Admin Issues
Subject: LogParser and Message Tracking

Hello all,

I'm trying to use log parser against my Exchange 2003 Message Tracking logs to gather some data. Initially, I'm just trying to count the number of e-mail messages with a specific subject line. I'm running the following command against a log that I know contains messages with the subject in question, however my results are returning 0 instances. Here's the command I'm running:

logparser.exe -i:W3C SELECT * FROM '\\ServerName\Path\LogName' WHERE Message-Subject like'ExampleSubject' -O:CSV c:\test.csv

I'm actually calling this from another batch script so that I can pass the log name as a variable, since my goal is to search all logs. I've also tried specifying a single log file name that I know contains what I'm looking for.

Ultimately I'd like to capture the sender and recipient information for all messages sent with a specific subject, but I think I need to at least get an idea of how many messages I'm dealing with.

Any help would be greatly appreciated.

- Sean
RE: LogParser and Message Tracking
At that moment when the wheels begin to turn the brain, usually think to myself now gone, there comes a deep breath buckshot! LOL

From: Sean Martin [mailto:seanmarti...@gmail.com]
Sent: Thursday, August 12, 2010 10:39 AM
To: MS-Exchange Admin Issues
Subject: Re: LogParser and Message Tracking

Rubens,

I appreciate the link. Your examples actually proved quite informative. Plus, it was an entertaining read after having Google translate the site for me.

http://tinyurl.com/245tmws

- Sean

On Thu, Aug 12, 2010 at 7:37 AM, Sean Martin seanmarti...@gmail.com wrote:

Michael,

The command you provided worked perfectly, thanks so much!

- Sean
LogParser and Message Tracking
Hello all, I'm trying to use log parser against my Exchange 2003 Message Tracking logs to gather some data. Initially, I'm just trying to count the number of e-mail messages with a specific subject line. I'm running the following command against a log that I know contains messages with the subject in question, however my results are returning 0 instances. Here's the command I'm running: logparser.exe -i:W3C SELECT * FROM '\\ServerName\Path\LogName' WHERE Message-Subject like'ExampleSubject' -O:CSV c:\test.csv I'm actually calling this from another batch script so that I can pass the log name as a variable, since my goal is to search all logs. I've also tried specifying a single log file name that I know contains what I'm looking for. Ultimately I'd like to capture the sender and recipient information for all messages sent with a specific subject, but I think I need to at least get an idea of how many messages I'm dealing with. Any help would be greatly appreciated. - Sean
RE: LogParser and Message Tracking
Well, the number one question I have is whether you have subject logging turned on for that Exchange server... Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Sean Martin [mailto:seanmarti...@gmail.com] Sent: Wednesday, August 11, 2010 4:12 PM To: MS-Exchange Admin Issues Subject: LogParser and Message Tracking Hello all, I'm trying to use log parser against my Exchange 2003 Message Tracking logs to gather some data. Initially, I'm just trying to count the number of e-mail messages with a specific subject line. I'm running the following command against a log that I know contains messages with the subject in question, however my results are returning 0 instances. Here's the command I'm running: logparser.exe -i:W3C SELECT * FROM '\\ServerName\Path\LogName' WHERE Message-Subject like'ExampleSubject' -O:CSV c:\test.csv I'm actually calling this from another batch script so that I can pass the log name as a variable, since my goal is to search all logs. I've also tried specifying a single log file name that I know contains what I'm looking for. Ultimately I'd like to capture the sender and recipient information for all messages sent with a specific subject, but I think I need to at least get an idea of how many messages I'm dealing with. Any help would be greatly appreciated. - Sean
Re: LogParser and Message Tracking
Yes, it is enabled. I can find the subject in various logs manually, just trying to figure why logparser won't find it. On Aug 11, 2010, at 4:34 PM, Michael B. Smith mich...@smithcons.com wrote: Well, the number one question I have is whether you have “subject logging” turned on for that Exchange server… Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Sean Martin [mailto:seanmarti...@gmail.com] Sent: Wednesday, August 11, 2010 4:12 PM To: MS-Exchange Admin Issues Subject: LogParser and Message Tracking Hello all, I'm trying to use log parser against my Exchange 2003 Message Tracking logs to gather some data. Initially, I'm just trying to count the number of e-mail messages with a specific subject line. I'm running the following command against a log that I know contains messages with the subject in question, however my results are returning 0 instances. Here's the command I'm running: logparser.exe -i:W3C SELECT * FROM '\\ServerName\Path\LogName' WHERE Message-Subject like'ExampleSubject' -O:CSV c:\test.csv I'm actually calling this from another batch script so that I can pass the log name as a variable, since my goal is to search all logs. I've also tried specifying a single log file name that I know contains what I'm looking for. Ultimately I'd like to capture the sender and recipient information for all messages sent with a specific subject, but I think I need to at least get an idea of how many messages I'm dealing with. Any help would be greatly appreciated. - Sean
Re: LogParser and Message Tracking
This is where my inexperience with logparser starts to shine. I use it successfully to gather activesync data from the logs on my frontend server, but that involves a pre-built sql query I found on one of the exchange sites. I'll give your example a shot when I'm back in the office tomorrow. Thanks! - Sean On Aug 11, 2010, at 4:47 PM, Michael B. Smith mich...@smithcons.com wrote: So? Does logparser work for you otherwise? LogParser.exe -i:W3C -o:TSV select TO_TIMESTAMP( STRCAT ( '2010-09-10', STRCAT(' ', STRREV( SUB( STRREV( TIME ) , 'TMG ') ))),'-MM-dd h:m:s') AS DateTime, Recipient-Address AS RcptAddress, MSGID, Number-Recipients AS NumRcpts, Message-Subject AS Subject, Sender-Address AS Sender from 20100812.log to myfile.tab GROUP BY DateTime, MSGID, Recipient-Address, Number-Recipients, Message-Subject, Sender-Address -filemode:0 Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Sean Martin [mailto:seanmarti...@gmail.com] Sent: Wednesday, August 11, 2010 8:42 PM To: MS-Exchange Admin Issues Subject: Re: LogParser and Message Tracking Yes, it is enabled. I can find the subject in various logs manually, just trying to figure why logparser won't find it. On Aug 11, 2010, at 4:34 PM, Michael B. Smith mich...@smithcons.com wrote: Well, the number one question I have is whether you have “subject logging” turned on for that Exchange server… Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Sean Martin [mailto:seanmarti...@gmail.com] Sent: Wednesday, August 11, 2010 4:12 PM To: MS-Exchange Admin Issues Subject: LogParser and Message Tracking Hello all, I'm trying to use log parser against my Exchange 2003 Message Tracking logs to gather some data. Initially, I'm just trying to count the number of e-mail messages with a specific subject line.
I'm running the following command against a log that I know contains messages with the subject in question, however my results are returning 0 instances. Here's the command I'm running: logparser.exe -i:W3C SELECT * FROM '\\ServerName\Path\LogName' WHERE Message-Subject like'ExampleSubject' -O:CSV c:\test.csv I'm actually calling this from another batch script so that I can pass the log name as a variable, since my goal is to search all logs. I've also tried specifying a single log file name that I know contains what I'm looking for. Ultimately I'd like to capture the sender and recipient information for all messages sent with a specific subject, but I think I need to at least get an idea of how many messages I'm dealing with. Any help would be greatly appreciated. - Sean
Re: LogParser and Message Tracking
I've been playing with PowerShell, LogParser and Tracking logs on a major issue at one of our clients, and I've put some information about it on my blog. The problem is it's in Portuguese... If you don't mind that, you can try to read the PS and LP code here: http://rcalmeida.net/blog/?p=93 Hope it helps :) On Wed, Aug 11, 2010 at 5:11 PM, Sean Martin seanmarti...@gmail.com wrote: Hello all, I'm trying to use log parser against my Exchange 2003 Message Tracking logs to gather some data. Initially, I'm just trying to count the number of e-mail messages with a specific subject line. I'm running the following command against a log that I know contains messages with the subject in question, however my results are returning 0 instances. Here's the command I'm running: logparser.exe -i:W3C SELECT * FROM '\\ServerName\Path\LogName' WHERE Message-Subject like'ExampleSubject' -O:CSV c:\test.csv I'm actually calling this from another batch script so that I can pass the log name as a variable, since my goal is to search all logs. I've also tried specifying a single log file name that I know contains what I'm looking for. Ultimately I'd like to capture the sender and recipient information for all messages sent with a specific subject, but I think I need to at least get an idea of how many messages I'm dealing with. Any help would be greatly appreciated. - Sean
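The goal stated in this thread (how many messages carry a given subject, and who sent and received them) needs de-duplication, because a tracking log holds several rows per message, one per event and recipient; Michael's query handles that with GROUP BY. The following is an added example, not code from any poster: a Python sketch that groups rows by MSGID. It assumes a tab-separated log whose column names sit on a "# Date<TAB>Time..." header line and whose time values end in " GMT"; the column subset, addresses, subjects and Event-ID values are constructed.

```python
from datetime import datetime

# Constructed sample. Assumed layout: "#" comment lines, one "#" line that
# carries the tab-separated column names, then tab-separated data rows.
_HEADER = ["Date", "Time", "Recipient-Address", "Event-ID", "MSGID",
           "Number-Recipients", "Message-Subject", "Sender-Address"]
_A = ["<A1@mail.example.com>", "2", "Quarterly Invoice attached", "billing@example.net"]
_B = ["<B2@mail.example.com>", "1", "RE: quarterly invoice attached", "amy@example.com"]
_C = ["<C3@mail.example.com>", "1", "Lunch?", "bob@example.com"]
_ROWS = [
    ["2010-8-12", "0:0:12 GMT", "amy@example.com", "1027"] + _A,
    ["2010-8-12", "0:0:12 GMT", "Bob@example.com", "1027"] + _A,
    ["2010-8-12", "0:0:13 GMT", "amy@example.com", "1028"] + _A,
    ["2010-8-12", "0:0:13 GMT", "bob@example.com", "1028"] + _A,
    ["2010-8-12", "9:30:5 GMT", "carl@example.com", "1027"] + _B,
    ["2010-8-12", "9:30:6 GMT", "carl@example.com", "1028"] + _B,
    ["2010-8-12", "10:1:0 GMT", "amy@example.com", "1027"] + _C,
    ["2010-8-12", "11:0:0 GMT", "amy@example.com"],  # truncated row
]
SAMPLE_LOG = "\n".join(
    ["# Message Tracking Log File (constructed sample)", "# " + "\t".join(_HEADER)]
    + ["\t".join(r) for r in _ROWS]
)


def parse_tracking_log(text):
    """Yield one dict per complete data row, keyed by the header's column names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            cols = line.lstrip("# ").split("\t")
            if "MSGID" in cols:          # this comment line is the column header
                fields = cols
            continue
        if fields is None:
            continue                     # data before any header: cannot be keyed
        values = line.split("\t")
        if len(values) != len(fields):
            continue                     # skip truncated or malformed rows
        yield dict(zip(fields, values))


def _timestamp(row):
    """Combine Date and Time, dropping the trailing ' GMT' marker."""
    clock = row["Time"]
    if clock.endswith(" GMT"):
        clock = clock[:-4]
    return datetime.strptime(row["Date"] + " " + clock, "%Y-%m-%d %H:%M:%S")


def messages_with_subject(rows, needle):
    """Return {MSGID: details} for messages whose subject contains needle.

    Matching is a case-insensitive substring test. Rows are grouped by MSGID
    so that a message logged once per event and recipient is counted once.
    """
    needle = needle.lower()
    found = {}
    for row in rows:
        if needle not in row["Message-Subject"].lower():
            continue
        seen = _timestamp(row)
        msg = found.setdefault(row["MSGID"], {
            "sender": row["Sender-Address"].lower(),
            "subject": row["Message-Subject"],
            "first_seen": seen,
            "recipients": set(),
            "rows": 0,
        })
        msg["first_seen"] = min(msg["first_seen"], seen)
        msg["recipients"].add(row["Recipient-Address"].lower())
        msg["rows"] += 1
    return found


if __name__ == "__main__":
    hits = messages_with_subject(parse_tracking_log(SAMPLE_LOG), "quarterly invoice")
    print(len(hits), "distinct messages")
    for msgid, m in hits.items():
        print(m["first_seen"], msgid, m["sender"], "->", ", ".join(sorted(m["recipients"])))
```
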
RE: restoring and replaying message tracking logs
That is exactly right. You can restore all your tracking log files and search via esm, or for that matter there are a couple of good utilities to search the logs with, even I have access to a powershell script that searches the logs. All you have to do is have them in the right directory and exchange will search through them. From: KevinM [mailto:kev...@wlkmmas.org] Sent: Monday, August 10, 2009 7:41 PM To: MS-Exchange Admin Issues Subject: RE: restoring and replaying message tracking logs The default setting is to keep tracking logs for only 7 days. If I recall... If you want more turn it up. I cannot think of a way to restore tracking logs; I'm thinking SOL there. ~Kevinm WLKMMAS- This message is Certified Swine Flu Free My life http://www.hedonists.ca/ From: Eldridge, Dave [mailto:d...@parkviewmc.com] Sent: Monday, August 10, 2009 3:07 PM To: MS-Exchange Admin Issues Subject: restoring and replaying message tracking logs Exchange 2003 sp2 Is it possible to restore older tracking logs and replay them within ESM Message tracking? Somehow my logs got reset to 7 days before they fall off. Is it just a matter of disk space as far as how long to keep them? thanks This e-mail contains the thoughts and opinions of the sender and does not represent official Parkview Medical Center policy. This communication is intended only for the recipient(s) named above, may be confidential and/or legally privileged: and, must be treated as such in accordance with state and federal laws. If you are not the intended recipient, you are hereby notified that any use of this communication, or any of its contents, is prohibited. If you have received this communication in error, please return to sender and delete the message from your computer system.
restoring and replaying message tracking logs
Exchange 2003 sp2 Is it possible to restore older tracking logs and replay them within ESM Message tracking? Somehow my logs got reset to 7 days before they fall off. Is it just a matter of disk space as far as how long to keep them? thanks This message contains confidential information and is intended only for the intended recipient(s). If you are not the named recipient you should not read, distribute or copy this e-mail. Please notify the sender immediately via e-mail if you have received this e-mail by mistake; then, delete this e-mail from your system.
RE: restoring and replaying message tracking logs
The default setting is to keep tracking logs for only 7 days. If I recall... If you want more turn it up. I cannot think of a way to restore tracking logs; I'm thinking SOL there. ~Kevinm WLKMMAS- This message is Certified Swine Flu Free My life http://www.hedonists.ca/ From: Eldridge, Dave [mailto:d...@parkviewmc.com] Sent: Monday, August 10, 2009 3:07 PM To: MS-Exchange Admin Issues Subject: restoring and replaying message tracking logs Exchange 2003 sp2 Is it possible to restore older tracking logs and replay them within ESM Message tracking? Somehow my logs got reset to 7 days before they fall off. Is it just a matter of disk space as far as how long to keep them? thanks
RE: 2k3 message tracking-Resolved
Thanks to all for the suggestions. I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password. Looks like the phishers have a script that runs against owa and sends out all the spam. The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they've been through security training (twice) that addresses this exact issue. Oh well, job security. One last question. Is it possible to tell if the emails were dumped into the exchange server via owa or an outlook client. I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA. -Original Message- From: Jason Gurtz [mailto:jasongu...@npumail.com] Sent: Tuesday, July 21, 2009 3:49 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking When I reset the password on the two accounts that were sending all the spam, it stopped and hasn’t returned so the only conclusion I’ve come up with is that these two accounts got their password stolen, and then some script or bot accessed their OWA account and sent all the spam. Does that sound possible/logical? Sounds like the users were phished and from what I've heard, this is very common at edu's. You might want to check out installing something like Untangle which has an anti-phishing filter http://www.untangle.com/ in front of your mail server(s). If you're motivated enough to install a Linux based mail gateway you may be able to use this nifty scanning software called Kochi which actually tries to authenticate to your AD: http://oss.lboro.ac.uk/kochi1.html I guess there's some client based tools too to stem the flow of passwords through the browser, check out the Wikipedia article for a list of things to try: http://en.wikipedia.org/wiki/Anti-phishing_software ~JasonG
RE: 2k3 message tracking-Resolved
If they used the mailbox (Outlook or OWA) you'd see something in sent items. This telnet is from my workstation to one of our bridgeheads to a hotmail account. It isn’t in my sent items but the hotmail account got it. I’d guess the script used did the same thing, just a whole lot faster! -Original Message- From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Wednesday, July 22, 2009 9:08 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Thanks to all for the suggestions. I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password. Looks like the phishers have a script that runs against owa and sends out all the spam. The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they've been through security training (twice) that addresses this exact issue. Oh well, job security. One last question. Is it possible to tell if the emails were dumped into the exchange server via owa or an outlook client. I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA. -Original Message- From: Jason Gurtz [mailto:jasongu...@npumail.com] Sent: Tuesday, July 21, 2009 3:49 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking When I reset the password on the two accounts that were sending all the spam, it stopped and hasn’t returned so the only conclusion I’ve come up with is that these two accounts got their password stolen, and then some script or bot accessed their OWA account and sent all the spam. Does that sound possible/logical? Sounds like the users were phished and from what I've heard, this is very common at edu's. You might want to check out installing something like Untangle which has an anti-phishing filter http://www.untangle.com/ in front of your mail server(s). If you're motivated enough to install a Linux based mail gateway you may be able to use this nifty scanning software called Kochi which actually tries to authenticate to your AD: http://oss.lboro.ac.uk/kochi1.html I guess there's some client based tools too to stem the flow of passwords through the browser, check out the Wikipedia article for a list of things to try: http://en.wikipedia.org/wiki/Anti-phishing_software ~JasonG
RE: 2k3 message tracking-Resolved
Can you find the logons in your server's IIS logs? I'm guessing they are going to show a lot of activity if it came through via OWA. -Bonnie -Original Message- From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Wednesday, July 22, 2009 6:08 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Thanks to all for the suggestions. I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password. Looks like the phishers have a script that runs against owa and sends out all the spam. The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they've been through security training (twice) that addresses this exact issue. Oh well, job security. One last question. Is it possible to tell if the emails were dumped into the exchange server via owa or an outlook client. I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA. -Original Message- From: Jason Gurtz [mailto:jasongu...@npumail.com] Sent: Tuesday, July 21, 2009 3:49 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking When I reset the password on the two accounts that were sending all the spam, it stopped and hasn’t returned so the only conclusion I’ve come up with is that these two accounts got their password stolen, and then some script or bot accessed their OWA account and sent all the spam. Does that sound possible/logical? Sounds like the users were phished and from what I've heard, this is very common at edu's. You might want to check out installing something like Untangle which has an anti-phishing filter http://www.untangle.com/ in front of your mail server(s).
If you're motivated enough to install a Linux based mail gateway you may be able to use this nifty scanning software called Kochi which actually tries to authenticate to your AD: http://oss.lboro.ac.uk/kochi1.html I guess there's some client based tools too to stem the flow of passwords through the browser, check out the Wikipedia article for a list of things to try: http://en.wikipedia.org/wiki/Anti-phishing_software ~JasonG
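Bonnie's suggestion above, looking in the IIS logs for OWA activity by the affected accounts, as an added example that is not code from the thread. It is a Python sketch that tallies authenticated requests per user; it assumes W3C extended logs with a "#Fields:" directive, OWA served under /exchange/, and POST volume as a rough proxy for sending. The log lines, user names and IP addresses are constructed.

```python
from collections import defaultdict

# Constructed sample. The second "#Fields:" directive changes the column
# order mid-file, as happens when logging settings change between restarts.
_BURST = [
    f"2009-07-20 03:10:{s:02d} 203.0.113.7 CAMPUS\\jdoe POST /exchange/jdoe/Drafts/ 200"
    for s in range(40)
]
SAMPLE_IIS_LOG = "\n".join(
    [
        "#Software: constructed sample in IIS W3C extended format",
        "#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status",
        "2009-07-20 02:58:41 10.0.0.5 CAMPUS\\jdoe GET /exchange/jdoe/Inbox/ 200",
        "2009-07-20 02:58:44 10.0.0.5 CAMPUS\\jdoe GET /exchange/jdoe/Inbox/ 200",
        "2009-07-20 03:09:58 203.0.113.7 - GET /exchange/ 401",
    ]
    + _BURST
    + [
        "#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status",
        "2009-07-20 08:15:02 GET /exchange/asmith/Inbox/ CAMPUS\\asmith 10.0.0.8 200",
        "2009-07-20 08:16:30 POST /exchange/asmith/Drafts/ CAMPUS\\asmith 10.0.0.8 200",
        "2009-07-20 08:17:00 GET /public/ CAMPUS\\jdoe 10.0.0.5 200",
    ]
)


def owa_activity(log_text, vdir="/exchange/"):
    """Tally authenticated requests under vdir per user.

    Returns {username: {"requests": int, "posts": int, "ips": set}}.
    Column positions are re-read at every "#Fields:" directive.
    """
    stats = defaultdict(lambda: {"requests": 0, "posts": 0, "ips": set()})
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed or truncated line
        row = dict(zip(fields, values))
        user = row.get("cs-username", "-").lower()
        if user == "-":
            continue                      # anonymous request, no account to attribute
        if not row.get("cs-uri-stem", "").lower().startswith(vdir):
            continue                      # not an OWA request
        entry = stats[user]
        entry["requests"] += 1
        if row.get("cs-method") == "POST":
            entry["posts"] += 1
        if "c-ip" in row:
            entry["ips"].add(row["c-ip"])
    return dict(stats)


def suspicious_senders(stats, min_posts):
    """Users whose OWA POST count reaches min_posts, for manual review."""
    return sorted(user for user, s in stats.items() if s["posts"] >= min_posts)


if __name__ == "__main__":
    activity = owa_activity(SAMPLE_IIS_LOG)
    for user in suspicious_senders(activity, min_posts=20):
        s = activity[user]
        print(user, s["posts"], "POSTs from", ", ".join(sorted(s["ips"])))
```

A high POST count from an address the user does not normally connect from points to scripted OWA use; the threshold has to be tuned to normal traffic on the server being examined.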
Re: 2k3 message tracking-Resolved
You have to be joking! Jason G. help him... -- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following:
RE: 2k3 message tracking-Resolved
Ok, I have no idea what did that. If someone can clue-by-four me on what I did wrong, I'd sure appreciate it... Outlook 2K7, E2K3, and a snag-it screenshot. Text of my message was this- If they used the mailbox (Outlook or OWA) you'd see something in sent items. This telnet is from my workstation to one of our bridgeheads to a hotmail account. It isn't in my sent items but the hotmail account got it. I'd guess the script used did the same thing, just a whole lot faster! With a message tracking screenshot... -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 9:54 AM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved You have to be joking! Jason G. help him... -- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following: snip
RE: 2k3 message tracking-Resolved
It looked fine for me Ronald Wulff Jr 412.288.3601 rwu...@reedsmith.com Reed Smith LLP 20 Stanwix St Suite 1200 Pittsburgh, PA 15222 -Original Message- From: pramatow...@mediageneral.com [mailto:pramatow...@mediageneral.com] Sent: Wednesday, July 22, 2009 10:13 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Ok, I have no idea what did that. if someone can clue-by-four me on what I did wrong, I'd sure appreciate it... Outlook 2K7, E2K3, and a snag-it screenshot. Text of my message was this- If they used the mailbox (Outlook or OWA) you'd see something in sent items. This telnet is from my workstation to one of our bridgeheads to a hotmail account. It isn't in my sent items but the hotmail account got it. I'd guess the script used did the same thing, just a whole lot faster! With a message tracking screenshot... -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 9:54 AM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved You have to be joking! Jason G. help him... -- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following: snip * * * This E-mail, along with any attachments, is considered confidential and may well be legally privileged. If you have received it in error, you are on notice of its status. Please notify us immediately by reply e-mail and then delete this message from your system. Please do not copy it or use it for any purposes, or disclose its contents to any other person. Thank you for your cooperation. * * * To ensure compliance with Treasury Department regulations, we inform you that, unless otherwise indicated in writing, any U.S. 
Federal tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (1) avoiding penalties under the Internal Revenue Code or applicable state and local provisions or (2) promoting, marketing or recommending to another party any tax-related matters addressed herein. Disclaimer Version RS.US.1.01.03 pdc1
Making sure all can read... (was RE: 2k3 message tracking-Resolved)
All: Because Listserv seems to subtly break mime headers, posting to the list in anything other than a plain-text 8-bit charset will likely result in some people being unable to read your message. Also, sending mail in UTF will cause those who use Eudora to Kvetch endlessly until you fix your posting style (but don't EVER suggest they switch to something that's supported!) ;) I sure am glad I don't use my gmail for reading mailing lists! ~JasonG -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 09:54 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved You have to be joking! Jason G. help him... -- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following:
RE: 2k3 message tracking-Resolved
Yes the sent messages are on the two users sent item folder. Thousands of them. From: pramatow...@mediageneral.com [mailto:pramatow...@mediageneral.com] Sent: Wednesday, July 22, 2009 9:48 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved If they used the mailbox (Outlook or OWA) you'd see something in sent items. This telnet is from my workstation to one of our bridgeheads to a hotmail account. It isn’t in my sent items but the hotmail account got it. I’d guess the script used did the same thing, just a whole lot faster! -Original Message- From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Wednesday, July 22, 2009 9:08 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Thanks to all for the suggestions. I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password. Looks like the phishers have a script that runs against owa and sends out all the spam. The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they've been through security training (twice) that addresses this exact issue. Oh well, job security. One last question. Is it possible to tell if the email were dumped into the exchange server via owa or an outlook client. I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA. -Original Message- From: Jason Gurtz [mailto:jasongu...@npumail.com] Sent: Tuesday, July 21, 2009 3:49 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking When I reset the password on the two accounts that were sending all the spam, it stopped and hasn’t returned so the only conclusion I’ve come up with is that these two accounts got their password stolen, and then some script or bot accessed their OWA account and sent all the spam. Does that sound possible/logical? Sounds like the users were phished and from what I've heard, this is very common at edu's. 
You might want to check out installing something like Untangle which has an anti-phishing filter http://www.untangle.com/ in front of your mail server(s). If you're motivated enough to install a Linux based mail gateway you may be able to use this nifty scanning software called Kochi which actually tries to authenticate to your AD: http://oss.lboro.ac.uk/kochi1.html I guess there's some client based tools too to stem the flow of passwords through the browser, check out the Wikipedia article for a list of things to try: http://en.wikipedia.org/wiki/Anti-phishing_software ~JasonG
Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
Thank you for the clarification. So *without* using my Mozilla mail client, a quick glance at the online posting (second iframe) at: http://lyris.sunbelt-software.com/read/messages?id=746292 and expanding thus: http://lyris.sunbelt-software.com/read/archive?id=746296 sort of says it all. I think it behoves us all to post in a neat and clear manner, without HUGE sigs and disclaimers, graphics and other unnecessary additions, reasonably spell checked and grammatically correct to the best of our abilities. For heaven's sake people, how difficult is it to create an additional identity (text only) for posting to this list? -- Peter van Houten On the 22/07/2009 16:20, Jason Gurtz wrote the following: All: Because Listserv seems to subtly break mime headers, posting to the list in anything other than a plain-text 8-bit charset will likely result in some people being unable to read your message. Also, sending mail in UTF will cause those who use Eudora to Kvetch endlessly until you fix your posting style (but don't EVER suggest they switch to something that's supported!) ;) I sure am glad I don't use my gmail for reading mailing lists! ~JasonG -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 09:54 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved You have to be joking! Jason G. help him... -- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following: +ADw-html xmlns:v+AD0AIg-urn:schemas-microsoft-com:vml+ACI- xmlns:o+AD0AIg-urn:schemas-microsoft-com:office:office+ACI- xmlns:w+AD0AIg-urn:schemas-microsoft-com:office:word+ACI- xmlns:m+AD0AIg-http://schemas.microsoft.com/office/2004/12/omml+ACI- snip
RE: 2k3 message tracking-Resolved
I don't see anything referencing logins in the IIS logs. Anyone care to share what it looks like so I know what I'm searching for? Maybe I don't have the logging configured correctly or am not looking for the right thing. All I see in the log is the get, search and propfind and search verbs. -Original Message- From: Miller Bonnie L. [mailto:mille...@mukilteo.wednet.edu] Sent: Wednesday, July 22, 2009 9:48 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Can you find the logons in your server's IIS logs? I'm guessing they are going to show a lot of activity if it came through via OWA. -Bonnie -Original Message- From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Wednesday, July 22, 2009 6:08 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Thanks to all for the suggestions. I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password. Looks like the phishers have a script that runs against owa and sends out all the spam. The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they've been through security training (twice) that addresses this exact issue. Oh well, job security. One last question. Is it possible to tell if the email were dumped into the exchange server via owa or an outlook client. I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA. -Original Message- From: Jason Gurtz [mailto:jasongu...@npumail.com] Sent: Tuesday, July 21, 2009 3:49 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking When I reset the password on the two accounts that were sending all the spam, it stopped and hasn’t returned so the only conclusion I’ve come up with is that these two accounts got their password stolen, and then some script or bot accessed their OWA account and sent all the spam. Does that sound possible/logical? 
Sounds like the users were phished and from what I've heard, this is very common at edu's. You might want to check out installing something like Untangle which has an anti-phishing filter http://www.untangle.com/ in front of your mail server(s). If you're motivated enough to install a Linux based mail gateway you may be able to use this nifty scanning software called Kochi which actually tries to authenticate to your AD: http://oss.lboro.ac.uk/kochi1.html I guess there's some client based tools too to stem the flow of passwords through the browser, check out the Wikipedia article for a list of things to try: http://en.wikipedia.org/wiki/Anti-phishing_software ~JasonG
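The IIS log check suggested in the message above, as an added example that is not from any poster in this thread: it parses an IIS W3C extended log, groups authenticated OWA requests by cs-username, and flags accounts with unusually high volume or several external source addresses. The `/exchange` virtual directory, the 10.0.0.0/8 internal range, the threshold and all sample log rows are assumptions constructed for the demonstration, and it only works if cs-username is among the logged fields.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

OWA_PREFIX = "/exchange"                 # assumed OWA virtual directory
INTERNAL = [ip_network("10.0.0.0/8")]    # assumed internal address range


def build_sample():
    """Constructed IIS W3C extended log; all names, IPs and URIs are made up."""
    head = [
        "#Software: Microsoft Internet Information Services 6.0",
        "#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status",
    ]
    rows = [
        "2009-07-21 13:02:11 10.1.2.3 EXAMPLE\\alice GET /exchange/alice/Inbox 200",
        "2009-07-21 13:02:15 10.1.2.3 EXAMPLE\\alice PROPFIND /exchange/alice/Inbox 207",
        "2009-07-21 13:05:40 10.1.2.3 EXAMPLE\\alice POST /exchange/alice/Drafts 302",
        # anonymous request (cs-username is "-"), must be ignored
        "2009-07-21 13:06:00 192.0.2.9 - GET /exchweb/img/logo.gif 200",
    ]
    # One request a minute for an hour, alternating between two outside addresses
    for i in range(60):
        ip = "198.51.100.7" if i % 2 else "203.0.113.50"
        rows.append(
            f"2009-07-21 03:{i:02d}:00 {ip} EXAMPLE\\bob POST /exchange/bob/Drafts 302"
        )
    # IIS writes a new header after a restart; the column order may differ
    tail = [
        "#Fields: date time cs-username c-ip cs-method cs-uri-stem sc-status",
        "2009-07-21 14:00:00 EXAMPLE\\alice 10.1.2.3 SEARCH /exchange/alice/Inbox 207",
    ]
    return "\n".join(head + rows + tail)


def parse_w3c(text):
    """Yield one dict per data row, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed row
        yield dict(zip(fields, parts))


def summarize(records, prefix=OWA_PREFIX):
    """Per-account request count, verb histogram and source addresses for OWA."""
    stats = defaultdict(lambda: {"requests": 0, "methods": Counter(), "ips": set()})
    for rec in records:
        user = rec.get("cs-username", "-")
        stem = rec.get("cs-uri-stem", "").lower()
        if user == "-" or not stem.startswith(prefix):
            continue
        entry = stats[user.lower()]
        entry["requests"] += 1
        entry["methods"][rec.get("cs-method", "?")] += 1
        entry["ips"].add(rec.get("c-ip", "-"))
    return dict(stats)


def is_external(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL)


def flag_accounts(stats, max_requests=50):
    """Return {account: [reasons]} for accounts that deserve a closer look."""
    findings = {}
    for user, entry in stats.items():
        reasons = []
        if entry["requests"] > max_requests:
            reasons.append(f"{entry['requests']} OWA requests")
        external = sorted(ip for ip in entry["ips"] if is_external(ip))
        if len(external) > 1:
            reasons.append("multiple external sources: " + ", ".join(external))
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    summary = summarize(parse_w3c(build_sample()))
    for account, why in flag_accounts(summary).items():
        print(account, "->", "; ".join(why))
```

On a real server the threshold needs tuning against a normal day's log, since a busy legitimate OWA user can also generate many requests.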
Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
Why not use gmail for reading mailing lists. ME2 and I both do it, it's painless and works. On Wed, Jul 22, 2009 at 9:20 AM, Jason Gurtz jasongu...@npumail.com wrote: All: Because Listserv seems to subtly break mime headers, posting to the list in anything other than a plain-text 8-bit charset will likely result in some people being unable to read your message. Also, sending mail in UTF will cause those who use Eudora to Kvetch endlessly until you fix your posting style (but don't EVER suggest they switch to something that's supported!) ;) I sure am glad I don't use my gmail for reading mailing lists! ~JasonG -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 09:54 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved You have to be joking! Jason G. help him... -- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following:
RE: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
ME2 and I both do it, it's painless and works H Shook From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 11:18 AM To: MS-Exchange Admin Issues Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) Why not use gmail for reading mailing lists. ME2 and I both do it, it's painless and works. On Wed, Jul 22, 2009 at 9:20 AM, Jason Gurtz jasongu...@npumail.com wrote: All: Because Listserv seems to subtly break mime headers, posting to the list in anything other than a plain-text 8-bit charset will likely result in some people being unable to read your message. Also, sending mail in UTF will cause those who use Eudora to Kvetch endlessly until you fix your posting style (but don't EVER suggest they switch to something that's supported!) ;) I sure am glad I don't use my gmail for reading mailing lists! ~JasonG -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 09:54 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved You have to be joking! Jason G. help him... 
-- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following:
Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
On Wed, Jul 22, 2009 at 11:18 AM, Andy Shook andy.sh...@peak10.com wrote: ME2 and I both do it, it's painless and works H…. Settle down, Beavis. -- B
Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
the pain comes later when I'm home alone. -- ME2 On Wed, Jul 22, 2009 at 11:18 AM, Andy Shook andy.sh...@peak10.com wrote: ME2 and I both do it, it's painless and works H…. Shook From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 11:18 AM To: MS-Exchange Admin Issues Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) Why not use gmail for reading mailing lists. ME2 and I both do it, it's painless and works. On Wed, Jul 22, 2009 at 9:20 AM, Jason Gurtz jasongu...@npumail.com wrote: All: Because Listserv seems to subtly break mime headers, posting to the list in anything other than a plain-text 8-bit charset will likely result in some people being unable to read your message. Also, sending mail in UTF will cause those who use Eudora to Kvetch endlessly until you fix your posting style (but don't EVER suggest they switch to something that's supported!) ;) I sure am glad I don't use my gmail for reading mailing lists! ~JasonG -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 09:54 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved You have to be joking! Jason G. help him... 
-- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following:
Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
I think there are only two people I have ever seen messages with those codes from. Otherwise, Gmail for reading this list is a great experience. The message threading/grouping is well done. -- ME2 On Wed, Jul 22, 2009 at 11:17 AM, Sherry Abercrombie saber...@gmail.com wrote: Why not use gmail for reading mailing lists. ME2 and I both do it, it's painless and works. On Wed, Jul 22, 2009 at 9:20 AM, Jason Gurtz jasongu...@npumail.com wrote: All: Because Listserv seems to subtly break mime headers, posting to the list in anything other than a plain-text 8-bit charset will likely result in some people being unable to read your message. Also, sending mail in UTF will cause those who use Eudora to Kvetch endlessly until you fix your posting style (but don't EVER suggest they switch to something that's supported!) ;) I sure am glad I don't use my gmail for reading mailing lists! ~JasonG -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 09:54 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved You have to be joking! Jason G. help him... 
-- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following:
Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
LOL, it worked. I knew that Shookie would have to make a comment about that when I typed it. ;) On Wed, Jul 22, 2009 at 10:18 AM, Andy Shook andy.sh...@peak10.com wrote: ME2 and I both do it, it's painless and works H…. Shook *From:* Sherry Abercrombie [mailto:saber...@gmail.com] *Sent:* Wednesday, July 22, 2009 11:18 AM *To:* MS-Exchange Admin Issues *Subject:* Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) Why not use gmail for reading mailing lists. ME2 and I both do it, it's painless and works. On Wed, Jul 22, 2009 at 9:20 AM, Jason Gurtz jasongu...@npumail.com wrote: All: Because Listserv seems to subtly break mime headers, posting to the list in anything other than a plain-text 8-bit charset will likely result in some people being unable to read your message. Also, sending mail in UTF will cause those who use Eudora to Kvetch endlessly until you fix your posting style (but don't EVER suggest they switch to something that's supported!) ;) I sure am glad I don't use my gmail for reading mailing lists! ~JasonG -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 09:54 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved You have to be joking! Jason G. help him... 
-- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following:
Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
With a bag of cheesy poofs and the evangelist of the day pumping through the TV wondering why Shookie won't call you back. :-) - Original Message - From: Micheal Espinola Jr michealespin...@gmail.com To: MS-Exchange Admin Issues exchangelist@lyris.sunbelt-software.com Sent: Wednesday, July 22, 2009 11:21 AM Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) the pain comes later when I'm home alone. -- ME2 On Wed, Jul 22, 2009 at 11:18 AM, Andy Shook andy.sh...@peak10.com wrote: ME2 and I both do it, it's painless and works H…. Shook From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 11:18 AM To: MS-Exchange Admin Issues Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) Why not use gmail for reading mailing lists. ME2 and I both do it, it's painless and works. On Wed, Jul 22, 2009 at 9:20 AM, Jason Gurtz jasongu...@npumail.com wrote: All: Because Listserv seems to subtly break mime headers, posting to the list in anything other than a plain-text 8-bit charset will likely result in some people being unable to read your message. Also, sending mail in UTF will cause those who use Eudora to Kvetch endlessly until you fix your posting style (but don't EVER suggest they switch to something that's supported!) ;) I sure am glad I don't use my gmail for reading mailing lists! ~JasonG -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 09:54 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved You have to be joking! Jason G. help him... 
-- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following: If they used the mailbox (Outlook or OWA) you'd see something in sent items.
RE: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
Does that make you a Shook troll? Shook From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 11:23 AM To: MS-Exchange Admin Issues Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) LOL, it worked. I knew that Shookie would have to make a comment about that when I typed it. ;) On Wed, Jul 22, 2009 at 10:18 AM, Andy Shook andy.sh...@peak10.com wrote: ME2 and I both do it, it's painless and works H Shook From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 11:18 AM To: MS-Exchange Admin Issues Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) Why not use gmail for reading mailing lists. ME2 and I both do it, it's painless and works. On Wed, Jul 22, 2009 at 9:20 AM, Jason Gurtz jasongu...@npumail.com wrote: All: Because Listserv seems to subtly break mime headers, posting to the list in anything other than a plain-text 8-bit charset will likely result in some people being unable to read your message. Also, sending mail in UTF will cause those who use Eudora to Kvetch endlessly until you fix your posting style (but don't EVER suggest they switch to something that's supported!) ;) I sure am glad I don't use my gmail for reading mailing lists! ~JasonG -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 09:54 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved You have to be joking! Jason G. help him...
-- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following:
Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
Trolling, yup, and you went for it, hook, line and sinker ;) On Wed, Jul 22, 2009 at 10:27 AM, Andy Shook andy.sh...@peak10.com wrote: Does that make you a Shook troll? Shook *From:* Sherry Abercrombie [mailto:saber...@gmail.com] *Sent:* Wednesday, July 22, 2009 11:23 AM *To:* MS-Exchange Admin Issues *Subject:* Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) LOL, it worked. I knew that Shookie would have to make a comment about that when I typed it. ;) On Wed, Jul 22, 2009 at 10:18 AM, Andy Shook andy.sh...@peak10.com wrote: ME2 and I both do it, it's painless and works H…. Shook *From:* Sherry Abercrombie [mailto:saber...@gmail.com] *Sent:* Wednesday, July 22, 2009 11:18 AM *To:* MS-Exchange Admin Issues *Subject:* Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) Why not use gmail for reading mailing lists. ME2 and I both do it, it's painless and works. On Wed, Jul 22, 2009 at 9:20 AM, Jason Gurtz jasongu...@npumail.com wrote: All: Because Listserv seems to subtly break mime headers, posting to the list in anything other than a plain-text 8-bit charset will likely result in some people being unable to read your message. Also, sending mail in UTF will cause those who use Eudora to Kvetch endlessly until you fix your posting style (but don't EVER suggest they switch to something that's supported!) ;) I sure am glad I don't use my gmail for reading mailing lists! ~JasonG -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 09:54 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved You have to be joking! Jason G. help him...
-- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following:
RE: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
Congrats on the trophy. Shook From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 11:31 AM To: MS-Exchange Admin Issues Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) Trolling, yup, and you went for it, hook, line and sinker ;) On Wed, Jul 22, 2009 at 10:27 AM, Andy Shook andy.sh...@peak10.com wrote: Does that make you a Shook troll? Shook From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 11:23 AM To: MS-Exchange Admin Issues Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) LOL, it worked. I knew that Shookie would have to make a comment about that when I typed it. ;) On Wed, Jul 22, 2009 at 10:18 AM, Andy Shook andy.sh...@peak10.com wrote: ME2 and I both do it, it's painless and works H Shook From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 11:18 AM To: MS-Exchange Admin Issues Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) Why not use gmail for reading mailing lists. ME2 and I both do it, it's painless and works. On Wed, Jul 22, 2009 at 9:20 AM, Jason Gurtz jasongu...@npumail.com wrote: All: Because Listserv seems to subtly break mime headers, posting to the list in anything other than a plain-text 8-bit charset will likely result in some people being unable to read your message. Also, sending mail in UTF will cause those who use Eudora to Kvetch endlessly until you fix your posting style (but don't EVER suggest they switch to something that's supported!) ;) I sure am glad I don't use my gmail for reading mailing lists!
~JasonG -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 09:54 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved You have to be joking! Jason G. help him... -- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following:
RE: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
Sounds boring, eh? -sc -Original Message- From: Andy Shook andy.sh...@peak10.com Sent: Wednesday, July 22, 2009 11:19 AM To: MS-Exchange Admin Issues exchangelist@lyris.sunbelt-software.com Subject: RE: Making sure all can read... (was RE: 2k3 message tracking-Resolved) ME2 and I both do it, it's painless and works H . Shook From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 11:18 AM To: MS-Exchange Admin Issues Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) Why not use gmail for reading mailing lists. ME2 and I both do it, it's painless and works. On Wed, Jul 22, 2009 at 9:20 AM, Jason Gurtz jasongu...@npumail.com wrote: All: Because Listserv seems to subtly break mime headers, posting to the list in anything other than a plain-text 8-bit charset will likely result in some people being unable to read your message. Also, sending mail in UTF will cause those who use Eudora to Kvetch endlessly until you fix your posting style (but don't EVER suggest they switch to something that's supported!) ;) I sure am glad I don't use my gmail for reading mailing lists! ~JasonG -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 09:54 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved You have to be joking! Jason G. help him... 
-- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following: If they used the mailbox (Outlook or OWA) you'd see something in sent items. This telnet is from my workstation to one of our bridgeheads to a hotmail account. It isn’t in my sent items but the hotmail
RE: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
We just crossed in to painful territory. -sc -Original Message- From: Sherry Abercrombie saber...@gmail.com Sent: Wednesday, July 22, 2009 11:31 AM To: MS-Exchange Admin Issues exchangelist@lyris.sunbelt-software.com Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) Trolling, yup, and you went for it, hook, line and sinker ;) On Wed, Jul 22, 2009 at 10:27 AM, Andy Shook andy.sh...@peak10.com wrote: Does that make you a Shook troll? Shook From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 11:23 AM To: MS-Exchange Admin Issues Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) LOL, it worked. I knew that Shookie would have to make a comment about that when I typed it. ;) On Wed, Jul 22, 2009 at 10:18 AM, Andy Shook andy.sh...@peak10.com wrote: ME2 and I both do it, it's painless and works H . Shook From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 11:18 AM To: MS-Exchange Admin Issues Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) Why not use gmail for reading mailing lists. ME2 and I both do it, it's painless and works. On Wed, Jul 22, 2009 at 9:20 AM, Jason Gurtz jasongu...@npumail.com wrote: All: Because Listserv seems to subtly break mime headers, posting to the list in anything other than a plain-text 8-bit charset will likely result in some people being unable to read your message. Also, sending mail in UTF will cause those who use Eudora to Kvetch endlessly until you fix your posting style (but don't EVER suggest they switch to something that's supported!) ;) I sure am glad I don't use my gmail for reading mailing lists! ~JasonG -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 09:54 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved You have to be joking! Jason G. help him...
-- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following:
RE: 2k3 message tracking-Resolved
I've grepped out a bit of a log file from my \\server\c$\WINDOWS\system32\LogFiles\W3SVC1 directory I can send you- My OWA session Logging on, creating and sending a message and logging off. Let me know if it's ok to send to your vhcc.edu address. *blinks* neat and clear manner? I hope so… without HUGE sigs and disclaimers? Check. Graphics and other unnecessary additions? Check Me – list noob? Yep, been here for all of two months tomorrow. see inline graphics before? Yep. See complaints about inline graphics before today? Nope but duly noted. reasonably spell checked? Check grammatically correct Nope. -Original Message- From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Wednesday, July 22, 2009 11:07 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved I don't see anything referencing logins in the iis logs. Anyone care to share what it looks like so I know what I'm searching for? Maybe I don't have the logging configured correctly or am not looking for the right thing. All I see in the log is the get, search and propfind and search verbs. -Original Message- From: Miller Bonnie L. [mailto:mille...@mukilteo.wednet.edu] Sent: Wednesday, July 22, 2009 9:48 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Can you find the logons in your server's IIS logs? I'm guessing they are going to show a lot of activity if it came through via OWA. -Bonnie -Original Message- From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Wednesday, July 22, 2009 6:08 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Thanks to all for the suggestions. I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password. Looks like the phishers have a script that runs against owa and sends out all the spam. The guilty users are being dealt with by their supervisors.
I suggested a clue-by-four upside the head as they've been through security training (twice) that addresses this exact issue. Oh well, job security. One last question. Is it possible to tell if the email were dumped into the exchange server via owa or an outlook client. I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA. -Original Message- From: Jason Gurtz [mailto:jasongu...@npumail.com] Sent: Tuesday, July 21, 2009 3:49 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking When I reset the password on the two accounts that were sending all the spam, it stopped and hasn’t returned so the only conclusion I’ve come up with is that these two accounts got their password stolen, and then some script or bot accessed their OWA account and sent all the spam. Does that sound possible/logical? Sounds like the users were phished and from what I've heard, this is very common at edu's. You might want to check out installing something like Untangle which has an anti-phishing filter http://www.untangle.com/ in front of your mail server(s). If you're motivated enough to install a Linux based mail gateway you may be able to use this nifty scanning software called Kochi which actually tries to authenticate to your AD: http://oss.lboro.ac.uk/kochi1.html I guess there's some client based tools too to stem the flow of passwords through the browser, check out the Wikipedia article for a list of things to try: http://en.wikipedia.org/wiki/Anti-phishing_software ~JasonG
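The IIS log review discussed in the message above, as an added example that is not part of any poster's message: a Python script that reads W3C extended logs such as those under W3SVC1, groups requests by cs-username, and flags accounts with many write requests or many source addresses outside the internal network. The sample log, user names, URL paths, internal network range and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this example (not from the thread):
INTERNAL_NETS = [ip_network("10.0.0.0/8")]          # address space treated as internal
WRITE_VERBS = {"POST", "PUT", "PROPPATCH", "MOVE"}  # verbs that create or submit items

# Constructed sample in IIS W3C extended format; users, IPs and URLs are invented.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2009-07-20 08:01:10 10.1.2.3 - GET /exchweb/img/logo.gif - 200 Mozilla/4.0+(compatible;+MSIE+7.0)
2009-07-20 08:01:15 10.1.2.3 CAMPUS\jdoe GET /exchange/jdoe/Inbox/ - 200 Mozilla/4.0+(compatible;+MSIE+7.0)
2009-07-20 08:01:16 10.1.2.3 CAMPUS\jdoe PROPFIND /exchange/jdoe/Inbox/ - 207 Mozilla/4.0+(compatible;+MSIE+7.0)
2009-07-20 08:01:17 10.1.2.3 CAMPUS\jdoe SEARCH /exchange/jdoe/Inbox/ - 207 Mozilla/4.0+(compatible;+MSIE+7.0)
2009-07-20 08:05:02 10.1.2.3 CAMPUS\jdoe POST /exchange/jdoe/Drafts/ Cmd=send 302 Mozilla/4.0+(compatible;+MSIE+7.0)
2009-07-20 02:10:01 203.0.113.50 CAMPUS\asmith POST /exchange/asmith/Drafts/ Cmd=send 302 -
2009-07-20 02:10:03 203.0.113.50 CAMPUS\asmith POST /exchange/asmith/Drafts/ Cmd=send 302 -
2009-07-20 02:10:05 203.0.113.50 CAMPUS\asmith POST /exchange/asmith/Drafts/ Cmd=send 302 -
2009-07-20 02:10:06 198.51.100.7 CAMPUS\asmith POST /exchange/asmith/Drafts/ Cmd=send 302 -
2009-07-20 02:10:08 192.0.2.9 CAMPUS\asmith POST /exchange/asmith/Drafts/ Cmd=send 302 -
2009-07-20 02:10:09 203.0.113.50 CAMPUS\asmith POST
"""


def parse_w3c(text):
    """Yield one dict per request, honouring every #Fields directive in the log."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # truncated or malformed row: skip rather than misalign columns
        yield dict(zip(fields, values))


def is_external(ip):
    """True when the client address is outside INTERNAL_NETS (or cannot be parsed)."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def summarise(rows):
    """Aggregate authenticated requests per account."""
    stats = defaultdict(lambda: {"requests": 0, "writes": 0,
                                 "ext_writes": 0, "ext_ips": set()})
    for row in rows:
        user = row.get("cs-username", "-").lower()
        if user == "-":
            continue  # anonymous requests (logon page, static files) carry no account
        entry = stats[user]
        entry["requests"] += 1
        client = row.get("c-ip", "")
        external = is_external(client)
        if external:
            entry["ext_ips"].add(client)
        if row.get("cs-method", "").upper() in WRITE_VERBS:
            entry["writes"] += 1
            if external:
                entry["ext_writes"] += 1
    return stats


def suspicious_accounts(text, max_ext_writes=3, max_ext_ips=2):
    """Return {account: [reasons]} for accounts exceeding either threshold."""
    flagged = {}
    for user, entry in summarise(parse_w3c(text)).items():
        reasons = []
        if entry["ext_writes"] > max_ext_writes:
            reasons.append(f"{entry['ext_writes']} write requests from external addresses")
        if len(entry["ext_ips"]) > max_ext_ips:
            reasons.append(f"{len(entry['ext_ips'])} distinct external client addresses")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for account, why in suspicious_accounts(SAMPLE_LOG).items():
        print(account, "->", "; ".join(why))
```

The cs-username column is only present when it is selected in the site's W3C logging properties, so a log without it yields no per-account summary.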
Re: 2k3 message tracking-Resolved
What are you using for a mailer? I'd love to know what makes these fantastic codes I keep seeing. -- ME2 On Wed, Jul 22, 2009 at 2:00 PM, pramatow...@mediageneral.com wrote: I've grepped out a bit of a log file from my +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 directory I can send you- My OWA session Logging on, creating and sending a message and logging off. Let me know if it's ok to send to your vhcc.edu address. +ACo-blinks+ACo- neat and clear manner? I hope so+ICY- without HUGE sigs and disclaimers? Check. Graphics and other unnecessary additions? Check Me +IBM- list noob? Yep, been here for all of two months tomorrow. see inline graphics before? Yep. See complaints about inline graphics before today? Nope but duly noted. reasonably spell checked? Check grammatically correct Nope. -Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- Sent: Wednesday, July 22, 2009 11:07 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved I don't see anything referencing logins in the iis logs. Anyone care to share what it looks like so I know what I'm searching for? Maybe I don't have the logging configured correctly or am not looking for the right thing. All I see in the log is the get, search and propfind and search verbs. -Original Message- From: Miller Bonnie L. +AFs-mailto:millerbl+AEA-mukilteo.wednet.edu+AF0- Sent: Wednesday, July 22, 2009 9:48 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Can you find the logons in your server's IIS logs? I'm guessing they are going to show a lot of activity if it came through via OWA. -Bonnie -Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- Sent: Wednesday, July 22, 2009 6:08 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Thanks to all for the suggestions. 
I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password. Looks like the phishers have a script that runs against owa and sends out all the spam. The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they been through security training(twice) that addresses this exact issue. Oh well, job security. One last question. Is it possible to tell if the email were dumped into the exchange server via owa or an outlook client. I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA. -Original Message- From: Jason Gurtz +AFs-mailto:jasongurtz+AEA-npumail.com+AF0- Sent: Tuesday, July 21, 2009 3:49 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking +AD4- When I reset the password on the two accounts that were sending all the +AD4- spam, it stopped and hasn+IBk-t returned so the only conclusion I+IBk-ve come up +AD4- with is that these two accounts got their password stolen, and then some +AD4- script or bot accessed their OWA account and sent all the spam. +AD4- +AD4- Does that sound possible/logical? Sounds like the users where phished and from what I've heard, this is very common at edu's. You might want to check out installing something like Untangle which has an anti-phishing filter +ADw-http://www.untangle.com/+AD4- in front of your mail server(s). If you're motivated enough to install a Linux based mail gateway you may be able to use this nifty scanning software called Kochi which actually tries to authenticate to your AD: +ADw-http://oss.lboro.ac.uk/kochi1.html+AD4- I guess there's some client based tools too to stem the flow of passwords through the browser, check out the Wikipedia article for a list of things to try: http://en.wikipedia.org/wiki/Anti-phishing+AF8-software +AH4-JasonG
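The IIS log check suggested in the quoted thread above, sketched as an added example (not code from any list member): it reads a W3C extended log of the kind IIS writes under LogFiles\W3SVC1, honours the #Fields header, and tallies authenticated requests under the OWA path per account, client IP and verb. The sample lines, account names, addresses, the /exchange prefix and the internal network range are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in W3C extended log format; names and addresses are made up
# and the request shapes are illustrative, not captured OWA traffic.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2009-07-20 13:00:01 10.1.4.22 EXAMPLE\alice GET /exchange/alice/Inbox/ 200
2009-07-20 13:00:02 10.1.4.22 EXAMPLE\alice PROPFIND /exchange/alice/Inbox/ 207
2009-07-20 13:05:10 10.1.7.80 - GET /exchange/ 401
2009-07-21 02:14:07 203.0.113.50 EXAMPLE\bob GET /exchange/bob/ 200
2009-07-21 02:14:08 203.0.113.50 EXAMPLE\bob SEARCH /exchange/bob/Inbox/ 207
2009-07-21 02:14:09 203.0.113.50 EXAMPLE\bob POST /exchange/bob/Drafts/ 302
2009-07-21 02:14:10 203.0.113.50 EXAMPLE\bob POST /exchange/bob/Drafts/ 302
2009-07-21 02:14:11 203.0.113.50 EXAMPLE\bob POST /exchange/bob/Drafts/ 302
2009-07-21 02:14:12 truncated-line
2009-07-21 09:00:00 10.1.4.30 EXAMPLE\bob GET /iisstart.htm 200
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the header may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                       # truncated or malformed line
        records.append(dict(zip(fields, values)))
    return records


def summarize_owa(records, prefix="/exchange"):
    """Tally authenticated requests under the OWA path, per account."""
    summary = defaultdict(
        lambda: {"requests": 0, "ips": Counter(), "methods": Counter()}
    )
    for rec in records:
        user = rec.get("cs-username", "-")
        stem = rec.get("cs-uri-stem", "").lower()
        if user == "-" or not stem.startswith(prefix):
            continue                       # anonymous request or not OWA
        account = user.split("\\")[-1].lower()   # strip DOMAIN\ and normalise
        entry = summary[account]
        entry["requests"] += 1
        entry["ips"][rec.get("c-ip", "-")] += 1
        entry["methods"][rec.get("cs-method", "-")] += 1
    return dict(summary)


def flag_external_sessions(summary, internal_nets, min_requests=3):
    """List (account, ip, count) where an outside address made many requests."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for account, entry in sorted(summary.items()):
        for ip, count in sorted(entry["ips"].items()):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue                   # field was "-" or not an address
            if count >= min_requests and not any(addr in n for n in nets):
                findings.append((account, ip, count))
    return findings


if __name__ == "__main__":
    owa = summarize_owa(parse_w3c(SAMPLE_LOG))
    for account, entry in sorted(owa.items()):
        print(account, entry["requests"], dict(entry["methods"]))
    print(flag_external_sessions(owa, ["10.0.0.0/8"]))
```

An account that appears here with authenticated requests from an unfamiliar address at the time the spam went out is the log evidence that the mail was submitted through the web interface.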
Re: 2k3 message tracking-Resolved
Based on the grep statement, I would guess it's a *nix based email application, but that's just a guess. On Wed, Jul 22, 2009 at 1:22 PM, Micheal Espinola Jr michealespin...@gmail.com wrote: What are you using for a mailer? I'd love to know what makes these fantastic codes I keep seeing. -- ME2 On Wed, Jul 22, 2009 at 2:00 PM, pramatow...@mediageneral.com wrote: I've grepped out a bit of a log file from my +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 directory I can send you- My OWA session Logging on, creating and sending a message and logging off. Let me know if it's ok to send to your vhcc.edu address. +ACo-blinks+ACo- neat and clear manner?I hope so+ICY- without HUGE sigs and disclaimers? Check. Graphics and other unnecessary additions? Check Me +IBM- list noob? Yep, been here for all of two months tomorrow. see inline graphics before? Yep. See complaints about inline graphics before today? Nope but duly noted. reasonably spell checked? Check grammatically correct Nope. -Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0-gjohnson%2BAEA-vhcc.edu%2BAF0- Sent: Wednesday, July 22, 2009 11:07 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved I don't see anything referencing logins in the iis logs. Anyone care to share what it looks like so I know what I'm searching for? Maybe I don't have the logging configured correctly or am not looking for the right thing. All I see in the log is the get, search and propfind and search verbs. -Original Message- From: Miller Bonnie L. +AFs-mailto:millerbl+AEA-mukilteo.wednet.edu+AF0-millerbl%2BAEA-mukilteo.wednet.edu%2BAF0- Sent: Wednesday, July 22, 2009 9:48 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Can you find the logons in your server's IIS logs? I'm guessing they are going to show a lot of activity if it came through via OWA. 
-- Sherry Abercrombie Any sufficiently advanced technology is indistinguishable from magic. Arthur C. Clarke
RE: 2k3 message tracking-Resolved
Outlook 2007SP2 Exchange 2003SP2 Message was sent in plain text Where you are seeing strange code The top line was a path slash slash server slash windows slash system32 slash logfiles slash w3svc1 Next line was asterisk blinks asterisk Next line after I hope so was three periods Next line after Me was a spacedash Beats the heck out of me why it apostrophe s is being rendered that way to you guys comma I have never seen this before period Putting this here so as not to chance adding another message of doom to the list comma I said grep because I used a program called Windows Grep to pull out the relevant bits from a massive log file smile -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Wednesday, July 22, 2009 2:22 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved What are you using for a mailer? I'd love to know what makes these fantastic codes I keep seeing. -- ME2 On Wed, Jul 22, 2009 at 2:00 PM, pramatow...@mediageneral.com wrote: I've grepped out a bit of a log file from my +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 directory I can send you- My OWA session Logging on, creating and sending a message and logging off. Let me know if it's ok to send to your vhcc.edu address. +ACo-blinks+ACo- neat and clear manner? I hope so+ICY- without HUGE sigs and disclaimers? Check. Graphics and other unnecessary additions? Check Me +IBM- list noob? Yep, been here for all of two months tomorrow. see inline graphics before? Yep. See complaints about inline graphics before today? Nope but duly noted. reasonably spell checked? Check grammatically correct Nope. -Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- Sent: Wednesday, July 22, 2009 11:07 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved I don't see anything referencing logins in the iis logs. Anyone care to share what it looks like so I know what I'm searching for? 
RE: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
Personally, I think this is a reasonable method of communication always - in a neat and clear manner, without HUGE sigs and disclaimers, graphics and other unnecessary additions, reasonably spell checked and grammatically correct to the best of our abilities. We DO add a disclaimer as instructed by legal but the rest -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 8:01 AM To: MS-Exchange Admin Issues Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) Thank you for the clarification. So *without* using my Mozilla mail client, a quick glance at the online posting (second iframe) at: http://lyris.sunbelt-software.com/read/messages?id=746292 and expanding thus: http://lyris.sunbelt-software.com/read/archive?id=746296 sort of says it all. I think it behoves us all to post in a neat and clear manner, without HUGE sigs and disclaimers, graphics and other unnecessary additions, reasonably spell checked and grammatically correct to the best of our abilities. For heaven's sake people, how difficult is it to create an additional identity (text only) for posting to this list? -- Peter van Houten On the 22/07/2009 16:20, Jason Gurtz wrote the following: All: Because Listserv seems to subtly break mime headers, posting to the list in anything other than a plain-text 8-bit charset will likely result in some people being unable to read your message. Also, sending mail in UTF will cause those who use Eudora to Kvetch endlessly until you fix your posting style (but don't EVER suggest they switch to something that's supported!) ;) I sure am glad I don't use my gmail for reading mailing lists! ~JasonG -Original Message- From: Peter van Houten [mailto:peter...@gmail.com] Sent: Wednesday, July 22, 2009 09:54 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved You have to be joking! Jason G. help him... 
-- Peter van Houten On the 22/07/2009 15:48, pramatow...@mediageneral.com wrote the following: +ADw-html xmlns:v+AD0AIg-urn:schemas-microsoft-com:vml+ACI- xmlns:o+AD0AIg-urn:schemas-microsoft-com:office:office+ACI- xmlns:w+AD0AIg-urn:schemas-microsoft-com:office:word+ACI- xmlns:m+AD0AIg-http://schemas.microsoft.com/office/2004/12/omml+ACI- snip
Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
On Wed, Jul 22, 2009 at 2:50 PM, Don Andrews don.andr...@safeway.com wrote:
> We DO add a disclaimer as instructed by legal but the rest

One of the several reasons I use a web mail account is so I don't annoy others with disclaimers and that sort of crap. Sometimes I see those This message is confidential... statements and feel like replying: I know exactly how to solve your problem, but unfortunately, since your message was confidential, I had to delete it.

Other benefits to using a web mail account for this sort of thing:
* Clearly separate on-list activities from job-related, official communications
* I can change jobs but keep the same on-list identity
* A conveniently searchable archive of the wealth of knowledge from lists (like a knowledge base)
* Don't have to worry about my out-of-office message going to lists
* I can get to this list from any web-connected device; there is nothing sensitive in this account so I don't sweat security
* I'm not cluttering my work mailbox with non-work stuff

-- Ben
Re: 2k3 message tracking-Resolved
LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep is. Never heard of this Windows Grep..off to Google to have a look at it. On Wed, Jul 22, 2009 at 1:45 PM, pramatow...@mediageneral.com wrote: Outlook 2007SP2 Exchange 2003SP2 Message was sent in plain text Where you are seeing strange code The top line was a path slash slash server slash windows slash system32 slash logfiles slash w3svc1 Next line was asterisk blinks asterisk Next line after I hope so was three periods Next line after Me was a spacedash Beats the heck out of me why it apostrophe s is being rendered that way to you guys comma I have never seen this before period Putting this here so as not to chance adding another message of doom to the list comma I said grep because I used a program called Windows Grep to pull out the relevant bits from a massive log file smile -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Wednesday, July 22, 2009 2:22 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved What are you using for a mailer? I'd love to know what makes these fantastic codes I keep seeing. -- ME2 On Wed, Jul 22, 2009 at 2:00 PM, pramatow...@mediageneral.com wrote: I've grepped out a bit of a log file from my +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 directory I can send you- My OWA session Logging on, creating and sending a message and logging off. Let me know if it's ok to send to your vhcc.edu address. +ACo-blinks+ACo- neat and clear manner?I hope so+ICY- without HUGE sigs and disclaimers? Check. Graphics and other unnecessary additions? Check Me +IBM- list noob? Yep, been here for all of two months tomorrow. see inline graphics before? Yep. See complaints about inline graphics before today? Nope but duly noted. reasonably spell checked? Check grammatically correct Nope. 
RE: 2k3 message tracking-Resolved
Www dot wingrep dot com is what im using atm From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 3:10 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep
RE: 2k3 message tracking-Resolved
If you don't need a gui interface there's actually native ports (including installers and no Cygwin needed!) of most gnu utils available. Check out gnuwin32.sf.net, click packages and click grep. The only drawback I find is that using these tools inhibits my groking of powershell a bit since it's a throwing around text vs. throwing around objects situation. Whee! ~JasonG -Original Message- From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 15:10 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep is. Never heard of this Windows Grep..off to Google to have a look at it. On Wed, Jul 22, 2009 at 1:45 PM, pramatow...@mediageneral.com wrote: Outlook 2007SP2 Exchange 2003SP2 Message was sent in plain text Where you are seeing strange code The top line was a path slash slash server slash windows slash system32 slash logfiles slash w3svc1 Next line was asterisk blinks asterisk Next line after I hope so was three periods Next line after Me was a spacedash Beats the heck out of me why it apostrophe s is being rendered that way to you guys comma I have never seen this before period Putting this here so as not to chance adding another message of doom to the list comma I said grep because I used a program called Windows Grep to pull out the relevant bits from a massive log file smile -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Wednesday, July 22, 2009 2:22 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved What are you using for a mailer? I'd love to know what makes these fantastic codes I keep seeing. 
RE: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
+1 I've noticed something strange happening recently. I used to be subscribed with my corp. account but unsubscribed set up this account. Sometimes though when I reply to an email from my hotmail account, my corp. email starts getting the ntsysadmin messages. It seems like it re-subscribes the account. Then, I have to send a message and unsubscribe. Date: Wed, 22 Jul 2009 15:01:48 -0400 Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) From: mailvor...@gmail.com To: exchangelist@lyris.sunbelt-software.com On Wed, Jul 22, 2009 at 2:50 PM, Don Andrewsdon.andr...@safeway.com wrote: We DO add a disclaimer as instructed by legal but the rest One of the several reasons I use a web mail account is so I don't annoy others with disclaimers and that sort of crap. Sometimes I see those This message is confidential... statements and feel like replying: I know exactly how to solve your problem, but unfortunately, since your message was confidential, I had to delete it. Other benefits to using a web mail account for this sort of thing: * Clearly separate on-list activities from job-related, official communications * I can change jobs but keep the same on-list identity * A conveniently searchable archive of the wealth of knowledge from lists (like a knowledge base) * Don't have to worry about my out-of-office message going to lists * I can get to this list from any web-connected device; there is nothing sensitive in this account so I don't sweat security * I'm not cluttering my work mailbox with non-work stuff -- Ben
Re: 2k3 message tracking-Resolved
On Wed, Jul 22, 2009 at 3:18 PM, pramatow...@mediageneral.com wrote: Www dot wingrep dot com is what im using atm $30 per computer for a glorified GUI wrapper for grep? No thanks. I'll stick with the command-line version. It's Free. :-) There are free GUIs for it, too, though I've never used them, and they may suck. -- Ben
Re: 2k3 message tracking-Resolved
I'm a reluctant *nix admin, so I'll take gui over command line any day. ;) On Wed, Jul 22, 2009 at 2:25 PM, Jason Gurtz jasongu...@npumail.com wrote: If you don't need a gui interface there's actually native ports (including installers and no Cygwin needed!) of most gnu utils available. Check out gnuwin32.sf.net, click packages and click grep. The only drawback I find is that using these tools inhibits my groking of powershell a bit since it's a throwing around text vs. throwing around objects situation. Whee! ~JasonG -Original Message- From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 15:10 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep is. Never heard of this Windows Grep..off to Google to have a look at it. On Wed, Jul 22, 2009 at 1:45 PM, pramatow...@mediageneral.com wrote: Outlook 2007SP2 Exchange 2003SP2 Message was sent in plain text Where you are seeing strange code The top line was a path slash slash server slash windows slash system32 slash logfiles slash w3svc1 Next line was asterisk blinks asterisk Next line after I hope so was three periods Next line after Me was a spacedash Beats the heck out of me why it apostrophe s is being rendered that way to you guys comma I have never seen this before period Putting this here so as not to chance adding another message of doom to the list comma I said grep because I used a program called Windows Grep to pull out the relevant bits from a massive log file smile -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Wednesday, July 22, 2009 2:22 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved What are you using for a mailer? I'd love to know what makes these fantastic codes I keep seeing. 
Re: 2k3 message tracking-Resolved
Look at my reply to you. All the strange code is in the quoted message I replied to. -- ME2 On Wed, Jul 22, 2009 at 2:45 PM, pramatow...@mediageneral.com wrote: Outlook 2007SP2 Exchange 2003SP2 Message was sent in plain text Where you are seeing strange code The top line was a path slash slash server slash windows slash system32 slash logfiles slash w3svc1 Next line was asterisk blinks asterisk Next line after I hope so was three periods Next line after Me was a spacedash Beats the heck out of me why it apostrophe s is being rendered that way to you guys comma I have never seen this before period Putting this here so as not to chance adding another message of doom to the list comma I said grep because I used a program called Windows Grep to pull out the relevant bits from a massive log file smile -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Wednesday, July 22, 2009 2:22 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved What are you using for a mailer? I'd love to know what makes these fantastic codes I keep seeing. -- ME2 On Wed, Jul 22, 2009 at 2:00 PM, pramatow...@mediageneral.com wrote: I've grepped out a bit of a log file from my +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 directory I can send you- My OWA session Logging on, creating and sending a message and logging off. Let me know if it's ok to send to your vhcc.edu address. +ACo-blinks+ACo- neat and clear manner? I hope so+ICY- without HUGE sigs and disclaimers? Check. Graphics and other unnecessary additions? Check Me +IBM- list noob? Yep, been here for all of two months tomorrow. see inline graphics before? Yep. See complaints about inline graphics before today? Nope but duly noted. reasonably spell checked? Check grammatically correct Nope. 
Re: 2k3 message tracking-Resolved
Your message was encoded with UTF-7 -- ME2 On Wed, Jul 22, 2009 at 2:45 PM, pramatow...@mediageneral.com wrote: Outlook 2007SP2 Exchange 2003SP2 Message was sent in plain text Where you are seeing strange code
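The `+AFw-` style runs in the quoted message are RFC 2152 UTF-7: each run between `+` and `-` is unpadded base64 of UTF-16BE code units. As an added example (not part of the original thread), this Python decoder works through that format by hand on strings taken from the quoted message; the function names are illustrative.

```python
import base64
import binascii
import re

# Characters RFC 2152 allows inside a shifted (base64) run.
B64_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)
# A shifted run as it appears in undecoded text: '+', base64 characters, '-'.
UTF7_RUN = re.compile(r"\+[A-Za-z0-9/]+-")


def find_utf7_runs(text):
    """Return the shifted runs present in text, e.g. ['+AFwAXA-', '+AFw-']."""
    return UTF7_RUN.findall(text)


def decode_utf7(text):
    """Decode UTF-7: '+' opens a base64 run, '-' closes it, '+-' is a literal '+'."""
    out = []
    i = 0
    while i < len(text):
        if text[i] != "+":
            out.append(text[i])
            i += 1
            continue
        # Collect the base64 characters that follow the '+'.
        j = i + 1
        while j < len(text) and text[j] in B64_ALPHABET:
            j += 1
        run = text[i + 1:j]
        closed = j < len(text) and text[j] == "-"
        if not run:
            # "+-" is an escaped plus sign; a bare '+' is passed through.
            out.append("+")
            i = j + 1 if closed else j
            continue
        try:
            # UTF-7 drops base64 padding; restore it before decoding.
            raw = base64.b64decode(run + "=" * (-len(run) % 4))
            # Bits that do not fill a whole 16-bit unit are filler; drop them.
            raw = raw[: len(raw) - len(raw) % 2]
            out.append(raw.decode("utf-16-be"))
        except (binascii.Error, UnicodeDecodeError):
            # Not a valid run (ordinary text that happens to contain '+'):
            # keep it untouched rather than guessing.
            out.append(text[i:j])
            i = j
            continue
        # The '-' terminator is absorbed; any other character is kept.
        i = j + 1 if closed else j
    return "".join(out)


if __name__ == "__main__":
    # Strings copied from the quoted message in this thread.
    for sample in (
        "+AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1",
        "+ACo-blinks+ACo-",
        "I hope so+ICY-",
        "+AFs-mailto:gjohnson+AEA-vhcc.edu+AF0-",
    ):
        print(sample, "->", decode_utf7(sample))
```

A message body full of such runs means the text was sent as UTF-7 and displayed without being decoded as UTF-7.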
RE: 2k3 message tracking-Resolved
My condolences. -sc From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 3:31 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved I'm a reluctant *nix admin, so I'll take gui over command line any day. ;) On Wed, Jul 22, 2009 at 2:25 PM, Jason Gurtz jasongu...@npumail.com wrote: If you don't need a gui interface there's actually native ports (including installers and no Cygwin needed!) of most gnu utils available. Check out gnuwin32.sf.net, click packages and click grep. The only drawback I find is that using these tools inhibits my groking of powershell a bit since it's a throwing around text vs. throwing around objects situation. Whee! ~JasonG -Original Message- From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 15:10 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep is. Never heard of this Windows Grep..off to Google to have a look at it. 
On Wed, Jul 22, 2009 at 1:45 PM, pramatow...@mediageneral.com wrote: Outlook 2007SP2 Exchange 2003SP2 Message was sent in plain text Where you are seeing strange code The top line was a path slash slash server slash windows slash system32 slash logfiles slash w3svc1 Next line was asterisk blinks asterisk Next line after I hope so was three periods Next line after Me was a spacedash Beats the heck out of me why it apostrophe s is being rendered that way to you guys comma I have never seen this before period Putting this here so as not to chance adding another message of doom to the list comma I said grep because I used a program called Windows Grep to pull out the relevant bits from a massive log file smile -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Wednesday, July 22, 2009 2:22 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved What are you using for a mailer? I'd love to know what makes these fantastic codes I keep seeing. -- ME2 On Wed, Jul 22, 2009 at 2:00 PM, pramatow...@mediageneral.com wrote: I've grepped out a bit of a log file from my +AFwAXA-server+AFw- c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 directory I can send you- My OWA session Logging on, creating and sending a message and logging off. Let me know if it's ok to send to your vhcc.edu address. +ACo-blinks+ACo- neat and clear manner?I hope so+ICY- without HUGE sigs and disclaimers? Check. Graphics and other unnecessary additions? Check Me +IBM- list noob? Yep, been here for all of two months tomorrow. see inline graphics before? Yep. See complaints about inline graphics before today? Nope but duly noted. reasonably spell checked? Check grammatically correct Nope. 
-Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- Sent: Wednesday, July 22, 2009 11:07 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved I don't see anything referencing logins in the iis logs. Anyone care to share what it looks like so I know what I'm searching for? Maybe I don't have the logging configured correctly or am not looking for the right thing. All I see in the log is the get, search and propfind and search verbs. -Original Message- From: Miller Bonnie L. +AFs-mailto:millerbl+AEA-mukilteo.wednet.edu+AF0- Sent: Wednesday, July 22, 2009 9:48 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Can you find the logons in your server's IIS logs? I'm guessing they are going to show a lot of activity if it came through via OWA. -Bonnie -Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- Sent: Wednesday, July 22, 2009 6:08 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Thanks to all for the suggestions. I finally had time to work on this more and found where the two users had replied to phishing emails
RE: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
Oops, I guess I misspoke - we DO add a disclaimer but I suppress it on messages to this and other lists. If I had something saying This message is confidential..., I'd understand if it was summarily deleted. Since my job includes much about email if not always Exchange specific, I consider this list job related. My next job change will be to retired - so loss of list identity is ok. Searchable archive can be done internally as well as externally. My out of office does not go to the list - or the internet. I can get to the list from any web connected device - or my Blackberry. The computers I use to access Outlook or OWA and my Blackberry all have delete keys to relieve the clutter. All this (from my perspective at least) demonstrate that web mail works for you - my way works for me. Isn't freedom of choice great? -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Wednesday, July 22, 2009 12:02 PM To: MS-Exchange Admin Issues Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) On Wed, Jul 22, 2009 at 2:50 PM, Don Andrews don.andr...@safeway.com wrote: We DO add a disclaimer as instructed by legal but the rest One of the several reasons I use a web mail account is so I don't annoy others with disclaimers and that sort of crap. Sometimes I see those This message is confidential... statements and feel like replying: I know exactly how to solve your problem, but unfortunately, since your message was confidential, I had to delete it. 
Other benefits to using a web mail account for this sort of thing: * Clearly separate on-list activities from job-related, official communications * I can change jobs but keep the same on-list identity * A conveniently searchable archive of the wealth of knowledge from lists (like a knowledge base) * Don't have to worry about my out-of-office message going to lists * I can get to this list from any web-connected device; there is nothing sensitive in this account so I don't sweat security * I'm not cluttering my work mailbox with non-work stuff -- Ben
RE: 2k3 message tracking-Resolved
Yup, grep is quite a tool if not meaningfully named - like vi - at least tail gives you a clue. From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 12:10 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep is. Never heard of this Windows Grep..off to Google to have a look at it. On Wed, Jul 22, 2009 at 1:45 PM, pramatow...@mediageneral.com wrote: Outlook 2007SP2 Exchange 2003SP2 Message was sent in plain text Where you are seeing strange code The top line was a path slash slash server slash windows slash system32 slash logfiles slash w3svc1 Next line was asterisk blinks asterisk Next line after I hope so was three periods Next line after Me was a spacedash Beats the heck out of me why it apostrophe s is being rendered that way to you guys comma I have never seen this before period Putting this here so as not to chance adding another message of doom to the list comma I said grep because I used a program called Windows Grep to pull out the relevant bits from a massive log file smile -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Wednesday, July 22, 2009 2:22 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved What are you using for a mailer? I'd love to know what makes these fantastic codes I keep seeing. -- ME2 On Wed, Jul 22, 2009 at 2:00 PM, pramatow...@mediageneral.com wrote: I've grepped out a bit of a log file from my +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 directory I can send you- My OWA session Logging on, creating and sending a message and logging off. Let me know if it's ok to send to your vhcc.edu address. +ACo-blinks+ACo- neat and clear manner?I hope so+ICY- without HUGE sigs and disclaimers? Check. Graphics and other unnecessary additions? Check Me +IBM- list noob? 
Yep, been here for all of two months tomorrow. see inline graphics before? Yep. See complaints about inline graphics before today? Nope but duly noted. reasonably spell checked? Check grammatically correct Nope. -Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- Sent: Wednesday, July 22, 2009 11:07 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved I don't see anything referencing logins in the iis logs. Anyone care to share what it looks like so I know what I'm searching for? Maybe I don't have the logging configured correctly or am not looking for the right thing. All I see in the log is the get, search and propfind and search verbs. -Original Message- From: Miller Bonnie L. +AFs-mailto:millerbl+AEA-mukilteo.wednet.edu+AF0- Sent: Wednesday, July 22, 2009 9:48 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Can you find the logons in your server's IIS logs? I'm guessing they are going to show a lot of activity if it came through via OWA. -Bonnie -Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- Sent: Wednesday, July 22, 2009 6:08 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Thanks to all for the suggestions. I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password. Looks like the phishers have a script that runs against owa and sends out all the spam. The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they been through security training(twice) that addresses this exact issue. Oh well, job security. One last question. Is it possible to tell if the email were dumped into the exchange server via owa or an outlook client. 
I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA. -Original Message- From: Jason Gurtz +AFs-mailto:jasongurtz+AEA-npumail.com+AF0- Sent: Tuesday, July 21, 2009 3:49 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking +AD4- When I reset the password on the two accounts that were sending all the +AD4- spam, it stopped and hasn+IBk-t returned so the only conclusion I+IBk-ve come up +AD4- with is that these two accounts got their password stolen, and then some +AD4- script or bot accessed their OWA account and sent all the spam. +AD4- +AD4- Does that sound possible/logical? Sounds like the users where phished and from what I've heard, this is very common at edu's. You might want to check out installing something like Untangle which has an anti-phishing filter +ADw-http
Re: 2k3 message tracking-Resolved
I really really dislike vi, really I do. On Wed, Jul 22, 2009 at 3:30 PM, Don Andrews don.andr...@safeway.com wrote: Yup, grep is quite a tool if not meaningfully named – like vi – at least tail gives you a clue. -- *From:* Sherry Abercrombie [mailto:saber...@gmail.com] *Sent:* Wednesday, July 22, 2009 12:10 PM *To:* MS-Exchange Admin Issues *Subject:* Re: 2k3 message tracking-Resolved LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep is. Never heard of this Windows Grep..off to Google to have a look at it. On Wed, Jul 22, 2009 at 1:45 PM, pramatow...@mediageneral.com wrote: Outlook 2007SP2 Exchange 2003SP2 Message was sent in plain text Where you are seeing strange code The top line was a path slash slash server slash windows slash system32 slash logfiles slash w3svc1 Next line was asterisk blinks asterisk Next line after I hope so was three periods Next line after Me was a spacedash Beats the heck out of me why it apostrophe s is being rendered that way to you guys comma I have never seen this before period Putting this here so as not to chance adding another message of doom to the list comma I said grep because I used a program called Windows Grep to pull out the relevant bits from a massive log file smile -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Wednesday, July 22, 2009 2:22 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved What are you using for a mailer? I'd love to know what makes these fantastic codes I keep seeing. -- ME2 On Wed, Jul 22, 2009 at 2:00 PM, pramatow...@mediageneral.com wrote: I've grepped out a bit of a log file from my +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 directory I can send you- My OWA session Logging on, creating and sending a message and logging off. Let me know if it's ok to send to your vhcc.edu address. 
+ACo-blinks+ACo- neat and clear manner?I hope so+ICY- without HUGE sigs and disclaimers? Check. Graphics and other unnecessary additions? Check Me +IBM- list noob? Yep, been here for all of two months tomorrow. see inline graphics before? Yep. See complaints about inline graphics before today? Nope but duly noted. reasonably spell checked? Check grammatically correct Nope. -Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- Sent: Wednesday, July 22, 2009 11:07 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved I don't see anything referencing logins in the iis logs. Anyone care to share what it looks like so I know what I'm searching for? Maybe I don't have the logging configured correctly or am not looking for the right thing. All I see in the log is the get, search and propfind and search verbs. -Original Message- From: Miller Bonnie L. +AFs-mailto:millerbl+AEA-mukilteo.wednet.edu+AF0- Sent: Wednesday, July 22, 2009 9:48 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Can you find the logons in your server's IIS logs? I'm guessing they are going to show a lot of activity if it came through via OWA. -Bonnie -Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- Sent: Wednesday, July 22, 2009 6:08 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Thanks to all for the suggestions. I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password. Looks like the phishers have a script that runs against owa and sends out all the spam. The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they been through security training(twice) that addresses this exact issue. Oh well, job security. One last question. 
Is it possible to tell if the email were dumped into the exchange server via owa or an outlook client. I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA. -Original Message- From: Jason Gurtz +AFs-mailto:jasongurtz+AEA-npumail.com+AF0- Sent: Tuesday, July 21, 2009 3:49 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking +AD4- When I reset the password on the two accounts that were sending all the +AD4- spam, it stopped and hasn+IBk-t returned so the only conclusion I+IBk-ve come up +AD4- with is that these two accounts got their password stolen, and then some +AD4- script or bot accessed their OWA account and sent all the spam. +AD4- +AD4- Does that sound possible
RE: 2k3 message tracking-Resolved
I'd agree, except that being able to do things like piping the live tail of a log into grep to filter for things like IP or certain strings just tickled me. Not sure that'd work with a gui. From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 12:31 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved I'm a reluctant *nix admin, so I'll take gui over command line any day. ;) On Wed, Jul 22, 2009 at 2:25 PM, Jason Gurtz jasongu...@npumail.com wrote: If you don't need a gui interface there's actually native ports (including installers and no Cygwin needed!) of most gnu utils available. Check out gnuwin32.sf.net, click packages and click grep. The only drawback I find is that using these tools inhibits my groking of powershell a bit since it's a throwing around text vs. throwing around objects situation. Whee! ~JasonG -Original Message- From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 15:10 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep is. Never heard of this Windows Grep..off to Google to have a look at it. 
On Wed, Jul 22, 2009 at 1:45 PM, pramatow...@mediageneral.com wrote: Outlook 2007SP2 Exchange 2003SP2 Message was sent in plain text Where you are seeing strange code The top line was a path slash slash server slash windows slash system32 slash logfiles slash w3svc1 Next line was asterisk blinks asterisk Next line after I hope so was three periods Next line after Me was a spacedash Beats the heck out of me why it apostrophe s is being rendered that way to you guys comma I have never seen this before period Putting this here so as not to chance adding another message of doom to the list comma I said grep because I used a program called Windows Grep to pull out the relevant bits from a massive log file smile -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Wednesday, July 22, 2009 2:22 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved What are you using for a mailer? I'd love to know what makes these fantastic codes I keep seeing. -- ME2 On Wed, Jul 22, 2009 at 2:00 PM, pramatow...@mediageneral.com wrote: I've grepped out a bit of a log file from my +AFwAXA-server+AFw- c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 directory I can send you- My OWA session Logging on, creating and sending a message and logging off. Let me know if it's ok to send to your vhcc.edu address. +ACo-blinks+ACo- neat and clear manner?I hope so+ICY- without HUGE sigs and disclaimers? Check. Graphics and other unnecessary additions? Check Me +IBM- list noob? Yep, been here for all of two months tomorrow. see inline graphics before? Yep. See complaints about inline graphics before today? Nope but duly noted. reasonably spell checked? Check grammatically correct Nope. 
-Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- Sent: Wednesday, July 22, 2009 11:07 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved I don't see anything referencing logins in the iis logs. Anyone care to share what it looks like so I know what I'm searching for? Maybe I don't have the logging configured correctly or am not looking for the right thing. All I see in the log is the get, search and propfind and search verbs. -Original Message- From: Miller Bonnie L. +AFs-mailto:millerbl+AEA-mukilteo.wednet.edu+AF0- Sent: Wednesday, July 22, 2009 9:48 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Can you find the logons in your server's IIS logs? I'm guessing they are going to show a lot of activity if it came through via OWA. -Bonnie -Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- Sent: Wednesday, July 22, 2009 6:08 AM To: MS-Exchange Admin Issues
RE: 2k3 message tracking-Resolved
Apologies in advance to everyone, I don't have another place where this happens... Does * equal asterisk this time? -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Wednesday, July 22, 2009 3:44 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved Your message was encoded with UTF-7 -- ME2 On Wed, Jul 22, 2009 at 2:45 PM, pramatow...@mediageneral.com wrote: Outlook 2007SP2 Exchange 2003SP2 Message was sent in plain text Where you are seeing strange code
RE: 2k3 message tracking-Resolved
Sure thing. I'd appreciate seeing the log of a session. Glen. -Original Message- From: pramatow...@mediageneral.com [mailto:pramatow...@mediageneral.com] Sent: Wednesday, July 22, 2009 2:01 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved I've grepped out a bit of a log file from my \\server\c$\WINDOWS\system32\LogFiles\W3SVC1 directory I can send you- My OWA session Logging on, creating and sending a message and logging off. Let me know if it's ok to send to your vhcc.edu address. *blinks* neat and clear manner?I hope so… without HUGE sigs and disclaimers? Check. Graphics and other unnecessary additions? Check Me – list noob? Yep, been here for all of two months tomorrow. see inline graphics before? Yep. See complaints about inline graphics before today? Nope but duly noted. reasonably spell checked? Check grammatically correct Nope. -Original Message- From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Wednesday, July 22, 2009 11:07 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved I don't see anything referencing logins in the iis logs. Anyone care to share what it looks like so I know what I'm searching for? Maybe I don't have the logging configured correctly or am not looking for the right thing. All I see in the log is the get, search and propfind and search verbs. -Original Message- From: Miller Bonnie L. [mailto:mille...@mukilteo.wednet.edu] Sent: Wednesday, July 22, 2009 9:48 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Can you find the logons in your server's IIS logs? I'm guessing they are going to show a lot of activity if it came through via OWA. -Bonnie -Original Message- From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Wednesday, July 22, 2009 6:08 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Thanks to all for the suggestions. 
I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password. Looks like the phishers have a script that runs against owa and sends out all the spam. The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they been through security training(twice) that addresses this exact issue. Oh well, job security. One last question. Is it possible to tell if the email were dumped into the exchange server via owa or an outlook client. I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA. -Original Message- From: Jason Gurtz [mailto:jasongu...@npumail.com] Sent: Tuesday, July 21, 2009 3:49 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking When I reset the password on the two accounts that were sending all the spam, it stopped and hasn’t returned so the only conclusion I’ve come up with is that these two accounts got their password stolen, and then some script or bot accessed their OWA account and sent all the spam. Does that sound possible/logical? Sounds like the users where phished and from what I've heard, this is very common at edu's. You might want to check out installing something like Untangle which has an anti-phishing filter http://www.untangle.com/ in front of your mail server(s). If you're motivated enough to install a Linux based mail gateway you may be able to use this nifty scanning software called Kochi which actually tries to authenticate to your AD: http://oss.lboro.ac.uk/kochi1.html I guess there's some client based tools too to stem the flow of passwords through the browser, check out the Wikipedia article for a list of things to try: http://en.wikipedia.org/wiki/Anti-phishing_software ~JasonG
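One way to look for the OWA activity asked about in this thread, as an added example that is not part of the original messages: a Python pass over IIS W3C extended logs that groups authenticated requests by `cs-username`. The log lines are constructed, and it assumes the `cs-username`, `c-ip` and `cs-method` fields are enabled in the site's logging; the function names and the request threshold are illustrative.

```python
from collections import Counter


def build_sample_log():
    """Return a constructed W3C extended log; every value here is made up."""
    lines = [
        "#Software: Microsoft Internet Information Services 6.0",
        "#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status",
        "2009-07-20 09:01:12 192.0.2.10 EXAMPLE\\alice GET /exchange/alice/Inbox/ 200",
        "2009-07-20 09:01:13 192.0.2.10 EXAMPLE\\alice PROPFIND /exchange/alice/Inbox/ 207",
        "2009-07-20 09:01:15 192.0.2.10 EXAMPLE\\alice SEARCH /exchange/alice/Inbox/ 207",
        # Unauthenticated request: IIS writes '-' in cs-username.
        "2009-07-20 09:02:00 198.51.100.7 - GET /exchange/ 401",
    ]
    # A burst of requests for one account from a single outside address.
    for n in range(40):
        lines.append(
            f"2009-07-20 03:00:{n:02d} 203.0.113.50 "
            "EXAMPLE\\bob POST /exchange/bob/Drafts/ 200"
        )
    return "\n".join(lines) + "\n"


def parse_w3c(log_text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The directive can reappear mid-file when logging settings change.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row
        yield dict(zip(fields, values))


def summarize_users(log_text):
    """Group authenticated requests by user: count, methods and client IPs."""
    summary = {}
    for row in parse_w3c(log_text):
        user = row.get("cs-username", "-")
        if user == "-":
            continue  # no logon associated with this request
        entry = summary.setdefault(
            user.lower(), {"requests": 0, "methods": Counter(), "ips": set()}
        )
        entry["requests"] += 1
        entry["methods"][row.get("cs-method", "?")] += 1
        entry["ips"].add(row.get("c-ip", "?"))
    return summary


def heavy_users(summary, min_requests=25):
    """Return (user, request_count) pairs at or above the threshold, busiest first."""
    hits = [(u, e["requests"]) for u, e in summary.items()
            if e["requests"] >= min_requests]
    return sorted(hits, key=lambda pair: -pair[1])


if __name__ == "__main__":
    summary = summarize_users(build_sample_log())
    for user, info in summary.items():
        print(user, info["requests"], dict(info["methods"]), sorted(info["ips"]))
    print("heavy:", heavy_users(summary))
```

If `cs-username` is not among the logged fields, the rows carry no logon information and only the verbs and URIs are visible.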
RE: 2k3 message tracking-Resolved
Agree wholeheartedly - am very happy to be able to say I no longer have any access to our *nix servers. From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 1:34 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved I really really dislike vi, really I do. On Wed, Jul 22, 2009 at 3:30 PM, Don Andrews don.andr...@safeway.com wrote: Yup, grep is quite a tool if not meaningfully named - like vi - at least tail gives you a clue. From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 12:10 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep is. Never heard of this Windows Grep..off to Google to have a look at it. On Wed, Jul 22, 2009 at 1:45 PM, pramatow...@mediageneral.com wrote: Outlook 2007SP2 Exchange 2003SP2 Message was sent in plain text Where you are seeing strange code The top line was a path slash slash server slash windows slash system32 slash logfiles slash w3svc1 Next line was asterisk blinks asterisk Next line after I hope so was three periods Next line after Me was a spacedash Beats the heck out of me why it apostrophe s is being rendered that way to you guys comma I have never seen this before period Putting this here so as not to chance adding another message of doom to the list comma I said grep because I used a program called Windows Grep to pull out the relevant bits from a massive log file smile -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Wednesday, July 22, 2009 2:22 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved What are you using for a mailer? I'd love to know what makes these fantastic codes I keep seeing. 
-- ME2 On Wed, Jul 22, 2009 at 2:00 PM, pramatow...@mediageneral.com wrote: I've grepped out a bit of a log file from my +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 directory I can send you- My OWA session Logging on, creating and sending a message and logging off. Let me know if it's ok to send to your vhcc.edu address. +ACo-blinks+ACo- neat and clear manner?I hope so+ICY- without HUGE sigs and disclaimers? Check. Graphics and other unnecessary additions? Check Me +IBM- list noob? Yep, been here for all of two months tomorrow. see inline graphics before? Yep. See complaints about inline graphics before today? Nope but duly noted. reasonably spell checked? Check grammatically correct Nope. -Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- Sent: Wednesday, July 22, 2009 11:07 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved I don't see anything referencing logins in the iis logs. Anyone care to share what it looks like so I know what I'm searching for? Maybe I don't have the logging configured correctly or am not looking for the right thing. All I see in the log is the get, search and propfind and search verbs. -Original Message- From: Miller Bonnie L. +AFs-mailto:millerbl+AEA-mukilteo.wednet.edu+AF0- Sent: Wednesday, July 22, 2009 9:48 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Can you find the logons in your server's IIS logs? I'm guessing they are going to show a lot of activity if it came through via OWA. -Bonnie -Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- Sent: Wednesday, July 22, 2009 6:08 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Thanks to all for the suggestions. 
I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password. Looks like the phishers have a script that runs against owa and sends out all the spam. The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they been through security training(twice) that addresses this exact issue. Oh well, job security. One last question. Is it possible to tell if the email were dumped into the exchange server via owa or an outlook client. I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA. -Original Message- From: Jason Gurtz +AFs-mailto:jasongurtz+AEA-npumail.com+AF0- Sent: Tuesday, July 21, 2009 3:49 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking +AD4- When I reset the password on the two accounts that were sending all the +AD4- spam, it stopped and hasn+IBk-t returned so
RE: 2k3 message tracking-Resolved
Wuss. Vi (vim) is my preferred editor. It rocks! From: Don Andrews [don.andr...@safeway.com] Sent: Wednesday, July 22, 2009 5:07 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Agree wholeheartedly – am very happy to be able to say I no longer have any access to our *nix servers. From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 1:34 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved I really really dislike vi, really I do. On Wed, Jul 22, 2009 at 3:30 PM, Don Andrews don.andr...@safeway.com wrote: Yup, grep is quite a tool if not meaningfully named – like vi – at least tail gives you a clue. From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 12:10 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep is. Never heard of this Windows Grep..off to Google to have a look at it.
On Wed, Jul 22, 2009 at 1:45 PM, pramatow...@mediageneral.com wrote: Outlook 2007SP2 Exchange 2003SP2 Message was sent in plain text Where you are seeing strange code The top line was a path slash slash server slash windows slash system32 slash logfiles slash w3svc1 Next line was asterisk blinks asterisk Next line after I hope so was three periods Next line after Me was a spacedash Beats the heck out of me why it apostrophe s is being rendered that way to you guys comma I have never seen this before period Putting this here so as not to chance adding another message of doom to the list comma I said grep because I used a program called Windows Grep to pull out the relevant bits from a massive log file smile -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Wednesday, July 22, 2009 2:22 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved What are you using for a mailer? I'd love to know what makes these fantastic codes I keep seeing. -- ME2 On Wed, Jul 22, 2009 at 2:00 PM, pramatow...@mediageneral.com wrote: I've grepped out a bit of a log file from my +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 directory I can send you- My OWA session Logging on, creating and sending a message and logging off. Let me know if it's ok to send to your vhcc.edu address. +ACo-blinks+ACo- neat and clear manner?I hope so+ICY- without HUGE sigs and disclaimers? Check. Graphics and other unnecessary additions? Check Me +IBM- list noob? Yep, been here for all of two months tomorrow. see inline graphics before? Yep. See complaints about inline graphics before today? Nope but duly noted. reasonably spell checked? Check grammatically correct Nope.
-Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- Sent: Wednesday, July 22, 2009 11:07 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved I don't see anything referencing logins in the iis logs. Anyone care to share what it looks like so I know what I'm searching for? Maybe I don't have the logging configured correctly or am not looking for the right thing. All I see in the log is the get, search and propfind and search verbs. -Original Message- From: Miller Bonnie L. +AFs-mailto:millerbl+AEA-mukilteo.wednet.edu+AF0- Sent: Wednesday, July 22, 2009 9:48 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Can you find the logons in your server's IIS logs? I'm guessing they are going to show a lot of activity if it came through via OWA. -Bonnie -Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- Sent: Wednesday, July 22, 2009 6:08 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Thanks to all for the suggestions. I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password. Looks like the phishers have a script that runs against owa and sends out all the spam. The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they been through security training(twice) that addresses this exact issue. Oh well, job security. One last question. Is it possible to tell if the email were dumped into the exchange server via owa or an outlook client. I'm not seeing any reference
RE: 2k3 message tracking-Resolved
It isn't? It is? -sc From: Don Andrews [mailto:don.andr...@safeway.com] Sent: Wednesday, July 22, 2009 4:31 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Yup, grep is quite a tool if not meaningfully named - like vi - at least tail gives you a clue. From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 12:10 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep is. Never heard of this Windows Grep..off to Google to have a look at it.
RE: 2k3 message tracking-Resolved
You don't need grep. You've got Powershell, and select-string. From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 2:10 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep is. Never heard of this Windows Grep..off to Google to have a look at it. On Wed, Jul 22, 2009 at 1:45 PM, pramatow...@mediageneral.commailto:pramatow...@mediageneral.com wrote: Outlook 2007SP2 Exchange 2003SP2 Message was sent in plain text Where you are seeing strange code The top line was a path slash slash server slash windows slash system32 slash logfiles slash w3svc1 Next line was asterisk blinks asterisk Next line after I hope so was three periods Next line after Me was a spacedash Beats the heck out of me why it apostrophe s is being rendered that way to you guys comma I have never seen this before period Putting this here so as not to chance adding another message of doom to the list comma I said grep because I used a program called Windows Grep to pull out the relevant bits from a massive log file smile -Original Message- From: Micheal Espinola Jr [mailto:michealespin...@gmail.commailto:michealespin...@gmail.com] Sent: Wednesday, July 22, 2009 2:22 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved What are you using for a mailer? I'd love to know what makes these fantastic codes I keep seeing. -- ME2 On Wed, Jul 22, 2009 at 2:00 PM, pramatow...@mediageneral.commailto:pramatow...@mediageneral.com wrote: I've grepped out a bit of a log file from my +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 directory I can send you- My OWA session Logging on, creating and sending a message and logging off. Let me know if it's ok to send to your vhcc.eduhttp://vhcc.edu address. +ACo-blinks+ACo- neat and clear manner?I hope so+ICY- without HUGE sigs and disclaimers? 
Check. Graphics and other unnecessary additions? Check Me +IBM- list noob? Yep, been here for all of two months tomorrow. see inline graphics before? Yep. See complaints about inline graphics before today? Nope but duly noted. reasonably spell checked? Check grammatically correct Nope. -Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0-mailto:gjohnson%2BAEA-vhcc.edu%2BAF0- Sent: Wednesday, July 22, 2009 11:07 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved I don't see anything referencing logins in the iis logs. Anyone care to share what it looks like so I know what I'm searching for? Maybe I don't have the logging configured correctly or am not looking for the right thing. All I see in the log is the get, search and propfind and search verbs. -Original Message- From: Miller Bonnie L. +AFs-mailto:millerbl+AEA-mukilteo.wednet.edu+AF0-mailto:millerbl%2BAEA-mukilteo.wednet.edu%2BAF0- Sent: Wednesday, July 22, 2009 9:48 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Can you find the logons in your server's IIS logs? I'm guessing they are going to show a lot of activity if it came through via OWA. -Bonnie -Original Message- From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0-mailto:gjohnson%2BAEA-vhcc.edu%2BAF0- Sent: Wednesday, July 22, 2009 6:08 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Thanks to all for the suggestions. I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password. Looks like the phishers have a script that runs against owa and sends out all the spam. The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they been through security training(twice) that addresses this exact issue. Oh well, job security. One last question. 
Is it possible to tell if the email were dumped into the exchange server via owa or an outlook client. I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA. -Original Message- From: Jason Gurtz +AFs-mailto:jasongurtz+AEA-npumail.com+AF0-mailto:jasongurtz%2BAEA-npumail.com%2BAF0- Sent: Tuesday, July 21, 2009 3:49 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking +AD4- When I reset the password on the two accounts that were sending all the +AD4- spam, it stopped and hasn+IBk-t returned so the only conclusion I+IBk-ve come up +AD4- with is that these two accounts got their password stolen, and then some +AD4- script or bot accessed their OWA account and sent all the spam. +AD4- +AD4- Does that sound possible/logical? Sounds like the users where phished and from what I've heard, this is very common at edu's. You
RE: 2k3 message tracking-Resolved
grep - global regular expression print (i think - close anyway) vi - visual editor Both make sense to me. From: Steven M. Caesare [scaes...@caesare.com] Sent: Wednesday, July 22, 2009 6:21 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved It isn’t? It is? -sc From: Don Andrews [mailto:don.andr...@safeway.com] Sent: Wednesday, July 22, 2009 4:31 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Yup, grep is quite a tool if not meaningfully named – like vi – at least tail gives you a clue. From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 12:10 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep is. Never heard of this Windows Grep..off to Google to have a look at it.
RE: 2k3 message tracking-Resolved
True 'nuff. Wuss works - can't even bowl without beering (can beer without bowling tho). From: Michael B. Smith [mailto:mich...@owa.smithcons.com] Sent: Wednesday, July 22, 2009 3:20 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Wuss. Vi (vim) is my preferred editor. It rocks! From: Don Andrews [don.andr...@safeway.com] Sent: Wednesday, July 22, 2009 5:07 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Agree wholeheartedly - am very happy to be able to say I no longer have any access to our *nix servers. From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 1:34 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved I really really dislike vi, really I do. On Wed, Jul 22, 2009 at 3:30 PM, Don Andrews don.andr...@safeway.com wrote: Yup, grep is quite a tool if not meaningfully named - like vi - at least tail gives you a clue. From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 12:10 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep is. Never heard of this Windows Grep..off to Google to have a look at it. 
Re: 2k3 message tracking-Resolved
Here's some power for you: http://oreilly.com/openbook/utp/ http://www.gnu.org/software/coreutils/manual/ http://www.faqs.org/docs/artu/ch01s06.html On Wed, Jul 22, 2009 at 12:30, Sherry Abercrombie saber...@gmail.com wrote: I'm a reluctant *nix admin, so I'll take gui over command line any day. ;) On Wed, Jul 22, 2009 at 2:25 PM, Jason Gurtz jasongu...@npumail.com wrote: If you don't need a gui interface there's actually native ports (including installers and no Cygwin needed!) of most gnu utils available. Check out gnuwin32.sf.net, click packages and click grep. The only drawback I find is that using these tools inhibits my grokking of powershell a bit since it's a throwing around text vs. throwing around objects situation. Whee! ~JasonG -Original Message- From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 15:10 To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep is. Never heard of this Windows Grep..off to Google to have a look at it.
RE: 2k3 message tracking-Resolved
Exactly. Almost all of the unix tools have a meaningful (if non-obvious) name. -sc From: Michael B. Smith [mailto:mich...@owa.smithcons.com] Sent: Wednesday, July 22, 2009 6:22 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved grep - global regular expression print (i think - close anyway) vi - visual editor Both make sense to me. From: Steven M. Caesare [scaes...@caesare.com] Sent: Wednesday, July 22, 2009 6:21 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved It isn't? It is? -sc From: Don Andrews [mailto:don.andr...@safeway.com] Sent: Wednesday, July 22, 2009 4:31 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Yup, grep is quite a tool if not meaningfully named - like vi - at least tail gives you a clue. From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 12:10 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved LOL, well, usually only someone with *nix experience would even use the word grep because most windows admins have no clue what grep is. Never heard of this Windows Grep..off to Google to have a look at it. 
RE: Making sure all can read... (was RE: 2k3 message tracking-Resolved)
Throw a piece of bait like that in front of him and yep, he’s going to bite. Greetings from the Middle of Nowhere, Afghanistan. John H. Matteson, Jr. Systems Administrator/ITT Systems Forward Operating Base Orgun-E Afghanistan DSN - 318 431 8001 VoSIP - (308) 431 - Iridium SatPhone - 717.633.3823 Roshain Mobile - 079 - 736 - 3832 Molōn labe! From: Sherry Abercrombie [mailto:saber...@gmail.com] Sent: Wednesday, July 22, 2009 7:53 PM To: MS-Exchange Admin Issues Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) LOL, it worked.I knew that Shookie would have to make a comment about that when I typed it.;) On Wed, Jul 22, 2009 at 10:18 AM, Andy Shook andy.sh...@peak10.com wrote: ME2 and I both do it, it's painless and works H…. Shook
RE: 2k3 message tracking
Followup. Anyone know anything about a browser called Crazy Browser at www.crazybrowser.com? I found this browser listed in the w3svc1 log files referencing one of the accounts that sent out a bunch of the spam. Also, anyone ever hear of a way to send bulk email through owa? We have owa published through ISA 2006 but the backend exchange server is not published to the internet in any way so I'm thinking this problem wasn't an open relay issue. The one email I have looks like it originated within our exchange server. When I reset the password on the two accounts that were sending all the spam, it stopped and hasn't returned so the only conclusion I've come up with is that these two accounts got their password stolen, and then some script or bot accessed their OWA account and sent all the spam. Does that sound possible/logical? From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Thursday, July 16, 2009 6:41 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking Michael. I'm no exchange expert by any stretch of the imagination so here is the message tracking for one of the many spams. Any ideas if maybe I need to turn on/up some tracking options? From: Michael B. Smith [mailto:mich...@owa.smithcons.com] Sent: Thursday, July 16, 2009 1:02 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking message tracking should show you where a message originated. what did it give you for the message reference by spamcop? From: Glen Johnson [gjohn...@vhcc.edu] Sent: Thursday, July 16, 2009 8:52 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking Followup. Anyone care to take a look at this report and help me figure out where it originated and how it got through our system? Vh-fs4 is our x-wall spam gateway in the report. Thanks in advance. Glen.
http://www.spamcop.net/w3m?i=z4375098464z63297735500b0e4abee95f47f7adae82z From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Friday, July 10, 2009 10:28 PM To: MS-Exchange Admin Issues Subject: 2k3 message tracking I've looked in message tracking and also at the logs and can't find what I need. We have a client pc sending hundreds of spam emails through our exchange server. Nothing open directly from exchange to the internet except https for owa. Relaying is disabled except for 4 ips which are other servers. Anyway, we have frozen a ton of them in the SMTP queue and message tracking shows them but doesn't say where they originate. They originate from 2 different accounts and it is possible that both of these users have logged onto the same computer. Part time faculty and they all share several computers. Any suggestions appreciated.
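An added example, not part of any message in this thread: the W3SVC log review described above, done as a script that groups authenticated OWA requests by account and surfaces the client IPs, user agents and request bursts behind each one. The log lines, account names, addresses, field list, the `/exchange` path prefix and the thresholds are all constructed assumptions; the parser reads whatever `#Fields:` directive the real log declares.

```python
from collections import defaultdict

IE = "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1)"
BOT = "Mozilla/4.0+(compatible;+MSIE+6.0;+Crazy+Browser+2.0.1)"
# Constructed sample in IIS W3C extended format; accounts and addresses are made up.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status",
    rf"2009-07-10 13:02:11 GET /exchange/facultyA/Inbox/ EXAMPLE\facultyA 192.0.2.10 {IE} 200",
    rf"2009-07-10 13:09:40 PROPFIND /exchange/facultyA/Inbox/ EXAMPLE\facultyA 192.0.2.10 {IE} 207",
    rf"2009-07-10 14:30:05 GET /exchange/facultyB/Inbox/ EXAMPLE\facultyB 192.0.2.10 {IE} 200",
    rf"2009-07-10 22:15:01 GET /exchweb/img/logo.gif - 203.0.113.77 {BOT} 200",
] + [rf"2009-07-10 22:15:0{s} POST /exchange/facultyB/Drafts/ EXAMPLE\facultyB 203.0.113.77 {BOT} 200"
     for s in range(2, 7)]

def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the directive can recur mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated rows
                yield dict(zip(fields, values))

def owa_activity(lines, prefix="/exchange"):
    """Group authenticated requests under the OWA path by account name."""
    acct = defaultdict(lambda: {"requests": 0, "posts": 0, "ips": set(),
                                "agents": set(), "per_minute": defaultdict(int)})
    for r in parse_w3c(lines):
        user = r.get("cs-username", "-")
        stem = r.get("cs-uri-stem", "").lower()
        if user == "-" or not stem.startswith(prefix):
            continue                           # anonymous or non-OWA request
        a = acct[user.lower()]
        a["requests"] += 1
        a["posts"] += r.get("cs-method") == "POST"
        a["ips"].add(r.get("c-ip", "-"))
        a["agents"].add(r.get("cs(User-Agent)", "-").replace("+", " "))
        a["per_minute"][r["date"] + " " + r["time"][:5]] += 1
    return acct

def suspicious(acct, max_per_minute=3, max_ips=1):
    """Accounts with a request burst or more client IPs than expected (assumed thresholds)."""
    return sorted(u for u, a in acct.items()
                  if max(a["per_minute"].values()) > max_per_minute
                  or len(a["ips"]) > max_ips)
```

The `cs-username` field is where an authenticated logon shows up in these logs, so it has to be enabled in the site's logging properties for any of this to work.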
Re: 2k3 message tracking
Anything is possible when you are talking about a third-party browser rendering pages ala IE. I would ban it. http://www.pcworld.com/downloads/file/fid,23119-order,4-c,browsersclients/description.html -- ME2 On Tue, Jul 21, 2009 at 9:13 AM, Glen Johnson gjohn...@vhcc.edu wrote: Followup. Anyone know anything about a browser called Crazy Browser at www.crazybrowser.com? I found this browser listed in the w3svc1 log files referencing one of the accounts that sent out a bunch of the spam. Also, anyone ever hear of a way to send bulk email through owa? We have owa published through ISA 2006 but the backend exchange server is not published to the internet in any way so I’m thinking this problem wasn’t an open relay issue. The one email I have looks like it originated within our exchange server. When I reset the password on the two accounts that were sending all the spam, it stopped and hasn’t returned so the only conclusion I’ve come up with is that these two accounts got their password stolen, and then some script or bot accessed their OWA account and sent all the spam. Does that sound possible/logical? From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Thursday, July 16, 2009 6:41 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking Michael. I’m no exchange expert by any stretch of the imagination so here is the message tracking for one of the many spams. Any ideas if maybe I need to turn on/up some tracking options? From: Michael B. Smith [mailto:mich...@owa.smithcons.com] Sent: Thursday, July 16, 2009 1:02 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking message tracking should show you where a message originated. what did it give you for the message reference by spamcop? From: Glen Johnson [gjohn...@vhcc.edu] Sent: Thursday, July 16, 2009 8:52 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking Followup. Anyone care to take a look at this report and help me figure out where it originated and how it got through our system?
Vh-fs4 is our x-wall spam gateway in the report. Thanks in advance. Glen. http://www.spamcop.net/w3m?i=z4375098464z63297735500b0e4abee95f47f7adae82z From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Friday, July 10, 2009 10:28 PM To: MS-Exchange Admin Issues Subject: 2k3 message tracking I’ve looked in message tracking and also at the logs and can’t find what I need. We have a client pc sending hundreds of spam emails through our exchange server. Nothing open directly from exchange to the internet except https for owa. Relaying is disabled except for 4 ips which are other servers. Anyway, we have frozen a ton of them in the SMTP queue and message tracking shows them but doesn’t say where they originate. They originate from 2 different accounts and it is possible that both of these users have logged onto the same computer. Part time faculty and they all share several computers. Any suggestions appreciated.
RE: 2k3 message tracking
When I reset the password on the two accounts that were sending all the spam, it stopped and hasn’t returned so the only conclusion I’ve come up with is that these two accounts got their password stolen, and then some script or bot accessed their OWA account and sent all the spam. Does that sound possible/logical? Sounds like the users were phished and from what I've heard, this is very common at edu's. You might want to check out installing something like Untangle which has an anti-phishing filter http://www.untangle.com/ in front of your mail server(s). If you're motivated enough to install a Linux based mail gateway you may be able to use this nifty scanning software called Kochi which actually tries to authenticate to your AD: http://oss.lboro.ac.uk/kochi1.html I guess there's some client based tools too to stem the flow of passwords through the browser, check out the Wikipedia article for a list of things to try: http://en.wikipedia.org/wiki/Anti-phishing_software ~JasonG
Re: 2k3 message tracking
Jason, What are these +AD4-, etc, codes about? They appear to represent high ascii. They are constantly in your emails, and other than being somewhat annoying when they are interjected into the middle of words (apostrophe use, etc). They are most annoying when they break the links that you post. -- ME2 On Tue, Jul 21, 2009 at 3:49 PM, Jason Gurtz jasongu...@npumail.com wrote: +AD4- When I reset the password on the two accounts that were sending all the +AD4- spam, it stopped and hasn+IBk-t returned so the only conclusion I+IBk-ve come up +AD4- with is that these two accounts got their password stolen, and then some +AD4- script or bot accessed their OWA account and sent all the spam. +AD4- +AD4- Does that sound possible/logical? Sounds like the users were phished and from what I've heard, this is very common at edu's. You might want to check out installing something like Untangle which has an anti-phishing filter +ADw-http://www.untangle.com/+AD4- in front of your mail server(s). If you're motivated enough to install a Linux based mail gateway you may be able to use this nifty scanning software called Kochi which actually tries to authenticate to your AD: +ADw-http://oss.lboro.ac.uk/kochi1.html+AD4- I guess there's some client based tools too to stem the flow of passwords through the browser, check out the Wikipedia article for a list of things to try: http://en.wikipedia.org/wiki/Anti-phishing+AF8-software +AH4-JasonG
RESEND: RE: 2k3 message tracking
[Looks like I'll give up on UTF with all the broken clients out there, sorry for the inconvenience.] When I reset the password on the two accounts that were sending all the spam, it stopped and hasn't returned so the only conclusion I've come up with is that these two accounts got their password stolen, and then some script or bot accessed their OWA account and sent all the spam. Does that sound possible/logical? Sounds like the users were phished and from what I've heard, this is very common at edu's. You might want to check out installing something like Untangle which has an anti-phishing filter http://www.untangle.com/ in front of your mail server(s). If you're motivated enough to install a Linux based mail gateway you may be able to use this nifty scanning software called Kochi which actually tries to authenticate to your AD: http://oss.lboro.ac.uk/kochi1.html I guess there's some client based tools too to stem the flow of passwords through the browser, check out the Wikipedia article for a list of things to try: http://en.wikipedia.org/wiki/Anti-phishing_software ~JasonG
RE: 2k3 message tracking
Followup. Anyone care to take a look at this report and help me figure out where it originated and how it got through our system? Vh-fs4 is our x-wall spam gateway in the report. Thanks in advance. Glen. http://www.spamcop.net/w3m?i=z4375098464z63297735500b0e4abee95f47f7adae82z From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Friday, July 10, 2009 10:28 PM To: MS-Exchange Admin Issues Subject: 2k3 message tracking I've looked in message tracking and also at the logs and can't find what I need. We have a client pc sending hundreds of spam emails through our exchange server. Nothing open directly from exchange to the internet except https for owa. Relaying is disabled except for 4 ips which are other servers. Anyway, we have frozen a ton of them in the SMTP queue and message tracking shows them but doesn't say where they originate. They originate from 2 different accounts and it is possible that both of these users have logged onto the same computer. Part time faculty and they all share several computers. Any suggestions appreciated.
RE: 2k3 message tracking
If the message was originated using MAPI you will not be looking at a relaying issue. Make sure anti-virus is up to date on the PCs where those accounts are logged on (or have logged on since this issue started). If necessary, re-build the PCs completely. Have you looked in IIS logs, too? From: bounce-8600520-8066...@lyris.sunbelt-software.com [mailto:bounce-8600520-8066...@lyris.sunbelt-software.com] On Behalf Of Glen Johnson Sent: 16 July 2009 13:53 To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking Followup. Anyone care to take a look at this report and help me figure out where it originated and how it got through our system? Vh-fs4 is our x-wall spam gateway in the report. Thanks in advance. Glen. http://www.spamcop.net/w3m?i=z4375098464z63297735500b0e4abee95f47f7adae82z From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Friday, July 10, 2009 10:28 PM To: MS-Exchange Admin Issues Subject: 2k3 message tracking I've looked in message tracking and also at the logs and can't find what I need. We have a client pc sending hundreds of spam emails through our exchange server. Nothing open directly from exchange to the internet except https for owa. Relaying is disabled except for 4 ips which are other servers. Anyway, we have frozen a ton of them in the SMTP queue and message tracking shows them but doesn't say where they originate. They originate from 2 different accounts and it is possible that both of these users have logged onto the same computer. Part time faculty and they all share several computers. Any suggestions appreciated.
RE: 2k3 message tracking
message tracking should show you where a message originated. what did it give you for the message reference by spamcop? From: Glen Johnson [gjohn...@vhcc.edu] Sent: Thursday, July 16, 2009 8:52 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking Followup. Anyone care to take a look at this report and help me figure out where it originated and how it got through our system? Vh-fs4 is our x-wall spam gateway in the report. Thanks in advance. Glen. http://www.spamcop.net/w3m?i=z4375098464z63297735500b0e4abee95f47f7adae82z From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Friday, July 10, 2009 10:28 PM To: MS-Exchange Admin Issues Subject: 2k3 message tracking I’ve looked in message tracking and also at the logs and can’t find what I need. We have a client pc sending hundreds of spam emails through our exchange server. Nothing open directly from exchange to the internet except https for owa. Relaying is disabled except for 4 ips which are other servers. Anyway, we have frozen a ton of them in the SMTP queue and message tracking shows them but doesn’t say where they originate. They originate from 2 different accounts and it is possible that both of these users have logged onto the same computer. Part time faculty and they all share several computers. Any suggestions appreciated.
RE: 2k3 message tracking
Michael. I'm no exchange expert by any stretch of the imagination so here is the message tracking for one of the many spams. Any ideas if maybe I need to turn on/up some tracking options? From: Michael B. Smith [mailto:mich...@owa.smithcons.com] Sent: Thursday, July 16, 2009 1:02 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking message tracking should show you where a message originated. what did it give you for the message reference by spamcop? From: Glen Johnson [gjohn...@vhcc.edu] Sent: Thursday, July 16, 2009 8:52 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking Followup. Anyone care to take a look at this report and help me figure out where it originated and how it got through our system? Vh-fs4 is our x-wall spam gateway in the report. Thanks in advance. Glen. http://www.spamcop.net/w3m?i=z4375098464z63297735500b0e4abee95f47f7adae82z From: Glen Johnson [mailto:gjohn...@vhcc.edu] Sent: Friday, July 10, 2009 10:28 PM To: MS-Exchange Admin Issues Subject: 2k3 message tracking I've looked in message tracking and also at the logs and can't find what I need. We have a client pc sending hundreds of spam emails through our exchange server. Nothing open directly from exchange to the internet except https for owa. Relaying is disabled except for 4 ips which are other servers. Anyway, we have frozen a ton of them in the SMTP queue and message tracking shows them but doesn't say where they originate. They originate from 2 different accounts and it is possible that both of these users have logged onto the same computer. Part time faculty and they all share several computers. Any suggestions appreciated.