• Status: Solved
  • Priority: Medium
  • Security: Public

Exchange System Manager, "Last Logged on By", and Spam.

I am trying to see if I have something in my Exchange Server that is sending internal Spam. I keep getting junk messages that appear to be coming from inside my organization. I cannot add the sender to the blocked sender list because supposedly they are internal. Not many, just one or two every week or so. While looking around inside the Exchange System Manager, more specifically: Exchange System Manager>Domain>Servers>First Storage Group>Mailbox Store (Server)>Mailboxes, I have a table listing my users, who logged them in, mailbox size, etc. Most of the users are listed as being last logged in by themselves (Domain\User1, Domain\User2, etc.). However, one of them is being shown as last logged in by "NT Authority\System." What does that mean? I am asking for two reasons: 1) it is different from all the others and 2) it happens to be one of the addresses affected by the periodic spam. If I am barking up the wrong tree, what else should I be looking at?

Thank You,
Eric
 
Sembee Commented:
That "Last Logged on by" is useless. \system means that the server has used the mailbox. It logs in to every account. Look at the server first thing in the morning before everyone is in and you will see most mailboxes will have that value.

With spam that is coming "from" internal users, does the message have SMTP headers? If so, it has come from outside. A common spammer's trick is to use the same domain for both the From and To line.

Simon.
 
esingleton (Author) Commented:
I am new to Exchange and just learning my way around it. I am aware of the Same Domain trick but thought this might be different.

After poking around this is what I found:

Internet Header:
"
Microsoft Mail Internet Headers Version 2.0
Received: from mail pickup service by mail.domain.com with Microsoft SMTPSVC; Tue, 6 Jun 2006 16:00:37 -0400
thread-index: AcaJo+BcgbR/k2v1TA+cDubZn07iqw==
Cc:
Bcc:
Return-Path: <faceless@bjdr.belpak.brest.by>
Envelope-to: user1@domain.com
Delivery-date: Tue, 06 Jun 2006 15:56:42 -0400
X-Originating-IP: 63.248.160.95 by smtp.74.131.186.126;  Tue, 06 Jun 2006 15:56:39 -0500
Message-ID: <000b01c689a3$e05cf1e0$0700a8c0@domain.net>
From: "Gabriela Hoskins" <user1@domain.com>
X-Mailer: Microsoft CDO for Exchange 2000
Reply-To: "Gabriela Hoskins" <user1@domain.com>
To: <user2@domain.com>,
      <user2@domain.com>
Subject: Passed over again for that promotion, no Degree?
Date: Tue, 6 Jun 2006 16:00:36 -0400
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
X-OriginalArrivalTime: 06 Jun 2006 20:00:37.0178 (UTC) FILETIME=[E0DB49A0:01C689A3]

I do not know who Gabriela Hoskins is and I don't suppose it matters.
 
Sembee Commented:
The presence of headers means the message came via SMTP.
Do any of the IP addresses in the header belong to you?
Are you using SBS with a POP3 connector, or having email delivered directly by SMTP?

Simon.
 
esingleton (Author) Commented:
I do not recognize any of the IP addresses.

We are using SBS2003 with a POP3 Connector to retrieve mail.
 
Sembee Commented:
That explains the header content. It is coming in from outside, but the header content is being destroyed by the POP3 pickup.
Unfortunately, as you are using the POP3 connector, your options are limited as the email has already been accepted. You might find that IMF will quarantine the message, but you probably need to look at investing in an antispam application that can deal with some of this stuff.

The IP addresses shown in the headers indicate...

63.248.160.95 belongs to Flashcom Inc.
74.131.186.126 belongs to Insight Communications Corp.

Simon.
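
The header check discussed in this thread, as an added example that is not part of the original posts: it parses a message's Internet headers, flags a From address that claims the local domain while Return-Path points elsewhere, and lists relay IPs outside your own networks. The header lines are copied from the post above; the function name `triage` and the 192.168.0.0/16 "own network" range are assumptions to replace with your real values.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Header subset copied from the post above (addresses as anonymised there).
SAMPLE = """\
Received: from mail pickup service by mail.domain.com with Microsoft SMTPSVC; Tue, 6 Jun 2006 16:00:37 -0400
Return-Path: <faceless@bjdr.belpak.brest.by>
Envelope-to: user1@domain.com
X-Originating-IP: 63.248.160.95 by smtp.74.131.186.126;  Tue, 06 Jun 2006 15:56:39 -0500
From: "Gabriela Hoskins" <user1@domain.com>
To: <user2@domain.com>
Subject: Passed over again for that promotion, no Degree?

"""

# Assumption: the networks that count as "ours"; substitute your real ranges.
OWN_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def domain_of(value):
    """Lower-cased domain of an address header value, or '' if absent."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def triage(raw_headers, own_domain, own_networks=OWN_NETWORKS):
    """Summarise whether headers point to an external origin (hypothetical helper)."""
    msg = message_from_string(raw_headers)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    foreign = set()
    for name in ("Received", "X-Originating-IP"):
        for value in msg.get_all(name, []):
            for text in IP_RE.findall(value):
                try:
                    ip = ipaddress.ip_address(text)
                except ValueError:  # e.g. 999.1.1.1 matched by the regex
                    continue
                if not any(ip in net for net in own_networks):
                    foreign.add(text)
    return {
        # From says "us", bounce address says somewhere else: a spoofing hint.
        "spoofed_from": from_dom == own_domain and rp_dom not in ("", own_domain),
        "return_path_domain": rp_dom,
        "foreign_ips": sorted(foreign, key=ipaddress.ip_address),
    }

if __name__ == "__main__":
    print(triage(SAMPLE, "domain.com"))
```

A Return-Path mismatch is a hint rather than proof, since legitimate forwarders and mailing lists also rewrite it, so read it together with the relay IPs.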
 
esingleton (Author) Commented:
Sembee,

Thank you for your help. Are there any antispam applications that are designed for SBS2003 and Exchange? Any that you can recommend?
 
Sembee Commented:
Nothing specifically designed for SBS, because SBS is basically Exchange.

Recommending those types of applications is close to impossible, because each site gets different types of spam and also gets different types of email messages. I have one client who deals with financial products (loans, mortgages etc) and lots of home based brokers. So you get emails coming in from AOL and Hotmail accounts with loans and mortgages in the content. We couldn't find an antispam application that could cope and ended up getting an outsourced solution custom built.

Most of the antispam applications have a trial version. Get hold of them, put them into report-only mode and see what they come up with.
You could start with IMF, which is built in to Exchange 2003 SP2 (if you aren't on SP2 for Exchange, then get it installed). http://www.msexchange.org/tutorials/Intelligent-Message-Filter-version-2-IMF-v2.html

For applications, take a look at
GFI Mail Essentials
Sunbelt Software I Hate Spam (now called Ninja or something like that)
Vamsoft ORF

There are others, but those are the three I come across most often.

Simon.