
How do I monitor email traffic in Exchange to identify an unusually high traffic user?

I have a virus on our network that has infected a machine using Outlook (with Exchange). The virus is sending out spam through Exchange. How can I monitor the number of messages going out each hour per user in Exchange so that I can isolate the offending machine?
Asked by: stogabill

1 Solution

peakpeak commented:
You can enable message tracking, let it run for a while and then view all emails and sort on sender. You will easily see the most frequent sender.
http://www.msexchange.org/tutorials/Exchange-2003-Message-Tracking-Logging.html

peakpeak commented:
The sender might be forged but this is a start

tigermatt commented:
Just to point out, using message tracking will only work if users generally use the same workstation. If many users use the infected machine then you will have trouble tracking it with message tracking.

peakpeak commented:
What's the nature of the spam? Is it the same subject line? You can sort on that too.

Sembee commented:
Message tracking isn't workstation specific.
It shows all email messages that go through the Exchange server. When configured correctly it will show the sender and the recipient.
However to get the best results from message tracking you need to use third party tools to process the logs. Message tracking will give you all the information that you need to see what is happening.

However...
If you can see spam being sent through Exchange it will not be a workstation that is infected. Spammers do not use another server on the network to send their messages through. Malware has its own SMTP engine and will be sending out email directly.
If you are seeing the messages in the queues, then the problem is with the server itself. Either the machine is an open relay, is being used for NDR spam or your administrator account has been compromised and is doing authenticated relaying.

Provide more information on the diagnostics you have done to see the spam and we should be able to pinpoint which it is.
You can also look at my spam cleanup article: http://www.amset.info/exchange/spam-cleanup.asp

Simon.

stogabill (author) commented:
OK, I've set up message tracking.  I can see the spam in the log.  They are all messages from a spoofed user.  

It's going out to blocks of 50 people.  We think it's only one machine because it just started yesterday morning.

How can I narrow this down?

Sembee commented:
I still doubt if it is a machine on your network. If you can see the spam in the message tracking logs then it is probably the server itself being attacked. If the Exchange server is being used to send spam then messages usually hang about in the queues, unless you are using a smart host.

I would check your relay settings to start with.

Simon.

tigermatt commented:
Just in addition to Sembee's post you can check whether the server is an open relay by using the following website: http://www.abuse.net/relay.html
You need to send an email to an address to register an account and get your password, then go back to the site and test your IP address/domain. Make sure you tick the box though if the email address you registered with is hosted on the server you're testing.

Sembee commented:
Be really careful with online lookup tools. Most of them are attached to online blacklists. I personally prefer to test manually using telnet.

Simon.
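The manual telnet test Sembee prefers over an online lookup is the SMTP dialogue below. This is an added example, not code posted by anyone in the thread: a Python client that replays the telnet session (HELO, MAIL FROM, RCPT TO for a recipient at a domain the server does not host, QUIT) and records both sides, paired with a scripted stand-in server so the two outcomes can be seen offline. The stand-in server, its hostname mail.example.com, the LOCAL_DOMAINS set and all addresses are constructed; the "550 5.7.1 Unable to relay" refusal is the text Exchange 2003 returns by default to an unauthenticated client for a non-local recipient. Against a real server, point relay_check at its address on port 25 from a host outside your network, because the internal subnet is often permitted to relay and a test from inside would pass regardless.

```python
import socket
import socketserver
import threading

# Domains the stand-in server considers local (constructed). A relay probe must
# use a recipient OUTSIDE these, otherwise a 250 only proves local delivery works.
LOCAL_DOMAINS = {"example.com"}


class _ScriptedSmtpHandler(socketserver.StreamRequestHandler):
    """Stand-in SMTP responder: accepts or refuses relay depending on server.allow_relay."""

    def handle(self):
        self.wfile.write(b"220 mail.example.com ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode("ascii", "replace").strip()
            verb = cmd.split(":", 1)[0].split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.wfile.write(b"250 mail.example.com Hello\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 2.1.0 Sender OK\r\n")
            elif verb == "RCPT":
                rcpt = cmd.partition(":")[2].strip().strip("<>")
                domain = rcpt.rpartition("@")[2].lower()
                if self.server.allow_relay or domain in LOCAL_DOMAINS:
                    self.wfile.write(b"250 2.1.5 Recipient OK\r\n")
                else:
                    # Refusal Exchange 2003 gives an unauthenticated client for a non-local recipient
                    self.wfile.write(("550 5.7.1 Unable to relay for %s\r\n" % rcpt).encode("ascii"))
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Service closing transmission channel\r\n")
                return
            else:
                self.wfile.write(b"500 5.5.1 Command unrecognized\r\n")


class ScriptedSmtpServer(socketserver.ThreadingTCPServer):
    """Listens on an ephemeral loopback port; allow_relay selects the open-relay dialogue."""
    daemon_threads = True
    allow_reuse_address = True

    def __init__(self, allow_relay):
        super().__init__(("127.0.0.1", 0), _ScriptedSmtpHandler)
        self.allow_relay = allow_relay


def relay_check(host, port, rcpt_to, mail_from="probe@example.net", helo="probe", timeout=10):
    """Replay the manual telnet test and record both sides of the dialogue.

    Returns (is_open_relay, transcript). HELO rather than EHLO keeps every reply
    to a single line, so the three-digit code can be read from each one.
    """
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")

        def expect():
            reply = reader.readline().decode("ascii", "replace").rstrip("\r\n")
            transcript.append("S: " + reply)
            return reply[:3]

        def send(cmd):
            transcript.append("C: " + cmd)
            sock.sendall((cmd + "\r\n").encode("ascii"))
            return expect()

        expect()                                   # 220 banner
        send("HELO " + helo)
        send("MAIL FROM:<%s>" % mail_from)
        code = send("RCPT TO:<%s>" % rcpt_to)      # the decisive reply
        send("QUIT")
        reader.close()
    return code == "250", transcript


def demo(allow_relay, rcpt_to="someone@example.org"):
    """Probe the stand-in server in one mode and return (is_open_relay, transcript)."""
    server = ScriptedSmtpServer(allow_relay)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return relay_check("127.0.0.1", server.server_address[1], rcpt_to)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for mode in (True, False):
        is_open, dialogue = demo(allow_relay=mode)
        print("\n".join(dialogue))
        print("OPEN RELAY" if is_open else "relay refused", "\n")
```

Read the reply to RCPT TO and nothing else: a 250 for a recipient you do not host means the server will relay for anyone, a 550 5.7.1 means relay is refused. A 250 for one of your own domains proves nothing about relaying, which is why the probe recipient must be external.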

stogabill (author) commented:
No open relay issues.  The log contains numerous entries similar to the following:
In the message tracking log:
The sender address shows up as notice@cscu.org
The Client-IP shows as 66.134.52.35

Any thoughts on a next step?

The log entry is below.

Date: 8/1/2007
Time: 16:4:30 GMT
client-ip: 66.134.52.35
Client-hostname: User
Partner-Name: -
Server-hostname: ACKBAR
server-IP: 192.168.0.13
Recipient-Address: stitch2day@verizon.net
Event-ID: 1020
MSGID: ACKBARum03yMJiQTyfP00000120@mail.remingtongroup.com
Priority: 1
Recipient-Report-Status: 0
total-bytes: 4379
Number-Recipients: 50
Origination-Time: 2007-7-31 11:30:47 GMT
Encryption: 0
service-Version: Version: 6.0.3790.3959
Linked-MSGID: -
Message-Subject: -
Sender-Address: notice@cscu.org
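peakpeak's suggestion (enable message tracking, then sort on sender, and on subject) and the log entry the author posted together describe an analysis that is easier to do with a script than by hand. The one below is an added example for this thread, not code from any participant: it parses the 20-column, tab-separated Exchange 2003 tracking-log layout given by the posted header, counts messages once per MSGID (transfer events are written once per recipient) by sender and by subject, maps each sender to the client-ips it was submitted from, and checks whether the busiest sender's client-ip is an RFC 1918 LAN address, which is the distinction Sembee draws between an infected workstation and the server itself being used. Every address, hostname and MSGID in SAMPLE_LOG is constructed; the Event-ID 1020 default is taken from the posted line. Note that Message-Subject is "-" in the posted entry: Exchange 2003 fills that column only when subject logging is enabled on the server, so sorting on subject needs that option on first.

```python
import ipaddress
from collections import Counter, defaultdict

# Column order of an Exchange 2003 message tracking log (tab-separated), taken
# from the header line the author posted.
COLUMNS = [
    "Date", "Time", "client-ip", "Client-hostname", "Partner-Name",
    "Server-hostname", "server-IP", "Recipient-Address", "Event-ID", "MSGID",
    "Priority", "Recipient-Report-Status", "total-bytes", "Number-Recipients",
    "Origination-Time", "Encryption", "service-Version", "Linked-MSGID",
    "Message-Subject", "Sender-Address",
]
# RFC 1918 only: ipaddress's is_private also covers documentation/test ranges,
# which is not the "did this come from a LAN workstation" question asked here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_tracking_log(text):
    """Return one dict per data row; '#' header/comment lines and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            continue  # truncated or malformed row: skip it rather than misalign columns
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def is_rfc1918(ip):
    """True if the client-ip is a private LAN address, False for public or unparseable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def summarize(rows, event_id="1020"):
    """Aggregate one Event-ID (default 1020, the event in the posted line) by
    sender, by subject and by client-ip per sender.

    Transfer events are logged once per recipient, so a message is counted once
    per MSGID and the recipient total is taken from Number-Recipients.
    """
    seen = set()
    by_sender, by_subject, recipients = Counter(), Counter(), Counter()
    clients = defaultdict(Counter)
    for r in rows:
        if r["Event-ID"] != event_id or r["MSGID"] in seen:
            continue
        seen.add(r["MSGID"])
        sender = r["Sender-Address"].lower()
        by_sender[sender] += 1
        by_subject[r["Message-Subject"]] += 1
        clients[sender][r["client-ip"]] += 1
        n = r["Number-Recipients"]
        recipients[sender] += int(n) if n.isdigit() else 0
    return {"messages": sum(by_sender.values()), "by_sender": by_sender,
            "by_subject": by_subject, "clients": clients, "recipients": recipients}


def top_offender(summary):
    """Busiest sender, its most frequent client-ip, and whether that IP is on the LAN.

    Returns (sender, messages, recipients, client_ip, client_is_lan) or None.
    """
    if not summary["by_sender"]:
        return None
    sender, count = summary["by_sender"].most_common(1)[0]
    client, _ = summary["clients"][sender].most_common(1)[0]
    return sender, count, summary["recipients"][sender], client, is_rfc1918(client)


def _row(date, time, client_ip, recipient, msgid, n_recipients, subject, sender):
    """Build one constructed row in the 20-column layout above (sample data only)."""
    return "\t".join([
        date, time, client_ip, "User", "-", "MAILSRV", "192.168.0.13", recipient,
        "1020", msgid, "1", "0", "4379", str(n_recipients), "2007-7-31 11:30:47 GMT",
        "0", "Version: 6.0.3790.3959", "-", subject, sender,
    ])


# Constructed sample: three ordinary messages from a LAN workstation, then four
# spoofed-sender messages to 50 recipients each, submitted from a public address.
SAMPLE_LOG = "\n".join(
    ["# " + "\t".join(COLUMNS)]
    + [_row("8/1/2007", "09:%02d:00 GMT" % i, "192.168.0.21", "partner%d@example.net" % i,
            "MAILSRV000%d@mail.example.com" % i, 1, "Re: invoice", "jsmith@example.com")
       for i in range(3)]
    + [_row("8/1/2007", "16:04:%02d GMT" % (10 * i + j), "203.0.113.77",
            "victim%d%d@example.net" % (i, j), "MAILSRVspam%d@mail.example.com" % i,
            50, "Account notice", "notice@example.org")
       for i in range(4) for j in range(2)]
)

if __name__ == "__main__":
    # For a real server, pass the contents of the day's tracking log file instead.
    report = top_offender(summarize(parse_tracking_log(SAMPLE_LOG)))
    print("sender=%s messages=%d recipients=%d client-ip=%s on_lan=%s" % report)
```

On a real server, read the day's file from the message tracking log folder (by default a subfolder of the Exchsrvr directory named after the server with a .log suffix) and pass its text to parse_tracking_log. If the top sender's client-ip is on the LAN you have a workstation to isolate; if it is a public address, the messages were submitted to the server from outside, which points at relay settings or a compromised account rather than an infected PC.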

tigermatt commented:
Simon - I've never had a problem with that service, in fact it's the one recommended by the GRC website.

Sembee commented:
The fact that Steve Gibson has recommended it doesn't really mean a great deal. I wouldn't trust anything that Steve Gibson writes...
I wasn't picking holes in that specific site, but some of the online test tools do have links to the blacklist operators. You have no idea what they are doing with the information, so from a point of view of not making things worse than they are, I don't recommend the use of online tools.

Simon.