stogabill
asked on
How do I monitor email traffic in Exchange to identify an unusually high traffic user?
I have a virus on our network that has infected a machine using Outlook (with Exchange). The virus is sending out spam through Exchange. How can I monitor the number of messages going out each hour per user in Exchange so that I can isolate the offending machine?
The sender might be forged but this is a start
Just to point out, using message tracking will only work if users generally use the same workstation. If many users use the infected machine then you will have trouble tracking it with message tracking.
What's the nature of the spam? Is it the same subject line? You can sort on that too.
ASKER
OK, I've set up message tracking. I can see the spam in the log. They are all messages from a spoofed user.
It's going out to blocks of 50 people. We think it's only one machine because it just started yesterday morning.
How can I narrow this down?
I still doubt if it is a machine on your network. If you can see the spam in the message tracking logs then it is probably the server itself being attacked. If the Exchange server is being used to send spam then messages usually hang about in the queues, unless you are using a smart host.
I would check your relay settings to start with.
Simon.
Just in addition to Sembee's post you can check whether the server is an open relay by using the following website: http://www.abuse.net/relay.html
You need to send an email to an address to register an account and get your password, then go back to the site and test your IP address/domain. Make sure you tick the box though if the email address you registered with is hosted on the server you're testing.
Be really careful with online lookup tools. Most of them are attached to online blacklists. I personally prefer to test manually using telnet.
Simon.
ASKER
No open relay issues. The log contains numerous entries similar to the following:
In the message tracking log:
The sender address shows up as notice@cscu.org
The Client-IP shows as 66.134.52.35
Any thoughts on a next step?
The log entry is below.
# Date Time client-ip Client-hostname Partner-Name Server-hostname server-IP Recipient-Address Event-ID MSGID Priority Recipient-Report-Status total-bytes Number-Recipients Origination-Time Encryption service-Version Linked-MSGID Message-Subject Sender-Address
8/1/2007 16:4:30 GMT 66.134.52.35 User - ACKBAR 192.168.0.13 stitch2day@verizon.net 1020 ACKBARum03yMJiQTyfP00000120@mail.remingtongroup.com 1 0 4379 50 2007-7-31 11:30:47 GMT 0 Version: 6.0.3790.3959 - - notice@cscu.org
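To turn the tracking log into the per-hour, per-sender count the question asks for, here is an added Python example (not from the thread) that parses lines in the header layout posted above and sums Number-Recipients per hour for each client-ip and sender. The records, host names, addresses and IPs in it are constructed, and the Event-ID filter simply reuses the value seen in the posted entry.

```python
from collections import Counter
# Constructed records in the layout of the Exchange 2003 message tracking log
# header posted above (tab-separated, 20 fields). Hosts, addresses and IPs are
# made up for this example; only the header field names come from the thread.
HEADER = ("# Date\tTime\tclient-ip\tClient-hostname\tPartner-Name\tServer-hostname"
          "\tserver-IP\tRecipient-Address\tEvent-ID\tMSGID\tPriority"
          "\tRecipient-Report-Status\ttotal-bytes\tNumber-Recipients\tOrigination-Time"
          "\tEncryption\tservice-Version\tLinked-MSGID\tMessage-Subject\tSender-Address")

def record(date, time, client_ip, recipients, sender, event_id="1020"):
    """Build one constructed log line in the header's field order."""
    return "\t".join([date, time, client_ip, "User", "-", "MAILSRV", "192.0.2.10",
                      "someone@example.net", event_id, "MSGID@example.internal", "1",
                      "0", "4379", recipients, "2007-7-31 11:30:47 GMT", "0",
                      "Version: 6.0.3790.3959", "-", "-", sender])

SAMPLE_LOG = "\n".join([
    HEADER,
    record("8/1/2007", "16:4:30 GMT", "192.0.2.55", "50", "notice@example.org"),
    record("8/1/2007", "16:12:01 GMT", "192.0.2.55", "50", "notice@example.org"),
    record("8/1/2007", "16:40:19 GMT", "192.0.2.55", "50", "notice@example.org"),
    record("8/1/2007", "16:45:00 GMT", "192.0.2.21", "1", "alice@example.com"),
    record("8/1/2007", "17:02:10 GMT", "192.0.2.55", "50", "notice@example.org"),
])

def parse_tracking_log(text):
    """Yield one dict per record, keyed by the names in the '#' header line."""
    lines = text.splitlines()
    fields = lines[0].lstrip("# ").split("\t")
    for line in lines[1:]:
        row = line.split("\t")
        if len(row) == len(fields):        # skip truncated or malformed lines
            yield dict(zip(fields, row))

def recipients_per_hour(text, event_id="1020"):
    """Sum Number-Recipients per (date, hour, client-ip, sender) for one Event-ID.
    Counting recipients, not lines, is what exposes 50-recipient batches."""
    totals = Counter()
    for rec in parse_tracking_log(text):
        if rec["Event-ID"] != event_id:
            continue
        hour = rec["Time"].split(":")[0]   # "16:4:30 GMT" -> "16"
        key = (rec["Date"], hour, rec["client-ip"], rec["Sender-Address"])
        totals[key] += int(rec["Number-Recipients"])
    return totals

def flag_heavy_senders(text, threshold=100):
    """Rows (date, hour, client-ip, sender, recipients) above the threshold, busiest first."""
    rows = [k + (v,) for k, v in recipients_per_hour(text).items() if v > threshold]
    return sorted(rows, key=lambda r: -r[4])
```

Point it at a real .log file by reading the file into `text`; the client-ip column of any flagged row is the workstation (or relay) to look at next, since the Sender-Address can be spoofed.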
Simon - I've never had a problem with that service, in fact it's the one recommended by the GRC website.
The fact that Steve Gibson has recommended it doesn't really mean a great deal. I wouldn't trust anything that Steve Gibson writes...
I wasn't picking holes in that specific site, but some of the online test tools do have links to the blacklist operators. You have no idea what they are doing with the information, so from a point of view of not making things worse than they are, I don't recommend the use of online tools.
Simon.
http://www.msexchange.org/tutorials/Exchange-2003-Message-Tracking-Logging.html