Solved

track email sender in exchange

Posted on 2008-10-08
21
905 Views
Last Modified: 2013-12-17
Our external IP is blocked due to infected user. I thought it was fixed, but I was wrong. How do I use exchange (or anything else) to find out what computer is infected? Shouldn't I see a sender with a high volume of outgoing emails? I'm at a total loss here....

I am running Server 2003 SP2 and Exchange 2003. Obviously, with all outgoing email shut down, this is a huge problem. Thanks for any help!

Darren
Question by:PurpleWine
21 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22669622
First thing you should do is scan all your computers for viruses or adware/spyware... then you need to get yourself off all the blacklists.
0
 
LVL 3

Author Comment

by:PurpleWine
ID: 22669655
Yeah, I thought I had done that yesterday, but I'm blacklisted again this morning. We have sales people that plug in with laptops, so it could be someone not even here now. That's why I need to find a way to look at what is going out causing us to get blacklisted... I can't find the machine with the problem....
0
 
LVL 20

Expert Comment

by:wolfcamel
ID: 22669659
The outgoing queue on Exchange should show all the messages queued to go out.
The from address is probably spoofed, but you may be able to see better.
Check also that you aren't an open relay - an external user could be using your server to send.
There are numerous web sites you can go to that will check your IP.

Also - most spyware/viruses send using SMTP - with Exchange there is typically very little reason to allow SMTP listening internally (unless you have a device like a scanner or copier that sends via SMTP).
0
 
LVL 3

Author Comment

by:PurpleWine
ID: 22669945
So there's no way in Exchange to find the internal IP or the account name that messages are coming from?

All I see are messages in the queue with no useful info attached.
0
 
LVL 20

Expert Comment

by:wolfcamel
ID: 22670022
If you double-click on the queue and then go to Find, you will get more info.
The messages can also be found in one of the queue folders and you can often open them with Outlook Express - I would recommend opening with Notepad, as if they do contain a virus you don't want to open them properly.
Then you can browse the message for a little more header info.
0
 
LVL 3

Author Comment

by:PurpleWine
ID: 22670095
I just don't see that. (I'm not knowledgeable with Exchange.) This is where I am working....
exchange.jpg
0
 
LVL 20

Expert Comment

by:wolfcamel
ID: 22670192
Postmaster messages are often replies to spam received for users that don't exist - you can turn off non-delivery reports, however then if a legitimate message comes in for a user with a simple typo in the name, the sender will think it was received.
The real solution is a proper antispam product such as Symantec Mail Security.
But back to your problem, if we assume there are still messages coming from internally.

Find the folder, typically c:\program files\exchsrvr\mailroot\vsi 1\queue, and open up a few of the files in Notepad and look for some clues.
0
 
LVL 16

Accepted Solution

by:
robrandon earned 500 total points
ID: 22670219
Download LogParser from Microsoft:
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

Copy your most current transaction log to the Log Parser folder and run this command:

logparser -q -i:w3c "select Client-IP, count(*) from 20080713.log GROUP BY Client-IP ORDER BY count(*) desc" > output.txt


Open the output.txt file. It will show the IP addresses of the computers that have sent emails through your mail server, sorted by the 2nd column, which shows how many entries appear in the transaction log.

Find the computer with that IP.

0
 
LVL 1

Expert Comment

by:Valkryii
ID: 22670565
Another suggestion could be to block outgoing traffic on port 25 on your firewall, except from your Exchange server. This should block any infected PC attempting to send out from inside. You can also check the firewall log for any internal PC being blocked on port 25, which should help narrow things down. Keep in mind that if some clients don't use Exchange for e-mail and are POPping their mail, this will stop their outbound e-mail flow. That would give you a starting point at least. Hope this helps.
0
 
LVL 3

Author Comment

by:PurpleWine
ID: 22670764
First, thanks for everyone's help!

Rob, that is exactly what I'm looking for. Now the horrible question... (as I mentioned I'm not an exchange person at all)  

Where is the transaction I'm looking for?

Thanks!

Darren
0
 
LVL 16

Expert Comment

by:robrandon
ID: 22670784
Go into the Exchange System Manager program and drill down to your Exchange Server.  Right click it and choose Properties.

The log file directory is listed on the General tab.

If Message Tracking is not enabled (see the checkboxes) you won't have any logs.  :(

0
 
LVL 3

Author Closing Comment

by:PurpleWine
ID: 31504260
Was not enabled, but that's ok. I enabled it and pointed it where I want it. So I can watch from here. Good thing to get going anyway. Thanks for the help guys!
0
 
LVL 3

Author Comment

by:PurpleWine
ID: 22670984
So... these are all outside IPs....

What is the one at the top with no IP?
It has over 700 in just a few minutes...
log.jpg
0
 
LVL 16

Expert Comment

by:robrandon
ID: 22671350
Hmmm, try this:

logparser -q -i:w3c "SELECT * from 20080713.log WHERE Client-IP IS NULL" > output.txt

Does that return any rows or is it empty?



0
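A worked version of the two LogParser steps above, added here as an example and not part of the thread: it reproduces the accepted answer's `GROUP BY Client-IP ORDER BY count(*) DESC` ranking and the `WHERE Client-IP IS NULL` follow-up in Python, and additionally flags internal (RFC 1918) hosts that submit many messages under several different From: addresses, which is what a spoofing bot on a sales laptop looks like. The log text is constructed to mimic the tab-separated W3C layout with a `#Fields:` header; every column name except client-ip, the event IDs and all addresses are assumptions, not copied from a real Exchange 2003 tracking log.

```python
"""Added example (not from the thread): rank sending hosts in an Exchange 2003
message tracking log like the accepted answer's LogParser query, isolate the
rows with no client IP, and flag internal hosts spoofing several senders.
SAMPLE_LOG is CONSTRUCTED; column names other than client-ip are assumed."""
import ipaddress
import sys
from collections import Counter, defaultdict

# RFC 1918 ranges: what "internal" means on a typical office LAN (assumption).
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_FIELDS = "Date Time client-ip Client-hostname Recipient-Address Event-ID Sender-Address"
_ROWS = [  # constructed sample rows, not a real log; '-' is how W3C logs write NULL
    ("2008-10-08", "08:00:01", "192.168.1.57", "SALESLAPTOP", "victim1@example.net", "1019", "bob@ourdomain.com"),
    ("2008-10-08", "08:00:02", "192.168.1.57", "SALESLAPTOP", "victim2@example.org", "1019", "bob@ourdomain.com"),
    ("2008-10-08", "08:00:02", "192.168.1.57", "SALESLAPTOP", "victim3@example.net", "1019", "alice@ourdomain.com"),
    ("2008-10-08", "08:00:03", "192.168.1.57", "SALESLAPTOP", "victim4@example.com", "1019", "bob@ourdomain.com"),
    ("2008-10-08", "08:00:03", "192.168.1.57", "SALESLAPTOP", "victim5@example.net", "1019", "carol@somewhere.example"),
    ("2008-10-08", "08:01:10", "203.0.113.9", "mail.example.net", "bob@ourdomain.com", "1019", "friend@example.net"),
    ("2008-10-08", "08:01:11", "203.0.113.9", "mail.example.net", "nosuchuser@ourdomain.com", "1019", "spammer@example.net"),
    ("2008-10-08", "08:01:12", "-", "-", "spammer@example.net", "1019", "postmaster@ourdomain.com"),
    ("2008-10-08", "08:01:30", "198.51.100.4", "mx.example.org", "alice@ourdomain.com", "1019", "partner@example.org"),
    ("2008-10-08", "08:02:00", "-", "-", "spammer2@example.org", "1019", "postmaster@ourdomain.com"),
    ("2008-10-08", "08:02:05", "-", "-", "spammer3@example.com", "1019", "postmaster@ourdomain.com"),
    ("2008-10-08", "08:02:40", "192.168.1.10", "EXCH01", "alice@ourdomain.com", "1023", "bob@ourdomain.com"),
]
SAMPLE_LOG = ("#Software: Microsoft Exchange Server\n#Fields: " + _FIELDS + "\n"
              + "\n".join("\t".join(r) for r in _ROWS) + "\n")


def parse_tracking_log(text):
    """Parse a W3C-style log: '#Fields:' names the columns, '-' or empty means NULL."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.lower() for f in line[len("#Fields:"):].split()]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split("\t")
            rows.append({k: (None if v in ("", "-") else v) for k, v in zip(fields, values)})
    return rows


def is_internal(ip):
    """True for RFC 1918 addresses only (ipaddress.is_private would also match TEST-NET ranges)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in _INTERNAL_NETS)


def rank_client_ips(rows):
    """Same as: SELECT Client-IP, count(*) ... GROUP BY Client-IP ORDER BY count(*) DESC."""
    counts = Counter(r.get("client-ip") for r in rows)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0] or ""))


def rows_without_client_ip(rows):
    """Same as: SELECT * ... WHERE Client-IP IS NULL (LogParser reads '-' as NULL)."""
    return [r for r in rows if r.get("client-ip") is None]


def suspect_internal_senders(rows, min_messages=3, exclude=()):
    """Internal hosts submitting at least min_messages, with the From: addresses they used.
    Pass the Exchange server's own IP in `exclude` so local deliveries don't show up."""
    per_ip = defaultdict(lambda: {"messages": 0, "senders": set(), "hostname": None})
    for r in rows:
        ip = r.get("client-ip")
        if ip is None or ip in exclude or not is_internal(ip):
            continue
        entry = per_ip[ip]
        entry["messages"] += 1
        entry["hostname"] = r.get("client-hostname")
        if r.get("sender-address"):
            entry["senders"].add(r["sender-address"])
    result = {}
    for ip, e in sorted(per_ip.items(), key=lambda kv: -kv[1]["messages"]):
        if e["messages"] >= min_messages:
            result[ip] = {"messages": e["messages"], "hostname": e["hostname"], "senders": sorted(e["senders"])}
    return result


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    rows = parse_tracking_log(text)
    for ip, n in rank_client_ips(rows):
        print(f"{n:6d}  {ip or '(no client IP)':<18} {'internal' if ip and is_internal(ip) else ''}")
    for ip, info in suspect_internal_senders(rows).items():
        print(f"SUSPECT {ip} ({info['hostname']}): {info['messages']} msgs as {', '.join(info['senders'])}")
    print(f"{len(rows_without_client_ip(rows))} rows with no client IP")
```

Run it as `python track_senders.py 20081008.log` against a real tracking log, or with no argument to see it work on the constructed sample. The ranking alone would put external mail servers and the no-IP rows at the top, as the asker saw; the `suspect_internal_senders` view is the one that answers the original question, because it keeps only LAN addresses and shows when one workstation is submitting mail as several different users.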
 
LVL 16

Expert Comment

by:robrandon
ID: 22671370
You've confirmed you aren't an open relay, right?
http://www.amset.info/exchange/smtp-openrelay.asp

0
 
LVL 3

Author Comment

by:PurpleWine
ID: 22671864
Ok:

Client-IP IS Null  

gave me a ton of crazy info. Looks actually good, too much personal user info to post here. Lots of postmaster@ourdomain.com    that looks bad...

As to the open relay, when I run   open our.external.IP 25    it says can't connect to server. I'm running that ON the server... Not sure where to go from there.

Though with those postmaster emails I'm kinda thinking we must be open?
0
 
LVL 16

Expert Comment

by:robrandon
ID: 22671950
You may have to try that from a computer connected to the outside of your network.

Otherwise, just use the internal IP of the mail server.
0
 
LVL 3

Author Comment

by:PurpleWine
ID: 22671997
We are relay secure :)
0
 
LVL 3

Author Comment

by:PurpleWine
ID: 22672058
Though with this logparser, I've found some interesting things. Which brings up another question.... Can I block IPs in Exchange? Or should that be done through the PIX? I've got some Russian site sending a BUNCH...

Hey, and thanks for all your help. I (we) really appreciate it!

Darren
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 22672079
Why not do a simple test:

telnet Exchange.MyDomain.com 25
Ehlo
Mail From: Administrator@mydomain.com
Rcpt to: Administrator@yahoo.com
Data
Test Email
.
Quit

If you complete all these steps - rest assured your box is open for relay.

If you find a message "Unable to relay" right after you hit enter after
"Rcpt to: Administrator@yahoo.com"

That is a good sign.
0
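The manual telnet test above, automated as an added example that is not part of the thread: `probe_rcpt` speaks the same EHLO / MAIL FROM / RCPT TO sequence with Python's smtplib and returns the server's reply to RCPT TO, then RSETs and QUITs so it never reaches DATA and never actually sends a message. `MockSmtpServer` is a constructed stand-in (not Exchange) that answers "550 5.7.1 Unable to relay" for foreign recipients unless started with `open_relay=True`, so the check can be exercised offline against both outcomes. `LOCAL_DOMAIN`, the hostnames and the addresses are assumptions taken from the comment.

```python
"""Added example (not from the thread): automate the telnet open-relay test.
probe_rcpt() runs EHLO / MAIL FROM / RCPT TO and stops before DATA.
MockSmtpServer is a CONSTRUCTED responder for offline demonstration only."""
import smtplib
import socket
import sys
import threading

LOCAL_DOMAIN = "mydomain.com"  # assumed: the only domain the server should accept mail for


def probe_rcpt(host, port, mail_from, rcpt_to, timeout=10):
    """EHLO, MAIL FROM, RCPT TO; return (code, text) of the RCPT TO reply, then RSET and QUIT."""
    with smtplib.SMTP(host, port, local_hostname="relayprobe", timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(mail_from)
        if code != 250:
            raise RuntimeError(f"MAIL FROM rejected: {code} {msg.decode(errors='replace')}")
        code, msg = smtp.rcpt(rcpt_to)  # restricted Exchange 2003: 550 5.7.1 Unable to relay
        smtp.rset()                     # abandon the transaction; never send DATA
    return code, msg.decode(errors="replace")


def is_open_relay(host, port, mail_from, external_rcpt, timeout=10):
    """True if the server accepts (2xx) a recipient outside the domains it is responsible for."""
    code, _ = probe_rcpt(host, port, mail_from, external_rcpt, timeout)
    return 200 <= code < 300


class MockSmtpServer:
    """Tiny SMTP responder on 127.0.0.1 for offline testing. Accepts RCPT TO only for
    LOCAL_DOMAIN unless open_relay=True. Serves clients one at a time in a daemon thread."""

    def __init__(self, open_relay=False):
        self.open_relay = open_relay
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve_forever, daemon=True).start()

    def _serve_forever(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:  # listening socket closed by close()
                return
            with conn:
                self._handle(conn)

    def _handle(self, conn):
        def reply(text):
            conn.sendall((text + "\r\n").encode())
        reply("220 mock.local ESMTP")
        rfile = conn.makefile("rb")
        for raw in rfile:
            line = raw.decode(errors="replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                reply("250 mock.local Hello")
            elif verb == "MAIL":
                reply("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                addr = line.split(":", 1)[1].strip().strip("<>").lower()
                if self.open_relay or addr.endswith("@" + LOCAL_DOMAIN):
                    reply("250 2.1.5 Recipient OK")
                else:
                    reply("550 5.7.1 Unable to relay")  # the "good sign" from the comment
            elif verb == "QUIT":
                reply("221 2.0.0 Bye")
                break
            else:  # RSET, NOOP and anything else we don't care about
                reply("250 2.0.0 OK")
        rfile.close()

    def close(self):
        self.sock.close()


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python relaycheck.py mail.example.com 25
        host, port = sys.argv[1], int(sys.argv[2])
    else:                   # no arguments: offline demo against the mock
        host, port = "127.0.0.1", MockSmtpServer(open_relay=False).port
    code, text = probe_rcpt(host, port, "Administrator@" + LOCAL_DOMAIN, "Administrator@yahoo.com")
    print(f"RCPT TO reply: {code} {text}")
    print("OPEN RELAY" if 200 <= code < 300 else "relay refused (good sign)")
```

As the thread notes, run it from a host outside your network against the external IP, since the firewall may not loop back; from inside, point it at the server's internal IP. A 2xx to RCPT TO for an outside address is the only result that means "open relay"; a 2xx for your own domain is just normal inbound mail acceptance.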
 
LVL 3

Author Comment

by:PurpleWine
ID: 22672122
Sorry, that's what I meant by my message above.  "we are relay secure"

we are not an open relay. After switching to our internal IP I did get the 'unable to relay' after the Rcpt to:  test.


So we are good on this part.

I was just wondering if I can block IPs in Exchange based on the report I see in logparser.
0