  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 423

How do I view logs on exchange server

I have an Exchange server which sits behind a SonicWall TZ180 firewall. I have had some problems with being used as a spam relay and getting my IP blacklisted. I got control of the problem and then set myself up for outbound mail filtering through MessageLabs, which acts as a relay to the outside world.

Problem is, somehow my system got compromised again, and MessageLabs sent me a message about it and then shut down my outgoing SMTP mail.

I already checked my network for viruses. I use Symantec Endpoint Protection. There have been no infections. I suspect one of my users has a compromised account and someone has the username and password, and the account is allowing entry into our system. I need to know how to find the problem.

Please see the email from messagelabs below:

Full investigation needs to be performed towards your mail logs to investigate any and all other user accounts which are being abused via SMTP Authentication. Furthermore all of your mail server(s) and/or firewall should ONLY allow tcp port 25 connections (SMTP) from MessageLabs' IP space. The complete MessageLabs' Global IP ranges are located at http://imageserver.messagelabs.com/EmailResources/ImplementationGuides/Subnet_IP.pdf

Here are sample headers:

X-VirusChecked: Checked
X-Env-Sender: *.uk
X-Msg-Ref: server-*1234384048!34060013!1
X-StarScan-Version: 6.0.0; banners=.,-,-
X-Originating-IP: [*]
Received: (qmail 8745 invoked from network); 11 Feb 2009 20:27:30 -0000
Received: from exchange.epsteinplasticsurgery.com (HELO exchange.epsteinplasticsurgery.local) (*)
  by server*.com with SMTP; 11 Feb 2009 20:27:30 -0000
Received: from User ([*]) by exchange.*.local with Microsoft SMTPSVC(6.0.3790.3959);
         Wed, 11 Feb 2009 15:27:28 -0500
From: "*>
Subject: New Lloyds security measures - Read carefully!
Date: Wed, 11 Feb 2009 21.27.29 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_001F_01C2A9A6.0D8199B6"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: *.uk
Message-ID: <EXCHANGEr3mbfJ8VrRQ00000753@exchange.*.local>
X-OriginalArrivalTime: 11 Feb 2009 20:27:28.0590 (UTC) FILETIME=[2891FEE0:01C98C87]

X-VirusChecked: Checked
X-Env-Sender:*
X-Msg-Ref: server-*.com!1234385607!43342926!1
X-StarScan-Version: 6.0.0; banners=.,-,-
X-Originating-IP: [*]
Received: (qmail 29722 invoked from network); 11 Feb 2009 20:53:27 -0000
Received: from exchange.*.com (HELO exchange.*.local) (67.100.148.66)
  by serve*.com with SMTP; 11 Feb 2009 20:53:27 -0000
Received: from User ([80.117.129.54]) by exchange*.local with Microsoft SMTPSVC(6.0.3790.3959);
         Wed, 11 Feb 2009 15:53:26 -0500
From: *
Subject: New Lloyds security measures - Read carefully!
Date: Wed, 11 Feb 2009 21.53.28 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_011B_01C2A9A6.0CD85098"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: *
Message-ID: <EXCHANGEA5glyT5nfbI000007b3@exchange.*.local>
X-OriginalArrivalTime: 11 Feb 2009 20:53:26.0675 (UTC) FILETIME=[C942E630:01C98C8A]
0
Asked by M_Epstein

2 Solutions
 
jonhicksCommented:
You can turn on logging on your SMTP virtual server, and this will log to c:\windows\logfiles\smtpsvc or c:\windows\system32\logfiles\smtpsvc if you choose the default W3C logging.

You should restrict access to your smtp virtual server and also lock down access to it from the Internet by configuring a rule on your TZ180 - as requested by MessageLabs.
0
 
MesthaCommented:
The message came off your Exchange server, so it is not an infection on your network. The message was bounced off your server by an external host. That means you cannot have set up the restrictions on your SMTP ports or SMTP virtual server as MessageLabs normally request.

The usual compromise is authenticated relaying - the administrator account is used. Therefore if you haven't already then change the administrator password and restart the SMTP server service. Then lock down the server as asked for.

-M
0
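An added example, not code from the thread or from either answer, showing the log review both answers point at: it takes the "Received: from User ([80.117.129.54]) by exchange...with Microsoft SMTPSVC" hop from the headers in the question, pulls out the connecting client's address, and searches an SMTPSVC W3C log for the account that authenticated from it, which is the SMTP AUTH abuse MessageLabs asked the poster to look for. The log lines are constructed for the example; the field order is read from the "#Fields:" line, so a real log from c:\windows\system32\logfiles\smtpsvc with a different layout parses the same way. Two assumptions are labelled in the code: that cs-username carries the authenticated account once AUTH returns 235, and that ALLOWED_NETS (RFC 1918 plus a documentation prefix standing in for the MessageLabs subnets) gets replaced with the real ranges from the MessageLabs PDF.

```python
"""Correlate the 'Received: from User ([ip])' hop with SMTPSVC W3C logs.

Added example, not code from the thread. Assumptions: the W3C field layout
(read from the '#Fields:' line, so other layouts still parse), that
cs-username holds the authenticated account once AUTH returns 235, and the
placeholder ALLOWED_NETS, which must be replaced with the LAN ranges and
the real MessageLabs subnets.
"""
import ipaddress
import re
from collections import defaultdict

# The relevant hop from the headers in the question (server name made generic).
RECEIVED_HEADER = ("Received: from User ([80.117.129.54]) by exchange.example.local "
                   "with Microsoft SMTPSVC(6.0.3790.3959);")

# Constructed sample log in SMTPSVC W3C format: one authenticated relay session
# from the external host, one ordinary LAN client, one failed AUTH attempt.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-02-11 20:27:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2009-02-11 20:27:10 80.117.129.54 User SMTPSVC1 EXCHANGE 192.168.1.5 25 EHLO - +User 250 0 0 0 0 SMTP - - - -
2009-02-11 20:27:11 80.117.129.54 User SMTPSVC1 EXCHANGE 192.168.1.5 25 AUTH - +LOGIN 334 0 0 0 0 SMTP - - - -
2009-02-11 20:27:12 80.117.129.54 EXAMPLE\\administrator SMTPSVC1 EXCHANGE 192.168.1.5 25 AUTH - - 235 0 0 0 0 SMTP - - - -
2009-02-11 20:27:13 80.117.129.54 EXAMPLE\\administrator SMTPSVC1 EXCHANGE 192.168.1.5 25 MAIL - +FROM:<security@lloyds.example.uk> 250 0 0 0 0 SMTP - - - -
2009-02-11 20:27:14 80.117.129.54 EXAMPLE\\administrator SMTPSVC1 EXCHANGE 192.168.1.5 25 RCPT - +TO:<victim1@example.net> 250 0 0 0 0 SMTP - - - -
2009-02-11 20:27:14 80.117.129.54 EXAMPLE\\administrator SMTPSVC1 EXCHANGE 192.168.1.5 25 RCPT - +TO:<victim2@example.net> 250 0 0 0 0 SMTP - - - -
2009-02-11 20:27:15 80.117.129.54 EXAMPLE\\administrator SMTPSVC1 EXCHANGE 192.168.1.5 25 DATA - - 250 0 0 0 0 SMTP - - - -
2009-02-11 20:30:01 192.168.1.20 OUTLOOK-PC SMTPSVC1 EXCHANGE 192.168.1.5 25 MAIL - +FROM:<jane@example.com> 250 0 0 0 0 SMTP - - - -
2009-02-11 20:30:02 192.168.1.20 OUTLOOK-PC SMTPSVC1 EXCHANGE 192.168.1.5 25 RCPT - +TO:<bob@example.com> 250 0 0 0 0 SMTP - - - -
2009-02-11 20:31:00 203.0.113.9 relay SMTPSVC1 EXCHANGE 192.168.1.5 25 AUTH - +LOGIN 334 0 0 0 0 SMTP - - - -
2009-02-11 20:31:01 203.0.113.9 relay SMTPSVC1 EXCHANGE 192.168.1.5 25 AUTH - - 535 0 0 0 0 SMTP - - - -
"""

# Placeholder allow-list (assumption): RFC 1918 for the LAN plus a documentation
# prefix standing in for the MessageLabs subnets listed in their PDF.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the '#Fields:' line.
    W3C logs encode spaces inside a value as '+', so whitespace splitting is safe."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("log record appears before a #Fields: header")
            yield dict(zip(fields, line.split()))


def client_ip_from_received(header):
    """Return the connecting client's address from an SMTPSVC Received: line,
    which writes it as 'from <helo-name> ([<ip>]) by <server>'; None if absent."""
    m = re.search(r"\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)", header)
    return m.group(1) if m else None


def is_allowed(ip):
    """True if the address (string) lies inside one of ALLOWED_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def audit(log_text):
    """Per client IP: accounts that authenticated, AUTH success and failure
    counts, and accepted MAIL and RCPT commands."""
    summary = defaultdict(lambda: {"users": set(), "auth_ok": 0,
                                   "auth_fail": 0, "mail": 0, "rcpt": 0})
    for rec in parse_w3c(log_text):
        entry = summary[rec["c-ip"]]
        verb, status = rec["cs-method"].upper(), rec["sc-status"]
        if verb == "AUTH" and status == "235":   # assumption: cs-username is the account now
            entry["auth_ok"] += 1
            entry["users"].add(rec["cs-username"])
        elif verb == "AUTH" and status == "535":
            entry["auth_fail"] += 1
        elif verb == "MAIL" and status == "250":
            entry["mail"] += 1
        elif verb == "RCPT" and status == "250":
            entry["rcpt"] += 1
    return summary


def abused_accounts(log_text):
    """Accounts that authenticated from outside ALLOWED_NETS, i.e. the
    authenticated relaying described in the answers. Maps account -> set of IPs."""
    abused = {}
    for ip, entry in audit(log_text).items():
        if entry["auth_ok"] and not is_allowed(ip):
            for user in entry["users"]:
                abused.setdefault(user, set()).add(ip)
    return abused


if __name__ == "__main__":
    ip = client_ip_from_received(RECEIVED_HEADER)
    entry = audit(SAMPLE_LOG)[ip]
    print(f"{ip}: users={sorted(entry['users'])} rcpt={entry['rcpt']} allowed={is_allowed(ip)}")
    for user, ips in abused_accounts(SAMPLE_LOG).items():
        print(f"reset password for {user}: authenticated from {sorted(ips)}")
```

Run against the real logs, any account that abused_accounts() returns is one whose password needs changing (as Mestha says, usually administrator), and every IP it reports is one the TZ180 rule should already have kept off port 25; if the source addresses all sit inside the MessageLabs ranges, the problem is a compromised credential rather than a missing firewall rule.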
 
M_EpsteinAuthor Commented:
Both good suggestions, thank you.

0
