Solved

Nigerian Scam "FBI Director Robert S. Mueller",...how to find infected Client?

Posted on 2010-11-10
Last Modified: 2012-05-10
I have a client that gets their Exchange Servers bombed with the scam email mentioned in the subject. The Exchange server that gets hit first with it is their second one, which does not receive directly from the Internet, while their first Exchange, which actually sends/receives directly with the Internet, only gets the scam mail as it is being forwarded down to it from the second Exchange.

So it would appear that the scam mail is being generated internally by an infected client and passed directly to the second Exchange over MAPI (Outlook). The source email address is of course fake, so that does not help locate the client. It does not go into the user's Sent Items, so we cannot find it by looking for a user's "packet out" mailbox. The Exchange Message Tracking features have not been helpful. We have run server AV and malware scans (Symantec and Malwarebytes) and have come up empty-handed.

Does anyone have any ideas how we can pin down the source and get it cleaned up? My next step is to try Wireshark and try to find the offending traffic buried in an endless packet capture, to find the source IP that will point to the infected machine.

Thanks guys!
Question by:pwindell
21 Comments
 
Expert Comment by JBond2010 (ID: 34104552)

You could open the ports on your router/firewall for the LAN and you will be able to see which PC is causing the problem by the IP address.
 
Accepted Solution by zgiuffria (earned 500 total points; ID: 34104553)
 
Author Comment by pwindell (ID: 34104622)

Opening ports:
There is no firewall between the client and the Exchange. This is not coming from the Internet... it is coming from an infected client inside the LAN trying to send to the Internet. Most of the clients are on the same subnet as the Exchange they are using... it is a "direct shot".

Wireshark:
Already have it. Was looking for a better solution... like maybe an ability within Exchange itself to tell us what Exchange (Outlook) client it is coming from.

 
Expert Comment by zgiuffria (ID: 34104645)

Better than Wireshark? That will be a hard one.
 
Expert Comment by JBond2010 (ID: 34104654)

I'm saying you can check the ports on the LAN through your router/firewall and you will be able to see which IP address is causing the most traffic.
 
Expert Comment by zgiuffria (ID: 34104660)

Have you used netstat on the server to see who has the most connections?
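The netstat check suggested above, as an added example that is not part of the thread: a small Python script that parses the output of Windows `netstat -n` (pasted in from the Exchange server, or saved with `netstat -n > netstat.txt`) and ranks remote hosts by the connections they hold open to the server. The sample output, the server address 10.0.0.5 and the dynamic RPC port 1026 are constructed for the example.

```python
"""Rank hosts by the number of TCP connections they hold open to the mail server.

Added example for the netstat suggestion in the thread; not code from the thread.
It parses the output of Windows `netstat -n` (a constructed sample is embedded
below, with 10.0.0.5 standing in for the Exchange server) and counts ESTABLISHED
connections per remote address, optionally limited to chosen local ports.
"""
import re
from collections import Counter

# Constructed `netstat -n` output. Port 135 is the RPC endpoint mapper that MAPI
# clients hit first; 1026 stands in for the dynamic RPC port the store answers on.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:135           10.0.0.23:49211        ESTABLISHED
  TCP    10.0.0.5:1026          10.0.0.23:49212        ESTABLISHED
  TCP    10.0.0.5:1026          10.0.0.23:49215        ESTABLISHED
  TCP    10.0.0.5:1026          10.0.0.23:49218        ESTABLISHED
  TCP    10.0.0.5:135           10.0.0.41:50001        ESTABLISHED
  TCP    10.0.0.5:1026          10.0.0.41:50002        ESTABLISHED
  TCP    10.0.0.5:25            10.0.0.23:49300        TIME_WAIT
  TCP    10.0.0.5:445           10.0.0.9:51000         ESTABLISHED
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
"""

# One TCP line: local ip:port, foreign ip:port, state (IPv4 only).
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)"
)


def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for every TCP line in the output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group("lport")), m.group("rip"), m.group("state")


def rank_clients(text, local_ports=None, state="ESTABLISHED"):
    """Connections per remote IP in the given state, busiest host first.

    local_ports=None counts every local port, which is what you want for MAPI
    because the store's RPC port is dynamic; pass {25} to look at SMTP only.
    """
    counts = Counter()
    for lport, rip, st in parse_netstat(text):
        if st != state:
            continue
        if local_ports is not None and lport not in local_ports:
            continue
        counts[rip] += 1
    return counts.most_common()


if __name__ == "__main__":
    for ip, n in rank_clients(SAMPLE_NETSTAT):
        print(f"{ip:<16} {n} established connections")
```

A host at the top of this list is a lead, not a verdict: Outlook normally keeps several RPC connections open, so compare against a quiet-period baseline and take the sample while the burst is actually happening (the morning window mentioned later in the thread).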
 
Expert Comment by zgiuffria (ID: 34104674)

The problem is... the clients may not be using your Exchange server to send the mail. They may be sending through an external zombie mail server. I had a client once that was sending through 150 different controlled email servers.
 
Author Comment by pwindell (ID: 34104696)

I mean better as in "not a packet capture"; that is, I'm looking for a better "method", not "product"... better as in the ability of Exchange itself (not the machine, but probably the Exchange Server software itself) to simply show somewhere the IP, or machine name, or username... of where the message was submitted from. Surely there has to be a way somehow.
But Wireshark has been installed on the Exchange machine in the event there is no other better method.
 
Author Comment by pwindell (ID: 34104742)

zgiuffria: The problem is... the clients may not be using your Exchange server to send the mail. They may be sending through an external zombie mail server. I had a client once that was sending through 150 different controlled email servers.

No, they are not. I know this because the first Exchange server they queue up on is the Exchange that cannot possibly send or receive anything, in either direction, with the Internet. The only thing this Exchange can communicate with is the clients and the bridgehead Exchange. The bridgehead Exchange does not get these messages in the queues at all until the aforementioned Exchange queues them up first and then passes them to the bridgehead Exchange in an attempt to send them outbound.
 
Assisted Solution by FDiskWizard (earned 1000 total points; ID: 34104824)

Enable message tracking (on server properties in ESM); then you can track emails.
Then you can try message tracking under Tools.

Also, in ESM under the Diagnostics tab, enable logging for SMTP. Oh, wait, I think you have to enable SMTP logging on the IIS/SMTP properties MMC.
Exchange will log in event logs. IIS/SMTP will log in Windows\system32\Logfiles\SMTP....

Hunt them down and squash them :)

If they are sending to Exchange via direct SMTP, the SMTP logs should point it out...
If sending through MAPI, the message tracking should show it...

But you also said they get queued up... if you click on the queue, and Find... what do the message properties show?
 
Expert Comment by rr1968 (ID: 34104861)

On the first server (internal server) check the SMTP relay list.
If it is enabled, remove all the entries after noting the IP addresses of the allow list.
If this stops the mail flow, then one of the IP addresses was the problem. (You can add them back one at a time to identify the culprit.)
If not, review the SMTP log on the first server and look at the header for source name/address. This will point you in the right direction.
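The two log sources named in the last two comments (the Exchange 2003 message tracking log and the IIS SMTP service log) can be searched for the submitting host programmatically. The Python below is an added example, not code from the thread; it assumes the Exchange 2003 tracking-log layout (tab-separated, field names on a header line beginning `# Date`) and the W3C extended layout of the IIS SMTP log (`#Fields:` header), and every log line, host name, IP address and message ID in it is constructed for the example.

```python
"""Pull the submitting host out of the Exchange 2003 message tracking log and
the IIS SMTP service log.

Added example, not code from the thread. Assumptions: the tracking log is
tab-separated with a header line beginning "# Date" that names the fields
(client-ip, Client-hostname, Event-ID, MSGID, Message-Subject, ...), and the
SMTP log is W3C extended format with a "#Fields:" header. Both excerpts below
are constructed; no real hosts, addresses or message IDs.
"""
from collections import Counter

SCAM_SUBJECT = "FROM FBI DIRECTOR ROBERT S. MUELLER"
TRACKING_FIELDS = ("Date Time client-ip Client-hostname Partner-Name Server-hostname "
                   "server-IP Recipient-Address Event-ID MSGID Priority "
                   "Recipient-Report-Status total-bytes Number-Recipients "
                   "Origination-Time Encryption service-Version Linked-MSGID "
                   "Message-Subject Sender-Address").split()


def _track(time, ip, host, rcpt, event, msgid, subject, sender):
    """Build one 20-field tracking record; fields the example does not use get
    plausible constants (constructed data)."""
    return "\t".join(["2010-11-10", time, ip, host, "-", "EXCH2", "10.0.0.5", rcpt,
                      event, msgid, "0", "0", "2140", "1", "2010-11-10 " + time,
                      "0", "Version: 6.0.3790.0", "-", subject, sender])


# Constructed tracking log: two scam messages first seen from 10.0.0.23 (WS23), a
# later event for one of them where client-ip is the server itself, and an
# unrelated message from WS41.
TRACKING_LOG = "\n".join([
    "# Message Tracking Log File",
    "# Exchange System Attendant Version 6.5.7638.1",
    "# " + "\t".join(TRACKING_FIELDS),
    _track("13:00:05 GMT", "10.0.0.23", "WS23", "victim1@example.net", "1027",
           "<A1@exch2.corp.example>", SCAM_SUBJECT, "fbi.director@example.org"),
    _track("13:00:06 GMT", "10.0.0.5", "EXCH2", "victim1@example.net", "1031",
           "<A1@exch2.corp.example>", SCAM_SUBJECT, "fbi.director@example.org"),
    _track("13:00:07 GMT", "10.0.0.23", "WS23", "victim2@example.net", "1027",
           "<A2@exch2.corp.example>", SCAM_SUBJECT, "fbi.director@example.org"),
    _track("13:00:09 GMT", "10.0.0.41", "WS41", "bob@corp.example", "1019",
           "<B7@exch2.corp.example>", "Lunch menu", "alice@corp.example"),
])

# Constructed IIS SMTP log: WS23 issues MAIL FROM twice with the forged sender.
SMTP_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Version: 1.0",
    "#Date: 2010-11-10 13:00:01",
    "#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port "
    "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes "
    "cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)",
    "2010-11-10 13:00:05 10.0.0.23 WS23 SMTPSVC1 EXCH2 10.0.0.5 0 EHLO - +WS23 250 0 229 11 0 SMTP - - - -",
    "2010-11-10 13:00:05 10.0.0.23 WS23 SMTPSVC1 EXCH2 10.0.0.5 0 MAIL - +FROM:<fbi.director@example.org> 250 0 52 41 0 SMTP - - - -",
    "2010-11-10 13:00:05 10.0.0.23 WS23 SMTPSVC1 EXCH2 10.0.0.5 0 RCPT - +TO:<victim1@example.net> 250 0 39 31 0 SMTP - - - -",
    "2010-11-10 13:00:06 10.0.0.23 WS23 SMTPSVC1 EXCH2 10.0.0.5 0 MAIL - +FROM:<fbi.director@example.org> 250 0 52 41 0 SMTP - - - -",
    "2010-11-10 13:00:09 10.0.0.41 WS41 SMTPSVC1 EXCH2 10.0.0.5 0 MAIL - +FROM:<alice@corp.example> 250 0 49 38 0 SMTP - - - -",
])


def parse_tracking(text):
    """Yield one dict per tracking record, keyed by the '# Date' header names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("# Date\t"):
            fields = line[2:].split("\t")
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def tracking_sources(text, subject_fragment):
    """Hosts that originated messages whose subject contains the fragment.

    The first event logged for a MSGID is taken as the submission; later events
    (relay, outbound transfer) carry the server's own address and are ignored.
    """
    first_seen = {}
    for rec in parse_tracking(text):
        if subject_fragment.lower() not in rec["Message-Subject"].lower():
            continue
        first_seen.setdefault(rec["MSGID"], (rec["client-ip"], rec["Client-hostname"]))
    return Counter(first_seen.values()).most_common()


def parse_w3c(text):
    """Yield one dict per W3C extended log line, keyed by the '#Fields:' names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def smtp_senders(text):
    """Count MAIL FROM commands per (connecting IP, claimed sender) in the SMTP log."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec.get("cs-method") == "MAIL":
            counts[(rec["c-ip"], rec.get("cs-uri-query", "-"))] += 1
    return counts.most_common()


if __name__ == "__main__":
    print("tracking log:", tracking_sources(TRACKING_LOG, "MUELLER"))
    print("smtp log:", smtp_senders(SMTP_LOG))
```

Against real files, call `tracking_sources(open(path).read(), "MUELLER")`; the subject match is case-insensitive, so the fragment shown by the queue's Find dialog is enough. The tracking-log half only works if the first event for each MSGID carries the submitting host: if every first event shows the Exchange server's own address, the tracking log cannot separate MAPI clients and the per-connection tools (netstat, Exchmon) are the fallback. The SMTP-log half only ever sees SMTP submitters; a MAPI submission never appears there at all.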
 
Author Comment by pwindell (ID: 34104879)

I suspect MAPI. Earlier I had disabled all SMTP relaying, so the clients can only use MAPI... my logic there was that if the infection was pushing to the Exchange with SMTP it would stop it... but it didn't stop.
When I do Find in the queue it shows the:
Message ID (but that is based on the Exchange Server name... doesn't help find the client)
Source Email Address (fake)
Destination Email Address
Subject
And a few other non-relevant things. If only it showed the source client IP#, this would be over!
 
Author Comment by pwindell (ID: 34104930)

rr1968: On the first server (internal server) check the SMTP relay list. If it is enabled, remove all the entries after noting the IP addresses of the allow list. If this stops the mail flow, then one of the IP addresses was the problem. (You can add them back one at a time to identify the culprit.) If not, review the SMTP log on the first server and look at the header for source name/address. This will point you in the right direction.

I did that once and it kept flowing; that's why I thought it was coming through MAPI from an infected machine when the user opened Outlook... but I would have thought Outlook would have stuck a copy of it in the Sent Items... it didn't. But I may try the whole thing again.
I'll look through the SMTP logs and see if I see anything.
 
Assisted Solution by FDiskWizard (earned 1000 total points; ID: 34105667)

Oh... have you tried Exchmon? Microsoft tool.
It may show a high amount of Operations and/or Bytes.
It refreshes info every 60 seconds.

It does show IP addresses... :)
http://www.microsoft.com/downloads/en/details.aspx?FamilyId=9A49C22E-E0C7-4B7C-ACEF-729D48AF7BC9&displaylang=en
For Exchange 2000 - 2010
 
Author Comment by pwindell (ID: 34105687)

FDiskWizard: If they are sending to Exchange via direct SMTP, the SMTP logs should point it out... If sending through MAPI, the message tracking should show it...

Hunted one of them down in Message Tracking. It showed coming from a public IP#. I'm not sure if I can trust that. The reason being that no public IP#s are allowed to relay and this particular server has not even been configured by the firewall to receive any SMTP communication from the Internet... there is literally no way to reach the server via SMTP from the Internet.
 
Author Comment by pwindell (ID: 34105701)

FDiskWizard: Oh... have you tried Exchmon? Microsoft tool.

I'll check it out.
 
Expert Comment by JBond2010 (ID: 34105715)

Your router is routing these packets; if you enable logging you will be able to view the traffic and see which host is causing the most traffic. This will be very apparent if there are viruses on the network.
 
Author Comment by pwindell (ID: 34105761)

JBond2010: Your router is routing these packets; if you enable logging you will be able to view the traffic and see which host is causing the most traffic. This will be very apparent if there are viruses on the network.

There is no router or firewall between most of the clients and the Exchange server in question. Same subnet... straight shot... nothing in between them.
We might get lucky if it just happens to be one of the few clients that have to come across a VPN.
But I'm an outside consultant... 200 miles away... and don't have access to that remotely... I'd have to be on site. One of the other guys can do it remotely though... so I can have him do that if none of the other methods work out.
 
Assisted Solution by JBond2010 (earned 500 total points; ID: 34105862)

This is what I have done in the past. I configured logging on port 25 and was able to ascertain which host was causing the problem.
 
Author Comment by pwindell (ID: 34106749)

JBond2010: This is what I have done in the past. I configured logging on port 25 and was able to ascertain which host was causing the problem.

I now have logging enabled on the SMTP service, which should give me the same thing.
I don't have access to any of their routers & firewalls, so I can't approach it from that angle. There are those who have access, but I'm not going to push it to them until I think I have done all I can first.
None of those junk messages are happening at the moment... they "come & go"... usually in the morning. So we just have to wait and see now if any of the measures I have in place turn up anything between now and tomorrow.
Thanks for all your suggestions guys!
I'm out of here till tomorrow... later!
 
Author Closing Comment by pwindell (ID: 34111915)

This consulting work in this situation is my second "part-time" job. The consultant I "work for" is dealing with it today, so I may not know right away if it is solved. But I brought him up to speed with all we discussed and with the things I had tried up to now.

My full-time job is IT Manager at an NBC-affiliated TV station, which is where I am right now. I'm also an Experts-Exchange "expert" in other forums, and this is one of the first times I have asked any questions myself. I think everyone did a good job here. Thanks guys.

I'll leave it up to the moderator to decide if he wants this in the Knowledgebase or not.
