pwindell (United States of America) asked:
Nigerian Scam "FBI Director Robert S. Mueller",...how to find infected Client?

I have a client whose Exchange Servers get bombed with the scam email mentioned in the subject.  The Exchange server that gets hit first with it is their second one, which does not receive directly from the Internet, while their first Exchange, which actually sends/receives directly with the Internet, only gets the scam mail as it is forwarded down to it from the second Exchange.

So it would appear that the scam mail is being generated internally by an infected client and passed directly to the second Exchange over MAPI (Outlook).  The source email address is of course fake, so that does not help locate the client.  It does not go into the user's Sent Items, so we cannot find it by looking for a user's "packet out" mailbox.  The Exchange Message Tracking features have not been helpful.  We have run server AV and malware scans (Symantec and Malwarebytes) and have come up empty handed.

Does anyone have any ideas how we can pin down the source and get it cleaned up?  My next step is to try Wireshark and look for the offending traffic buried in an endless packet capture, to find the source IP that will point to the infected machine.

Thanks guys!
James (Ireland):

You could open the ports on your Router/Firewall for the LAN and you will be able to see which PC is causing the problem by the IP address.
ASKER CERTIFIED SOLUTION: zgiuffria
pwindell (asker):
Opening ports
There is no firewall between the client and the Exchange.  This is not coming from the Internet,...it is coming from an infected client inside the LAN trying to send to the Internet.  Most of the clients are on the same subnet as the Exchange they are using,..it is a "direct shot".
Wireshark
Already have it.  Was looking for a better solution,...like maybe an ability within Exchange itself to tell us what Exchange (Outlook) client it is coming from.
zgiuffria:
Better than Wireshark?  That will be a hard one.
I'm saying you can check the ports on the LAN through your Router/Firewall and you will be able to see which IP address is causing the most traffic.
Have you used netstat on the server to see who has the most connections?
The problem is...  The clients may not be using your exchange server to send the mail.  They may be sending through an external zombie mail server.  I had a client once that was sending through 150 different controlled email servers.
pwindell (asker): I mean better as in "not a packet capture", that is, I'm looking for a better "method", not "product",....better as in the ability of Exchange itself (not the machine, but probably the Exchange Server software itself) to simply show somewhere the IP, or machine name, or username,...of where the message was submitted from.  Surely there has to be a way somehow.
But Wireshark has been installed on the Exchange machine in the event there is no other better method.
zgiuffria: The problem is...  The clients may not be using your exchange server to send the mail.  They may be sending through an external zombie mail server.  I had a client once that was sending through 150 different controlled email servers.
No they are not.  I know this because the first Exchange Server they queue up on is the Exchange that cannot possibly send or receive anything, in either direction, with the Internet.   The only thing this Exchange can communicate with is the Clients and the Bridgehead Exchange.  The Bridgehead Exchange does not get these messages in the queues at all until the aforementioned Exchange queues them up first and then passes them to the BridgeHead Exchange in an attempt to send them outbound.
SOLUTION
On the first server (internal server) check the SMTP relay list.
If it is enabled, remove all the entries after noting the IP addresses of the allow list.
If this stops the mail flow, then one of the IP addresses was the problem. (You can add them back one at a time to identify the culprit.)
If not, review the SMTP log on the first server and look at the header for the source name/address. This will point you in the right direction.
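The SMTP-log review suggested above, worked through as an added example (not code from anyone in this thread): the script parses W3C-format SMTP service log lines, counts per client IP how many MAIL FROM and RCPT TO commands it issued, and flags senders whose domain is not the organisation's own. The log lines, the client IPs and the INTERNAL_DOMAINS value are constructed assumptions.

```python
"""Rank LAN hosts by what they submitted to the internal SMTP service,
using the W3C-format log the IIS/Exchange SMTP service writes. Column
names come from the #Fields: header, so a differently ordered log parses too."""
import re
from collections import defaultdict

# Constructed sample log: two ordinary clients and one host (10.1.5.71)
# handing in mail with forged external sender addresses, as in the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-query sc-status
2011-05-10 08:01:12 10.1.5.22 WS022 10.1.5.5 25 MAIL +FROM:<alice@corp.example> 250
2011-05-10 08:01:13 10.1.5.22 WS022 10.1.5.5 25 RCPT +TO:<bob@corp.example> 250
2011-05-10 08:02:40 10.1.5.71 WS071 10.1.5.5 25 MAIL +FROM:<director@fbi-office.example> 250
2011-05-10 08:02:41 10.1.5.71 WS071 10.1.5.5 25 RCPT +TO:<victim1@mail.example> 250
2011-05-10 08:02:41 10.1.5.71 WS071 10.1.5.5 25 RCPT +TO:<victim2@mail.example> 250
2011-05-10 08:02:55 10.1.5.71 WS071 10.1.5.5 25 MAIL +FROM:<agent@another.example> 250
2011-05-10 08:03:10 10.1.5.40 WS040 10.1.5.5 25 MAIL +FROM:<carol@corp.example> 250
"""

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organisation's own mail domain

def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def submitter_stats(text, internal_domains=INTERNAL_DOMAINS):
    """Return {client_ip: {"mail": n, "rcpt": n, "foreign": n}}."""
    stats = defaultdict(lambda: {"mail": 0, "rcpt": 0, "foreign": 0})
    for rec in parse_w3c(text):
        ip, method = rec["c-ip"], rec["cs-method"].upper()
        if method == "MAIL":
            stats[ip]["mail"] += 1
            m = re.search(r"<[^>@]+@([^>]+)>", rec["cs-uri-query"])
            if m and m.group(1).lower() not in internal_domains:
                stats[ip]["foreign"] += 1  # sender domain is not ours: forged
        elif method == "RCPT":
            stats[ip]["rcpt"] += 1
    return dict(stats)

def rank_suspects(text, internal_domains=INTERNAL_DOMAINS):
    """Client IPs ordered by forged-sender count, then by recipient volume."""
    stats = submitter_stats(text, internal_domains)
    return sorted(stats, key=lambda ip: (stats[ip]["foreign"], stats[ip]["rcpt"]),
                  reverse=True)
```

Point `rank_suspects` at the contents of a real log file instead of SAMPLE_LOG; the top entry is the LAN address to go and inspect first.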

I suspect MAPI.  Earlier I had disabled all SMTP relaying, so the clients can only use MAPI,...my logic there was that if the infection was pushing to the Exchange with SMTP, it would stop it,...but it didn't stop.
When I do Find in the Queue it shows the:
Message ID (but that is based on the Exchange Server name,..doesn't help find the client)
Source Email Address (fake)
Destination Email Address
Subject
And a few other non-relevant things.   If only it showed the Source Client IP#, this would be over!
 
On the first server (internal server) check the SMTP relay list.
If it is enabled, remove all the entries after noting the IP addresses of the allow list.
If this stops the mail flow, then one of the IP addresses was the problem. (You can add them back one at a time to identify the culprit.)
If not, review the SMTP log on the first server and look at the header for the source name/address. This will point you in the right direction.

I did that once and it kept flowing, that's why I thought it was coming through MAPI from an infected machine when the user opened Outlook,...but I would have thought Outlook would have stuck a copy of it in the Sent Items,...it didn't.  But I may try the whole thing again.
I'll look through the SMTP Logs and see if I see anything.

SOLUTION
FDiskWizard:
If they are sending to Exchange via direct SMTP, the SMTP logs should point it out...
If sending through MAPI, the message tracking should show it...

pwindell (asker): Hunted one of them down in Message Tracking.  It showed coming from a public IP#.  I'm not sure if I can trust that. The reason being that no public IP#s are allowed to relay, and this particular server has not even been configured by the firewall to receive any SMTP communication from the Internet,...there is literally no way to reach the server via SMTP from the Internet.
FDiskWizard:
Oh... have you tried Exchmon?  Microsoft tool.

I'll check it out.
 
JBond2010: Your router is routing these packets; if you enable logging you will be able to view the traffic and see which host is causing the most traffic. This will be very apparent if there are viruses on the network.
JBond2010: Your router is routing these packets; if you enable logging you will be able to view the traffic and see which host is causing the most traffic. This will be very apparent if there are viruses on the network.
There is no router or firewall between most of the clients and the Exchange server in question.  Same subnet--straight shot---nothing in between them.
We might get lucky if it just happens to be one of the few clients that have to come across a VPN.
But I'm an outside consultant,...200 miles away,...and don't have access to that remotely,...I'd have to be on site.  One of the other guys can do it remotely though,...so I can have him do that if none of the other methods work out.
SOLUTION
JBond2010: This is what I have done in the past. I configured logging on port 25 and was able to ascertain which host was causing the problem.
I now have logging enabled on the SMTP Service, which should give me the same thing.
I don't have access to any of their routers & firewalls, so I can't approach it from that angle.   There are those who have access, but I'm not going to push it to them until I think I have done all I can first.
None of those junk messages are happening at the moment,..they "come & go",..usually in the morning.  So we just have to wait and see now if any of the measures I have in place turn up anything between now and tomorrow.
Thanks for all your suggestions guys!
I'm out of here till tomorrow,...later!
This consulting work in this situation is my second "part-time" job.  The consultant I "work for" is dealing with it today, so I may not know right away if it is solved. But I brought him up to speed with all we discussed and with the things I had tried up to now.

My full time job is the IT Manager at an NBC-affiliated TV station, which is where I am right now.  I'm also an Experts-Exchange "expert" in other forums, and this is one of the first times I have asked any questions myself.  I think everyone did a good job here.  Thanks guys.
I'll leave it up to the moderator to decide if he wants this in the Knowledgebase or not.