Solved

Nigerian Scam "FBI Director Robert S. Mueller",...how to find infected Client?

Posted on 2010-11-10
803 Views
Last Modified: 2012-05-10
I have a client whose Exchange Servers get bombed with the scam email mentioned in the subject.  The Exchange server that gets hit first with it is their second one, which does not receive directly from the internet, while their first Exchange, the one that actually sends/receives directly with the Internet, only gets the Scam Mail as it is forwarded down to it from the Second Exchange.

So it would appear that the Scam Mail is being generated internally by an infected client and passed directly to the Second Exchange over MAPI (Outlook).  The source email address is of course fake, so that does not help locate the client.  It does not go into the user's Sent Items, so we cannot find it by looking for a user's "packet out" mailbox.  The Exchange Message Tracking features have not been helpful.  We have run server AV and Malware Scans (Symantec and Malwarebytes) and have come up empty-handed.

Does anyone have any ideas how we can pin down the source and get it cleaned up?  My next step is to try Wireshark and look for the offending traffic buried in an endless packet capture, to find the source IP that will point to the infected machine.

Thanks guys!
Question by:pwindell
21 Comments
 
LVL 15

Expert Comment

by:JBond2010
ID: 34104552
You could open the ports on your Router/Firewall for the LAN and you will be able to see which PC is causing the problem by the IP address.
 
LVL 4

Accepted Solution

by:
zgiuffria earned 125 total points
ID: 34104553
 
LVL 29

Author Comment

by:pwindell
ID: 34104622
Opening ports
There is no firewall between the Client and the Exchange.  This is not coming from the Internet,...it is coming from an infected client inside the LAN trying to send to the internet.  Most of the Clients are on the same subnet as the Exchange they are using,..it is a "direct shot".
Wireshark
Already have it.  Was looking for a better solution,...like maybe an ability within Exchange itself to tell us what Exchange (Outlook) Client it is coming from.
 
 
LVL 4

Expert Comment

by:zgiuffria
ID: 34104645
Better than Wireshark?  That will be a hard one.
 
LVL 15

Expert Comment

by:JBond2010
ID: 34104654
I'm saying you can check the ports on LAN through your Router/Firewall and you will be able to see which ip address is causing the most traffic.
 
LVL 4

Expert Comment

by:zgiuffria
ID: 34104660
Have you used netstat on the server to see who has the most connections?
 
LVL 4

Expert Comment

by:zgiuffria
ID: 34104674
The problem is...  The clients may not be using your exchange server to send the mail.  They may be sending through an external zombie mail server.  I had a client once that was sending through 150 different controlled email servers.
 
LVL 29

Author Comment

by:pwindell
ID: 34104696
I mean better as in, "not a packet capture", that is I'm looking for a better "method", not "product",....better as in the ability of Exchange itself (not the machine, but probably the Exchange Server software itself) to simply show somewhere the IP, or machinename, or username,...of where the message was submitted from.  Surely there has to be a way somehow.
But Wireshark has been installed on the Exchange machine in the event there is no other better method.
 
LVL 29

Author Comment

by:pwindell
ID: 34104742
The problem is...  The clients may not be using your exchange server to send the mail.  They may be sending through an external zombie mail server.  I had a client once that was sending through 150 different controlled email servers.
No they are not.  I know this because the first Exchange Server they queue up on is the Exchange that cannot possibly send or receive anything, in either direction, with the Internet.   The only thing this Exchange can communicate with is the Clients and the Bridgehead Exchange.  The Bridgehead Exchange does not get these messages in the queues at all until the aforementioned Exchange queues them up first and then passes them to the BridgeHead Exchange in an attempt to send them outbound.
 
LVL 12

Assisted Solution

by:FDiskWizard
FDiskWizard earned 250 total points
ID: 34104824
Enable message tracking (On server properties in ESM) then you can track emails.
Then you can try message tracking under TOOLS.

Also, in ESM under the diagnostics tab, enable logging for SMTP.  Oh, wait, I think you have to enable SMTP logging on the IIS/SMTP properties MMC.
Exchange will log in event logs. IIS/SMTP will log in Windows\system32\Logfiles\SMTP....

Hunt them down and squash them :)

if they are sending to Exchange via direct SMTP, the SMTP logs should point it out...
if sending through MAPI, the message tracking should show it...

But you also said they get queued up... if you click on the queue, and FIND... what does the message properties show?
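Working through FDiskWizard's SMTP-log suggestion above: the IIS SMTP service writes W3C extended logs in which each SMTP verb a client issues is a separate record with the client's address in the c-ip column, so a client pushing spam at the server over SMTP shows up as one address issuing MAIL FROM over and over with made-up senders. The script below is an added example, not code from this thread or from Microsoft. It reads a log's column layout from its #Fields header, counts MAIL FROM submissions per client IP, and flags any LAN client whose envelope sender is outside the organisation's own domain, which on a server that cannot receive from the Internet is exactly the fake-sender situation the question describes. The sample log lines, the corp.example domain, the host names and the addresses are all constructed for the example; the field layout follows the W3C extended format's conventions (space-separated columns, spaces inside values encoded as '+').

```python
"""Rank SMTP clients in an IIS SMTP W3C extended log by MAIL FROM submissions.

Added example for hunting an internal host that submits spam to an
Exchange/IIS SMTP service. Sample data below is constructed; the column
layout is the W3C extended format as IIS writes it (assumption, not taken
from the thread).
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log: one LAN client (10.1.2.57) submits three messages with
# external sender addresses; another (10.1.2.88) sends one legitimate message.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-11-10 07:55:01
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2010-11-10 07:55:01 10.1.2.57 WS-0423 SMTPSVC1 EXCH2 10.1.2.10 25 HELO - +WS-0423 250 0 51 16 0 SMTP - - - -
2010-11-10 07:55:01 10.1.2.57 WS-0423 SMTPSVC1 EXCH2 10.1.2.10 25 MAIL - +FROM:<director@fbi-office.example> 250 0 46 40 0 SMTP - - - -
2010-11-10 07:55:01 10.1.2.57 WS-0423 SMTPSVC1 EXCH2 10.1.2.10 25 RCPT - +TO:<victim1@example.net> 250 0 36 31 0 SMTP - - - -
2010-11-10 07:55:02 10.1.2.57 WS-0423 SMTPSVC1 EXCH2 10.1.2.10 25 DATA - <EXCH2abc@corp.example> 250 0 129 4012 16 SMTP - - - -
2010-11-10 07:55:04 10.1.2.57 WS-0423 SMTPSVC1 EXCH2 10.1.2.10 25 MAIL - +FROM:<robert.s.mueller@fbi-office.example> 250 0 46 44 0 SMTP - - - -
2010-11-10 07:55:04 10.1.2.57 WS-0423 SMTPSVC1 EXCH2 10.1.2.10 25 RCPT - +TO:<victim2@example.org> 250 0 36 31 0 SMTP - - - -
2010-11-10 07:55:09 10.1.2.57 WS-0423 SMTPSVC1 EXCH2 10.1.2.10 25 MAIL - +FROM:<payments@lottery-claims.example> 250 0 46 42 0 SMTP - - - -
2010-11-10 07:56:30 10.1.2.88 WS-0102 SMTPSVC1 EXCH2 10.1.2.10 25 MAIL - +FROM:<jsmith@corp.example> 250 0 46 32 0 SMTP - - - -
2010-11-10 07:56:30 10.1.2.88 WS-0102 SMTPSVC1 EXCH2 10.1.2.10 25 RCPT - +TO:<partner@example.net> 250 0 36 30 0 SMTP - - - -
"""

SENDER_RE = re.compile(r"FROM:\s*<([^>]*)>", re.IGNORECASE)


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("data line seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated lines rather than misalign the columns
        records.append(dict(zip(fields, values)))
    return records


def sender_of(record):
    """Envelope sender from a MAIL command record, lower-cased; None for other verbs."""
    if record.get("cs-method", "").upper() != "MAIL":
        return None
    query = unquote_plus(record.get("cs-uri-query", ""))  # '+' encodes a space
    match = SENDER_RE.search(query)
    return match.group(1).lower() if match else None


def rank_submitters(records, internal_domains):
    """Per client IP: MAIL FROM count, distinct senders, and senders whose domain
    is not one the organisation owns. Sorted by submission count, highest first."""
    internal = {d.lower() for d in internal_domains}
    stats = defaultdict(lambda: {"mail_from": 0, "senders": set(), "external": 0})
    for rec in records:
        sender = sender_of(rec)
        if sender is None:
            continue
        entry = stats[rec["c-ip"]]
        entry["mail_from"] += 1
        entry["senders"].add(sender)
        if sender.rpartition("@")[2] not in internal:
            entry["external"] += 1
    return sorted(stats.items(), key=lambda kv: kv[1]["mail_from"], reverse=True)


def suspicious_clients(records, internal_domains, min_external=1):
    """Client IPs that submitted at least `min_external` messages with a sender
    outside the organisation's domains. On a server that only talks to LAN
    clients, every legitimate submission carries an internal sender, so these
    are the hosts to pull off the network and scan."""
    return [ip for ip, s in rank_submitters(records, internal_domains)
            if s["external"] >= min_external]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for ip, s in rank_submitters(recs, ["corp.example"]):
        print(f"{ip:15} MAIL FROM={s['mail_from']:3} distinct senders={len(s['senders']):3} "
              f"external senders={s['external']:3}")
    print("scan these hosts:", suspicious_clients(recs, ["corp.example"]))
```

To run it against a real log, replace SAMPLE_LOG with the contents of a file from the SMTP log directory and pass the client's own accepted domains to rank_submitters. Because the parser takes the column names from the #Fields directive, it copes with a server whose logging was configured with a different selection of fields, as long as c-ip, cs-method and cs-uri-query are among them. This only covers SMTP submissions; a client injecting through MAPI never appears in these logs, which is why the thread also points at Message Tracking.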
LVL 8

Expert Comment

by:rr1968
ID: 34104861
On the first server (internal server) check the smtp relay list.
If it is enabled, remove all the entries after noting the ip addresses of the allow list.
If this stops the mail flow, then one of the IP addresses was the problem. (You can add them back one at a time to identify the culprit.)
If not, review the SMTP log on the first server and look at the header for the source name/address. This will point you in the right direction.

 
LVL 29

Author Comment

by:pwindell
ID: 34104879
I suspect MAPI.  Earlier I had disabled all SMTP Relaying, so the Clients can only use MAPI,...my logic there was if the infection was pushing to the Exchange with SMTP it would stop it,...but it didn't stop
When I do Find in the Queue it shows the:
Message ID  (but that is based on the Exchange Server Name,..doesn't help find client)
Source Email Address (Fake)
Destination Email Address
Subject
And a few other non-relevant things.   If only it showed the Source Client IP# this would be over!
 
 
LVL 29

Author Comment

by:pwindell
ID: 34104930
On the first server (internal server) check the smtp relay list.
If it is enabled, remove all the entries after noting the ip addresses of the allow list.
If this stops the mail flow then, one of the ip address was the problem. (You can add them back one at a time to identify the culprit)
If not review the smtp log on the first server and look at the header for source name/address. This will point you to the right direction.

I did that once and it kept flowing, that's why I thought it was coming through MAPI from an infected machine when the user opened Outlook,...but I would have thought Outlook would have stuck a copy of it in the Sent Items,...it didn't.  But I may try the whole thing again.
I'll look through the SMTP Logs and see if I see anything.

 
LVL 12

Assisted Solution

by:FDiskWizard
FDiskWizard earned 250 total points
ID: 34105667
Oh... have you tried Exchmon?  Microsoft tool.
It may show high amount of Operations and/or Bytes.
It refreshes info every 60 seconds.

It does show IP addresses... :)
http://www.microsoft.com/downloads/en/details.aspx?FamilyId=9A49C22E-E0C7-4B7C-ACEF-729D48AF7BC9&displaylang=en
For Exchange 2000 - 2010
 
LVL 29

Author Comment

by:pwindell
ID: 34105687
FDiskWizard:
if they are sending to Exchange via direct SMTP, the SMTP logs should point it out...
if sending through MAPI, the message tracking should show it...

Hunted one of them down in Message Tracking.  It showed coming from a Public IP#.  I'm not sure if I can trust that. The reason being that no Public IP#s are allowed to Relay and this particular server has not even been configured by the Firewall to receive any SMTP communication from the Internet,...there is literally no way to reach the server via SMTP from the Internet.
 
LVL 29

Author Comment

by:pwindell
ID: 34105701
FDiskWizard:
Oh... have you tried Exchmon?  Microsoft tool.

I'll check it out.
 
 
LVL 15

Expert Comment

by:JBond2010
ID: 34105715
Your router is routing these packets; if you enable logging you will be able to view the traffic and see which host is causing the most traffic. This will be very apparent if there are viruses on the network.
 
LVL 29

Author Comment

by:pwindell
ID: 34105761
JBond2010: Your router is routing these packets; if you enable logging you will be able to view the traffic and see which host is causing the most traffic. This will be very apparent if there are viruses on the network.
There is no router or firewall between most of the Clients and the Exchange server in question.  Same subnet--straight shot---nothing in between them.
We might get lucky if it just happens to be one of the few clients that have to come across a VPN.
But I'm an outside consultant,...200 miles away,...and don't have access to that remotely,...I'd have to be on site.  One of the other guys can do it remotely though,...so I can have him do that if none of the other methods work out.
 
LVL 15

Assisted Solution

by:JBond2010
JBond2010 earned 125 total points
ID: 34105862
This is what I have done in the past. I configured logging on port 25 and was able to ascertain which host was causing the problem.
 
LVL 29

Author Comment

by:pwindell
ID: 34106749
JBond2010: This is what I have done in the past. I configured logging on port 25 and was able to ascertain which host was causing the problem.
I now have logging enabled on the SMTP Service which should give me the same thing.
I don't have access to any of their routers & firewalls so I can't approach it from that angle.   There are those who have access, but I'm not going to push it to them until I think I have done all I can first.
None of those junk messages are happening at the moment,..they "come & go",..usually in the morning.  So we just have to wait and see now if any of the measures I have in place turn up anything between now and tomorrow.
Thanks for all your suggestions guys!
I'm out of here till tomorrow,...later!
 
LVL 29

Author Closing Comment

by:pwindell
ID: 34111915
This consulting work in this situation is my second "part-time" job.  The consultant I "work for" is dealing with it today so I may not know right away if it is solved. But I brought him up to speed with all we discussed and with the things I had tried up to now.

My full time job is the IT Manager at an NBC Affiliated TV Station, which is where I am right now.  I'm also an Experts-Exchange "expert" in other forums, and this is one of the first times I have asked any questions myself.  I think everyone did a good job here.  Thanks guys.
I'll leave it up to the moderator to decide if he wants this in the Knowledgebase or not.
