Troubleshooting Question

Nigerian Scam "FBI Director Robert S. Mueller"...how to find infected Client?

pwindell (United States of America) asked on
Tags: Exchange, Anti-Spyware
21 Comments, 4 Solutions, 861 Views
I have a client that gets their Exchange Servers bombed with the Scam email mentioned in the subject. The Exchange server that gets hit first with it is their second one, which does not receive directly from the internet, while their first Exchange, which actually sends/receives directly with the Internet, only gets the Scam Mail as it is forwarded down to it from the Second Exchange.

So it would appear that the Scam Mail is being generated internally by an infected client and passed directly to the Second Exchange over MAPI (Outlook). The source email address is of course fake, so that does not help locate the client. It does not go into the user's Sent Items, so we cannot find it by looking for a user's "packet out" mailbox. The Exchange Message Tracking features have not been helpful. We have run server AV and Malware Scans (Symantec and Malwarebytes) and have come up empty-handed.

Does anyone have any ideas how we can pin down the source and get it cleaned up? My next step is to try Wireshark and try to find the offending traffic buried in an endless packet capture to try to find the source IP that will point to the infected machine.

Thanks guys!
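One way to narrow the search before resorting to a full packet capture is to pull a few copies of the scam message out of a recipient's mailbox in raw form and walk their Received headers, as an added example that is not part of the original question or any of the replies. It assumes two things: that a message which reached the internal Exchange server over SMTP carries the submitting client's IP in its earliest Received header, and that Exchange stamps a message submitted from Outlook over MAPI with a `with mapi` Received header (as Exchange 2010 does). The server names, addresses and messages below are constructed for the example.

```python
"""Tally the first hop of spoofed messages by walking their Received headers.

Added example, not code from the original thread. Assumes:
  * scam messages can be exported from a mailbox in raw RFC 5322 form;
  * an SMTP submission to the internal Exchange server leaves the client's IP in
    the earliest Received header, while a MAPI (Outlook) submission is stamped
    "with mapi" and names only the Exchange server itself.
All hosts, IPs and messages below are constructed.
"""
import re
from collections import Counter
from email import message_from_string

# "from <host/ip> by <host> ... with <protocol>" as used in Received headers.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)"
    r"(?:.*?\bwith\s+(?P<proto>.+?)(?=\s+id\s|;|$))?",
    re.IGNORECASE | re.DOTALL,
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into sending host, sending IP, receiving host and protocol."""
    value = re.sub(r"\s+", " ", value).strip()      # unfold wrapped header lines
    m = RECEIVED_RE.search(value)
    if not m:
        return {"from_host": None, "from_ip": None, "by": None, "proto": "unknown"}
    from_part = m.group("from")
    tokens = from_part.split()
    ip = IPV4_RE.search(from_part)
    return {
        "from_host": tokens[0] if tokens and not tokens[0].startswith("[") else None,
        "from_ip": ip.group(1) if ip else None,
        "by": m.group("by"),
        "proto": (m.group("proto") or "unknown").strip(),
    }


def origin_of(raw_message):
    """Return the earliest hop of a raw message (the last Received header, since each relay prepends its own)."""
    msg = message_from_string(raw_message)
    hops = msg.get_all("Received", [])
    if not hops:
        return {"protocol": "none", "client_ip": None, "client_host": None}
    first = parse_received(hops[-1])
    return {"protocol": first["proto"], "client_ip": first["from_ip"], "client_host": first["from_host"]}


def tally_origins(raw_messages, subject_pattern):
    """Count first-hop origins of every message whose Subject matches subject_pattern."""
    pat = re.compile(subject_pattern, re.IGNORECASE)
    counts = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        if not pat.search(msg.get("Subject", "")):
            continue
        o = origin_of(raw)
        key = o["client_ip"] or f"{o['client_host']} via {o['protocol']}"
        counts[key] += 1
    return dict(counts)


# Constructed samples: two scam copies submitted over SMTP from an internal
# workstation, one scam copy submitted over MAPI, and one unrelated message.
SAMPLE_SMTP_1 = """\
Received: from EXCH1.corp.example ([10.0.0.5]) by EXCH1.corp.example ([10.0.0.5]) with Microsoft SMTP Server id 14.1.438.0; Mon, 3 Sep 2012 09:12:03 -0500
Received: from [10.0.0.57] (helo=localhost) by EXCH2.corp.example with ESMTP id 7F2A1; Mon, 3 Sep 2012 09:12:01 -0500
From: "FBI Director Robert S. Mueller" <spoofed@example.net>
To: alice@corp.example
Subject: FBI Director Robert S. Mueller
Message-ID: <constructed-1@example.net>

Constructed body.
"""
SAMPLE_SMTP_2 = SAMPLE_SMTP_1.replace("alice@corp.example", "bob@corp.example").replace("constructed-1", "constructed-2")
SAMPLE_MAPI = """\
Received: from EXCH2.corp.example ([fe80::1]) by EXCH2.corp.example ([fe80::1]) with mapi id 14.01.0438.000; Mon, 3 Sep 2012 09:15:44 -0500
From: "FBI Director Robert S. Mueller" <spoofed@example.net>
To: carol@corp.example
Subject: Attention: FBI Director Robert S. Mueller
Message-ID: <constructed-3@example.net>

Constructed body.
"""
SAMPLE_LEGIT = """\
Received: from EXCH2.corp.example ([fe80::1]) by EXCH2.corp.example ([fe80::1]) with mapi id 14.01.0438.000; Mon, 3 Sep 2012 09:20:10 -0500
From: dave@corp.example
To: carol@corp.example
Subject: Lunch on Friday
Message-ID: <constructed-4@corp.example>

Constructed body.
"""
SAMPLE_MESSAGES = [SAMPLE_SMTP_1, SAMPLE_SMTP_2, SAMPLE_MAPI, SAMPLE_LEGIT]

if __name__ == "__main__":
    for key, n in tally_origins(SAMPLE_MESSAGES, r"Robert S\. Mueller").items():
        print(f"{n:3d}  {key}")
```

Read the tally two ways. An internal IP with an SMTP protocol token is a machine that spoke SMTP straight to the second Exchange server, and it is the first place to look. If every scam copy instead shows the Exchange server itself with `mapi`, the submission really did come through Outlook, the client address is not in the headers at all, and the search has to move to the server side (message tracking or the capture described above).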
ASKER CERTIFIED SOLUTION
zgiuffria