Nigerian Scam "FBI Director Robert S. Mueller",...how to find infected Client?
Posted on 2010-11-10
I have a client that gets their Exchange Servers bombed with the Scam email mentioned in the subject. The Exchange server that gets hit first with it is their second one, which does not receive directly from the internet, while their first Exchange, which actually sends/receives directly with the Internet, only gets the Scam Mail as it is being forwarded down to it from the Second Exchange.
So it would appear that the Scam Mail is being generated internally by an infected client and passed directly to the Second Exchange over MAPI (Outlook). The source email address is of course fake, so that does not help locate the client. It does not go into the user's Sent Items, so we cannot find it by looking for a user's "packet out" mailbox. The Exchange Message Tracking features have not been helpful. We have run server AV and Malware Scans (Symantec and Malwarebytes) and have come up empty handed.
Does anyone have any ideas how we can pin down the source and get it cleaned up? My next step is to try Wireshark and try to find the offending traffic buried in an endless packet capture, to try to find the source IP that will point to the infected machine.
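One way to test the "submitted over MAPI" theory before going to a packet capture is to slice the Exchange message tracking logs by the scam subject and group the hits by source, event and submitting mailbox. This is an added example, not code from the post; it assumes the Exchange 2007/2010 CSV tracking-log layout with a `#Fields:` header, and that a STOREDRIVER SUBMIT row's source-context names the mailbox and a ClientType of MOMT for a MAPI/Outlook submission (on such rows the client-ip is the mailbox server itself, which is why tracking by IP alone looks useless). The sample log lines are constructed.

```python
import csv
import re
from collections import Counter

# Constructed sample rows in the Exchange 2007/2010 message tracking CSV
# layout ("#Fields:" header, then comma-separated rows); the field list is a
# subset of the real one. Assumed: a STOREDRIVER SUBMIT row's source-context
# names the submitting mailbox and a ClientType of MOMT for MAPI/Outlook.
SAMPLE_LOG = """\
#Fields: date-time,client-ip,client-hostname,source-context,source,event-id,message-subject,sender-address
2010-11-10T08:01:02.000Z,10.0.0.5,EXCH2,"MDB:d1, Mailbox:aaaa-1111, ClientType:MOMT",STOREDRIVER,SUBMIT,FBI Director Robert S. Mueller,fbi@fake.example.net
2010-11-10T08:01:02.100Z,10.0.0.5,EXCH2,"MDB:d1, Mailbox:aaaa-1111, ClientType:MOMT",STOREDRIVER,SUBMIT,FBI Director Robert S. Mueller,fbi@fake.example.net
2010-11-10T08:01:02.400Z,10.0.0.5,EXCH2,MDB:d1,STOREDRIVER,RECEIVE,FBI Director Robert S. Mueller,fbi@fake.example.net
2010-11-10T08:05:00.000Z,10.0.0.5,EXCH2,"MDB:d1, Mailbox:bbbb-2222, ClientType:OWA",STOREDRIVER,SUBMIT,Lunch,alice@example.com
2010-11-10T09:00:00.000Z,203.0.113.9,mail.fake.example.net,08CD1234,SMTP,RECEIVE,FBI Director Robert S. Mueller,fbi@fake.example.net
"""

# Pulls "Mailbox:<id>" and "ClientType:<name>" out of a source-context value.
CTX_RE = re.compile(r"(Mailbox|ClientType):([^,]+)")

def parse_tracking_log(text):
    """Return one dict per data row, keyed by the names on the #Fields: line."""
    header, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            header = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line and not line.startswith("#") and header:
            rows.append(dict(zip(header, next(csv.reader([line])))))
    return rows

def submitters(text, subject_fragment):
    """Count (source, event-id, client-ip, mailbox, client type) for rows
    whose subject contains subject_fragment (case-insensitive)."""
    hits = Counter()
    for row in parse_tracking_log(text):
        if subject_fragment.lower() not in row.get("message-subject", "").lower():
            continue
        ctx = dict(CTX_RE.findall(row.get("source-context", "")))
        hits[(row["source"], row["event-id"], row["client-ip"],
              ctx.get("Mailbox", "-"), ctx.get("ClientType", "-"))] += 1
    return hits

def likely_mailbox(text, subject_fragment):
    """Mailbox with the most STOREDRIVER SUBMIT rows for the subject, or None."""
    per_mailbox = Counter()
    for (src, ev, _ip, mbx, _ct), n in submitters(text, subject_fragment).items():
        if src == "STOREDRIVER" and ev == "SUBMIT" and mbx != "-":
            per_mailbox[mbx] += n
    return per_mailbox.most_common(1)[0][0] if per_mailbox else None

if __name__ == "__main__":
    for key, n in submitters(SAMPLE_LOG, "Robert S. Mueller").most_common():
        print(n, key)
    print("likely submitting mailbox:", likely_mailbox(SAMPLE_LOG, "Robert S. Mueller"))
```

The mailbox identifier it reports can then be resolved to a user (and so to a workstation) with Get-Mailbox in the Exchange Management Shell, which narrows the Wireshark capture to one host instead of the whole LAN.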