rcil_admin

asked on 

Identifying Exchange Client IP

Our domain has been blacklisted and after some digging it looks like one of our user's address book may have been exploited. I turned on verbose logging on the send connector and all of the outbound messages are from one user. I disabled that user's network adapter on their workstation but the problem still persists. I was disappointed when I realized that the client machine's IP address is not in the SMTP log, only the local and remote mail servers.

So my question is, what is the easiest way to determine which client machine is sending mail that coincides with the SMTP log?
Tony Giangreco

You might try tracking the email activity through Exchange System Manager. Use the user's email address in the sender's field and see if the IP is included.

Also, if you know someone who received an email from that client, have them check the internet headers. It might be there.

I've had this happen before on a large client and I installed inbound and outbound spam filtering which detects this activity and blocks the spam from being delivered.

You can also activate a rule in your firewall that only accepts outgoing email from Exchange. Most viruses don't send email out through the Exchange system.

Hope these suggestions help.
ASKER CERTIFIED SOLUTION
ChiefTechGuru
rcil_admin (ASKER)

I probably should have included this information. I am using ISA 2006 and have a rule that only allows SMTP to the internet from the mail server. When I look at monitoring on the ISA server, I see connections from the Exchange server's private address to internet addresses. When I look at SMTP logging on the exchange server, I can see the user that is originating the messages.

I agree, I have only seen these go out, outside of exchange. This is what prompted me to create the rule a while back. I'm not that great with packet sniffers but I will give that a shot.
ChiefTechGuru

Confirm that ISA is actually blocking port 25 (SMTP) by attempting to telnet to an external mail server over port 25. Have you changed the password on the user account in question? This SHOULD stop the SPAM. Also, at the server, run the command NET SESSION, or go to Computer Management, Shared Folders, Sessions. This will display active connections, with user/computer/IP info.
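As an added example that is not part of this thread, the following script checks the point made in both answers above: only the Exchange server should be making outbound SMTP connections, so any other internal host seen doing so in the firewall log is the workstation to inspect. It assumes a constructed, simplified connection-log format (not ISA's real log format) and a caller-supplied set of authorised mail-server addresses.

```python
import re
from collections import Counter

# Constructed sample log (simplified; NOT the real ISA Server log format):
# "<date> <time> <ALLOW|DENY> <src_ip>:<src_port> -> <dst_ip>:<dst_port> TCP"
SAMPLE_LOG = """\
2024-01-01 09:00:01 ALLOW 10.0.0.5:51234 -> 203.0.113.10:25 TCP
2024-01-01 09:00:02 ALLOW 10.0.0.5:51235 -> 203.0.113.11:25 TCP
2024-01-01 09:00:03 ALLOW 10.0.0.77:49152 -> 198.51.100.20:25 TCP
2024-01-01 09:00:04 ALLOW 10.0.0.77:49153 -> 198.51.100.21:25 TCP
2024-01-01 09:00:05 ALLOW 10.0.0.77:49154 -> 198.51.100.22:25 TCP
2024-01-01 09:00:06 ALLOW 10.0.0.42:50001 -> 93.184.216.34:443 TCP
2024-01-01 09:00:07 DENY  10.0.0.42:50002 -> 198.51.100.30:25 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+TCP$"
)
# Submission ports are included so a relay on 587/465 is not missed.
SMTP_PORTS = {25, 465, 587}


def find_rogue_smtp_senders(log_text, allowed_senders):
    """Return (leaked, blocked): per-host counts of outbound mail-port
    connections from internal hosts that are NOT authorised mail servers.
    'leaked' entries got through the firewall (the rule is not working);
    'blocked' entries were denied, but the source host is still suspect."""
    leaked = Counter()
    blocked = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) not in SMTP_PORTS:
            continue
        if m["src"] in allowed_senders:
            continue  # the Exchange server is expected to send mail
        (leaked if m["action"] == "ALLOW" else blocked)[m["src"]] += 1
    return dict(leaked), dict(blocked)


if __name__ == "__main__":
    got_through, denied = find_rogue_smtp_senders(SAMPLE_LOG, {"10.0.0.5"})
    for ip, n in got_through.items():
        print(f"{ip}: {n} outbound SMTP connections passed the firewall")
    for ip, n in denied.items():
        print(f"{ip}: {n} outbound SMTP attempts blocked (host still suspect)")
```

A host that appears in the leaked list while the "Exchange only" rule is enabled indicates the rule is not matching first, which is exactly the priority problem the asker found.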
rcil_admin (ASKER)

As it turns out, an infected PC was indeed sending SMTP to the internet. Not sure why, but I had to move my access rule in ISA up in priority to correct it. Weird though, nothing has changed on the ISA server. I initially looked at the rule and saw that it was not disabled, so I moved on. I should have used telnet from a client to test SMTP; I would have saved myself a lot of time by not trusting my eyes. First rule, right?

Thanks for your help!