rcil_admin
asked on
Identifying Exchange Client IP
Our domain has been blacklisted and after some digging it looks like one of our user's address book may have been exploited. I turned on verbose logging on the send connector and all of the outbound messages are from one user. I disabled that user's network adapter on their workstation but the problem still persists. I was disappointed when I realized that the client machine's IP address is not in the SMTP log, only the local and remote mail servers.
So my question is, what is the easiest way to determine which client machine is sending mail that coincides with the SMTP log?
ASKER
I probably should have included this information. I am using ISA 2006 and have a rule that only allows SMTP to the internet from the mail server. When I look at monitoring on the ISA server, I see connections from the Exchange server's private address to internet addresses. When I look at SMTP logging on the exchange server, I can see the user that is originating the messages.
I agree, I have only seen these go out, outside of exchange. This is what prompted me to create the rule a while back. I'm not that great with packet sniffers but I will give that a shot.
Confirm that ISA is actually blocking port 25 (SMTP) by attempting to telnet to external mail server over port 25. Have you changed password on user account in question? This SHOULD stop the SPAM. Also, at the server, run command NET SESSION, or go to Computer Management, Shared Folders, Sessions. This will display active connections, with user/computer/IP info.
ASKER
As it turns out, an infected PC was indeed sending SMTP to the internet. Not sure why but I had to move my access rule in ISA up in priority to correct it. Weird though, nothing has changed on the ISA server. I initially looked at the rule and saw that it was not disabled so I moved on. I should have used telnet from a client to test SMTP, I would have saved myself a lot of time by not trusting my eyes, first rule right?
Thanks for your help!
Also, if you know someone who received an email from that client, have them check the internet headers. It might be there.
I've had this happen before on a large client and I installed inbound and outbound spam filtering which detects this activity and blocks the spam from being delivered.
You can also activate a rule in your firewall that only accepts outgoing email from Exchange. Most viruses don't send email out through the Exchange system.
Hope these suggestions help.