Identifying Exchange Client IP

rcil_admin
Our domain has been blacklisted and after some digging it looks like one of our user's address book may have been exploited. I turned on verbose logging on the send connector and all of the outbound messages are from one user. I disabled that user's network adapter on their workstation but the problem still persists. I was disappointed when I realized that the client machine's IP address is not in the SMTP log, only the local and remote mail servers.

So my question is, what is the easiest way to determine which client machine is sending mail that coincides with the SMTP log?
You might try tracking the email activity through Exchange System Manager. Use the user's email  address in the sender's field and see if the IP is included.

Also, if you know someone who received an email from that client, have them check the internet headers. It might be there.

I've had this happen before on a large client and I installed inbound and outbound spam filtering which detects this activity and blocks the spam from being delivered.

You can also activate a rule in your firewall that only accepts outgoing email from Exchange. Most viruses don't send email out through the Exchange system.

Hope these suggestions help.
More than likely, one of the PCs on the network is infected, and sending out spam independent of Exchange.  Best bet would be to monitor traffic passing through your firewall (you'll also want to limit outbound SMTP on the firewall to your Exchange server while you're at it).  Alternatively, get Wireshark or similar to watch traffic going across your network.
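One way to do the firewall-log check suggested above, as an added example that is not from the original thread: parse connection log lines and count outbound port-25 connections per internal host, ignoring the Exchange server. The log format, the Exchange address and the LAN range are assumptions, and the log lines are constructed.

```python
# Added example (not from the original thread): flag LAN hosts other than
# the Exchange server that open outbound connections to TCP port 25.
# The "timestamp src:port dst:port proto" layout, the Exchange address and
# the LAN range are assumptions; the log lines are constructed.
import ipaddress
from collections import Counter

EXCHANGE_IP = ipaddress.ip_address("192.168.1.10")  # assumed mail server address
LAN = ipaddress.ip_network("192.168.1.0/24")         # assumed internal network

# Constructed sample firewall connection log (one connection per line).
SAMPLE_LOG = """\
2024-05-01T10:00:01 192.168.1.10:51000 203.0.113.25:25 TCP
2024-05-01T10:00:02 192.168.1.57:49152 198.51.100.7:25 TCP
2024-05-01T10:00:03 192.168.1.57:49153 203.0.113.9:25 TCP
2024-05-01T10:00:04 192.168.1.20:50001 203.0.113.80:443 TCP
2024-05-01T10:00:05 192.168.1.57:49154 198.51.100.8:25 TCP
2024-05-01T10:00:06 192.168.1.99:49100 192.168.1.10:25 TCP
"""

def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        src_ip, _ = parts[1].rsplit(":", 1)
        dst_ip, dst_port = parts[2].rsplit(":", 1)
        return ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dst_port)
    except ValueError:
        return None

def find_rogue_smtp_senders(log_text, exchange_ip=EXCHANGE_IP, lan=LAN):
    """Count outbound port-25 connections per internal host, excluding the
    Exchange server. Connections to LAN destinations (clients submitting
    mail to Exchange itself) are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port = rec
        if port != 25 or src not in lan or dst in lan or src == exchange_ip:
            continue
        counts[str(src)] += 1
    return dict(counts)

if __name__ == "__main__":
    for host, n in find_rogue_smtp_senders(SAMPLE_LOG).items():
        print(f"{host}: {n} direct outbound SMTP connection(s) bypassing Exchange")
```

A host that shows up here is the one to pull off the network and scan, and the same filter applied to the firewall rule (allow port 25 only from the Exchange address) is the block the answer above recommends.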

Author

Commented:
I probably should have included this information. I am using ISA 2006 and have a rule that only allows SMTP to the internet from the mail server. When I look at monitoring on the ISA server, I see connections from the Exchange server's private address to internet addresses. When I look at SMTP logging on the exchange server, I can see the user that is originating the messages.

I agree, I have only seen these go out, outside of exchange. This is what prompted me to create the rule a while back. I'm not that great with packet sniffers but I will give that a shot.
Confirm that ISA is actually blocking port 25 (SMTP) by attempting to telnet to external mail server over port 25.  Have you changed password on user account in question?  This SHOULD stop the SPAM.  Also, at the server, run command NET SESSION, or go to Computer Management, Shared Folders, Sessions.  This will display active connections, with user/computer/IP info.  

Author

Commented:
As it turns out, an infected PC was indeed sending SMTP to the internet. Not sure why but I had to move my access rule in ISA up in priority to correct it. Weird though, nothing has changed on the ISA server. I initially looked at the rule and saw that it was not disabled so I moved on. I should have used telnet from a client to test SMTP, I would have saved myself a lot of time by not trusting my eyes, first rule right?

Thanks for your help!
