
Identifying the source LAN IP address of the email on exchange server ?

OCUBE asked
Last Modified: 2012-05-12
- We have an SBS 2003 server
- Exchange 2003 mail server - Version: 6.5.7638.1

We have instances where our public gateway gets blacklisted on some spam databases over the internet.

Then we try to patch all our 20 computers on the network with Microsoft security patches and run a full scan on the network to remove any viruses.

One thing we have noticed is that today we had 3000 emails in our Exchange System Manager queue. And when I looked at it, I realized it was all spam and junk emails going out.

We deleted all the emails in the queue.

Questions:
========

1) Is there a way, from SMTP logs or Exchange log files we can look at, to find the source internal LAN IP address or hostname of the PC in our network which is sending those emails out?

2) We know for sure it might be an infected PC which might be sending spam emails out. But I wanted to know the source PC IP address/hostname which has been sending 3000 spam emails out through our Exchange server. This will help me fix the infected PC directly rather than going through 20 computers all at a time.

3) Is there any tool which can alert us through email or give us a heads up saying "HEY, PC xyz is sending 1000 emails out"?
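Questions 1 and 3 both come down to reading the SMTP virtual server's protocol log and counting message submissions per client address. The script below is an added example, not code from the thread; it assumes Exchange 2003's SMTP virtual server logging is enabled in W3C Extended format (the `c-ip` and `cs-method` field names are standard W3C fields, but the full field set shown in the constructed sample is assumed) and counts one `MAIL` command per message, then flags any LAN host over a threshold.

```python
from collections import Counter

# Constructed sample in the W3C Extended layout the IIS SMTP service
# behind Exchange 2003 writes when protocol logging is on (field set assumed).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2012-05-10 08:00:01
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2012-05-10 08:00:01 192.168.1.57 - SMTPSVC1 SBSSERVER 192.168.1.5 25 EHLO - wks57 250
2012-05-10 08:00:01 192.168.1.57 - SMTPSVC1 SBSSERVER 192.168.1.5 25 MAIL - FROM:<rnd1@example.net> 250
2012-05-10 08:00:01 192.168.1.57 - SMTPSVC1 SBSSERVER 192.168.1.5 25 RCPT - TO:<v1@example.org> 250
2012-05-10 08:00:02 192.168.1.57 - SMTPSVC1 SBSSERVER 192.168.1.5 25 MAIL - FROM:<rnd2@example.net> 250
2012-05-10 08:00:02 192.168.1.57 - SMTPSVC1 SBSSERVER 192.168.1.5 25 MAIL - FROM:<rnd3@example.net> 250
2012-05-10 08:00:03 192.168.1.57 - SMTPSVC1 SBSSERVER 192.168.1.5 25 MAIL - FROM:<rnd4@example.net> 250
2012-05-10 08:05:10 192.168.1.23 - SMTPSVC1 SBSSERVER 192.168.1.5 25 MAIL - FROM:<alice@example.com> 250
2012-05-10 08:05:10 192.168.1.23 - SMTPSVC1 SBSSERVER 192.168.1.5 25 QUIT - - 240
"""

def parse_w3c(text):
    """Yield one dict per data row, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header names the rows that follow
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def mail_from_counts(text):
    """Messages submitted per client IP: one MAIL command per message."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() == "MAIL":
            counts[rec["c-ip"]] += 1
    return counts

def noisy_senders(text, threshold, trusted=()):
    """(ip, count) pairs at or above threshold, busiest first, minus trusted hosts."""
    hits = [(ip, n) for ip, n in mail_from_counts(text).items()
            if n >= threshold and ip not in trusted]
    return sorted(hits, key=lambda pair: (-pair[1], pair[0]))

if __name__ == "__main__":
    # Run this over the day's log file on a schedule and mail the output to get the heads-up from question 3.
    for ip, n in noisy_senders(SAMPLE_LOG, threshold=3):
        print(f"ALERT: {ip} submitted {n} messages")
```

Only traffic that was submitted to the Exchange SMTP virtual server appears in these logs; a PC sending straight to port 25 on the internet never shows up here, which is why the firewall rule discussed further down matters.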


Madan Sharma, Consultant

Commented:
Is your internet browsing IP and your mail sending IP the same?
Which anti-spam security are you using for your Exchange server?

Author

Commented:
Yes, they are the same.

Symantec Mail Security for Microsoft Exchange 6

Madan Sharma, Consultant

Commented:
That's the issue: if your sending IP and browsing IP are the same, then there is a 99% chance of your IP getting listed again and again, because threats can send mail directly from the PC with no need to use your Exchange for sending spam, as they directly have the static IP for it, and as it is the same as your Exchange's, you think this is done by Exchange while it is done directly from the PC. So first of all you need to use separate IPs for browsing and mail sending. It will 100% solve your issue.

Or tightly secure all of your network PCs and the server as well.

Author

Commented:
Ok, thanks for your advice.

But for now, is there a way to look at the SMTP log and find the source LAN IP of emails going out?

You can also consider blocking SMTP outbound from all IPs other than your mail server. That will block any infected PCs from sending emails directly.

Author

Commented:
Let's say our firewall is set up with SMTP port 25 open only for Exchange. So spam emails would be going out from the Exchange server only.

Author

Commented:
Thanks
