Tools/processes for analyzing spear phishing SMTP messages - incident response

I’ve detected multiple spear phishing attempts against my organization. We are forming a security/incident response process. Other than header information from the spear phishing SMTP messages, are there other tools or online resources that can assist us in determining the legitimacy of these SMTP messages or tracking their origin or ? Additionally, most of these emails have a link to a bogus site that installs a Trojan or bot in the background. If a user’s machine should become infected, what’s the best course of action for detecting the malware and discovering known research on the malware to determine its threat severity?
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
What Exchange version do you have?
DEFclub (Author) Commented:
Exch 2003 and 2010
Maen Abu-Tabanjeh (Network Administrator, Network Consultant) Commented:
I think it's better to have anti-spam for your Exchange. All solutions cannot eliminate the spam, but I have another way that you can try:

forward all your traffic to this site before handling it; it will block the spam.

Most spear phishing I've seen recently has been used to install remote network administration utilities onto the PC. They use signed code, provide remote access/remote administration, and they will escape detection by ALL antivirus and antimalware scanners.

It used to be Dameware NT utilities that I saw installed. Nowadays it is LabTech Software. A prepackaged silent install of legit software...  it is simple, and effective.

Google "C:\WINDOWS\LTSvc\LTSVC.exe" and you'll see plenty of people that have posted their HijackThis output log - frustrated beyond measure about how their machine keeps getting re-infected and they can't figure out how it is happening.
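
When the installed tool is signed, legitimate software, one way to spot it is to review what autostarts on the machine rather than what scanners flag. The following is an added example, not part of the original answers: it scans a HijackThis log for service (O23) and autorun (O4) entries that match the LTSvc path quoted above. The sample log, the `dameware` marker, the `approved` parameter and the function name are assumptions made for illustration.

```python
import re

# Lower-case fragments identifying remote administration tools.
# The LTSvc path is the one quoted in the answer above; "dameware" is an
# assumed fragment for the Dameware utilities it names.
MARKERS = {r"\ltsvc\ltsvc.exe": "LabTech", "dameware": "Dameware"}

# O23 = service entry: "O23 - Service: <display> (<name>) - <vendor> - <path>"
O23 = re.compile(
    r"^O23 - Service: .+? \((?P<name>[^)]+)\) - .*? - (?P<path>[A-Za-z]:\\.+)$")
# O4 = autorun entry: "O4 - <location>: [<name>] <command>"
O4 = re.compile(r"^O4 - [^:]+: \[(?P<name>[^\]]+)\] (?P<path>.+)$")

# Constructed sample log, not taken from a real machine.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O23 - Service: LabTech Service (LTService) - Unknown owner - C:\WINDOWS\LTSvc\LTSVC.exe
O23 - Service: Print Helper (PrintHlp) - Example Corp - C:\Program Files\Example\printhlp.exe
"""


def find_remote_admin(log_text, approved=()):
    """Return autostart entries that launch a listed remote-admin tool.

    approved: tool names (values of MARKERS) the organisation deploys itself,
    so that a sanctioned install is not reported as an incident.
    """
    hits = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = O23.match(line) or O4.match(line)
        if not m:
            continue  # not a service or autorun entry
        lowered = line.lower()  # match display name as well as path
        for fragment, tool in MARKERS.items():
            if fragment in lowered and tool not in approved:
                hits.append({"line": lineno, "entry": m.group("name"),
                             "tool": tool, "path": m.group("path")})
    return hits


if __name__ == "__main__":
    for hit in find_remote_admin(SAMPLE_LOG):
        print(hit)
```
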