Searching Exchange Logs for SPAM

Posted on 2014-01-02
Last Modified: 2014-01-10
Over the holiday break, our email server was flagged on 3 RBL sites. I am in the process of having them removed, but need to figure out what caused the issue. I know that the email server does not support relaying, so I'm thinking one of the workstations might have a virus/malware/trojan.

I want to figure out where the SPAM originated from (workstation, user mailbox, etc.), but I have no time stamp, no recipient list, and no Mail From. I checked the file size of the log files, but they only vary by a few hundred KB.

Does anyone have any suggestions? We are running Exchange 2010, and right now I'm focusing on the SMTPSend ProtocolLogs. Oh, this is running on Windows SBS 2011 if that matters.
Question by: rdege
3 Comments
 
LVL 4

Accepted Solution

by: XCONBLR (earned 400 total points)
ID: 39752427
Run Process Tracking Log analyser on the Exchange server against the message tracking logs.
It might tell you who sent the largest number of emails and other information which will help you get to the root cause.

http://blogs.technet.com/b/exchange/archive/2011/10/21/updated-process-tracking-log-ptl-tool-for-use-with-exchange-2007-and-exchange-2010.aspx

Also, once you find out who sent the largest number of emails, check whether their machine is affected with any virus/trojan.
LVL 2

Assisted Solution

by: FocIS (earned 100 total points)
ID: 39752442
XCONBLR has the right solution, but I wanted to add this:

We went through this a few weeks ago, and it had nothing to do with the user's workstation. She had clicked a phishing link and typed in her email address and password. Since that day, for the next three days, a botnet was sending mail as the user, through our server, from random countries, just by using SMTP.

So even if the user's machine is clean, make sure to change their password as soon as you find out who it is.

If it's still happening, you can certainly monitor the packets by using Wireshark, looking for anything weird (emails after hours, destination email addresses you don't recognize as normal, etc.).

Sending a huge amount of email will almost always result in lots of outbound queues for non-existing addresses. Have you had a look in the queue viewer to see what's retrying over and over? You should be able to open each entry enough to see the sender.
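The two answers above point at the same two data sources: the message tracking logs (who submitted the most mail, and from where) and the transport queues (what is stuck retrying). The following Exchange Management Shell snippet is an added example, not code from either poster; the server name and the seven-day window are placeholders you will need to adjust.

```powershell
# Added example (not from the thread): find the account behind an outbound
# spam run on Exchange 2010 using the message tracking logs and the queues.
# Run in the Exchange Management Shell on the Exchange/SBS 2011 server.
# Assumptions: the server is called EXCH01 and the suspect period is the
# last 7 days. Both are placeholders.

$Server = "EXCH01"                 # placeholder, replace with your server
$Start  = (Get-Date).AddDays(-7)
$End    = Get-Date

# RECEIVE events cover every message the transport accepted, whether it was
# submitted from a mailbox (Source STOREDRIVER) or by an authenticated SMTP
# client (Source SMTP). ClientIp records where the submission came from.
$accepted = Get-MessageTrackingLog -Server $Server -Start $Start -End $End `
    -EventId RECEIVE -ResultSize Unlimited

# 1. Who sent the most mail? A compromised account or infected host
#    usually dwarfs every legitimate sender.
$bySender = $accepted | Group-Object Sender | Sort-Object Count -Descending
$bySender | Select-Object -First 10 Count, Name | Format-Table -AutoSize

# 2. For the top sender, break submissions down by source and client IP.
#    Many unfamiliar external IPs with Source SMTP indicates stolen
#    credentials used from outside (the case FocIS describes); a single
#    internal IP points at one workstation instead.
$top = ($bySender | Select-Object -First 1).Name
$topMail = $accepted | Where-Object { $_.Sender -eq $top }
$topMail | Group-Object Source, ClientIp | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

# 3. Recipients per message: spam runs often carry many recipients per
#    submission, while ordinary mail rarely does.
$topMail | Measure-Object -Property RecipientCount -Average -Maximum

# 4. Queue viewer equivalent: messages stuck in Retry (typically bounces to
#    non-existent addresses), grouped by sender, as the second answer suggests.
Get-Message -ResultSize Unlimited |
    Where-Object { $_.Status -eq 'Retry' } |
    Group-Object FromAddress | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

Once the account is identified, resetting its password (and clearing the queues of the remaining spam) stops the run regardless of whether the source was malware or phished credentials.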
LVL 1

Author Comment

by: rdege
ID: 39772246
Thank you for the assistance. I was able to locate the user account that was causing the issues, along with the Facebook app that was generating the emails.
