Solved

Searching Exchange Logs for SPAM

Posted on 2014-01-02
3
258 Views
Last Modified: 2014-01-10
Over the holiday break, our email server was flagged on 3 RBL sites. I am in the process of having them removed, but need to figure out what caused the issue. I know that the email server does not support relaying, so I'm thinking one of the workstations might have a virus/malware/trojan.

I want to figure out where the SPAM originated from (workstation, user mailbox, etc.), but I have no time stamp, no recipient list, and no Mail From. I checked the file size of the log files, but they only vary by a few 100 KB.

Does anyone have any suggestions? We are running Exchange 2010, and right now I'm focusing on the SMTPSend ProtocolLogs. Oh, this is running on Windows SBS 2011 if that matters.
0
Question by:rdege
3 Comments
LVL 4

Accepted Solution

by:
XCONBLR earned 400 total points
ID: 39752427
Run Process Tracking Log analyser on the Exchange server against the message tracking logs.
It might tell you who sent the largest number of emails and other information which will help you get to the root cause.

http://blogs.technet.com/b/exchange/archive/2011/10/21/updated-process-tracking-log-ptl-tool-for-use-with-exchange-2007-and-exchange-2010.aspx

Also, once you find out who sent the largest number of emails, check whether their machine is affected by any virus/trojan.
0
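The same ranking the PTL tool produces can be done directly in the Exchange 2010 Management Shell against the message tracking logs. This is an added example, not part of the answer above or of the PTL tool; it assumes message tracking is enabled (the default) and that a 7-day window covers the incident, and the result counts are arbitrary choices.

```powershell
# Added example: rank senders by outbound volume in the Exchange 2010
# message tracking logs. Assumes message tracking is enabled (the default)
# and that the last 7 days cover the incident (both are assumptions).
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# SEND events are messages the transport service handed to a send connector,
# i.e. mail that actually left the server.
$sent = Get-MessageTrackingLog -EventId SEND -Start $start -End $end -ResultSize Unlimited

# Top 10 senders by number of outbound messages.
$sent |
    Group-Object -Property Sender |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name

# Same senders by total recipient count: spam runs usually show a much
# higher recipient-per-message ratio than normal user mail.
$sent |
    Group-Object -Property Sender |
    ForEach-Object {
        New-Object PSObject -Property @{
            Sender     = $_.Name
            Messages   = $_.Count
            Recipients = ($_.Group | Measure-Object -Property RecipientCount -Sum).Sum
        }
    } |
    Sort-Object -Property Recipients -Descending |
    Select-Object -First 10 -Property Sender, Messages, Recipients

# RECEIVE events with Source SMTP record the client IP that submitted the
# message. One internal sender submitting from many unfamiliar IPs points to
# a stolen password used from outside rather than an infected workstation.
Get-MessageTrackingLog -EventId RECEIVE -Start $start -End $end -ResultSize Unlimited |
    Where-Object { $_.Source -eq 'SMTP' } |
    Group-Object -Property Sender, ClientIp |
    Sort-Object -Property Count -Descending |
    Select-Object -First 20 -Property Count, Name
```

Run this from the Exchange Management Shell on the SBS 2011 server. Where-Object is used for the Source filter rather than a cmdlet parameter so the block stays on the Exchange 2010 / PowerShell 2.0 parameter set.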
LVL 2

Assisted Solution

by:FocIS
FocIS earned 100 total points
ID: 39752442
XCONBLR has the right solution, but I wanted to add this:

We went through this a few weeks ago, and it had nothing to do with the user's workstation. She had clicked a phishing link and typed in her email address and password. Since that day, for the next three days, a botnet was sending mail as the user, through our server, from random countries, just by using SMTP.

So even if the user's machine is clean, make sure to change their password as soon as you find out who it is.

If it's still happening, you can certainly monitor the packets by using Wireshark, looking for anything weird (emails after hours, destination email addresses you don't recognize as normal, etc.).

Sending a huge amount of emails will almost always result in lots of outbound queues for non-existent addresses. Have you had a look in the queue viewer to see what's retrying over and over? You should be able to open each entry enough to see the sender.
0
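The queue check described above can be done from the Exchange Management Shell instead of the Queue Viewer GUI, which also makes it easy to count senders across every queue. This is an added example, not part of the answer above; it assumes Exchange 2010 on the SBS 2011 server, and the sender address at the end is a placeholder to be replaced with the account you identify.

```powershell
# Added example: inspect the transport queues for the backlog a spam run
# leaves behind. Assumes the Exchange 2010 Management Shell on SBS 2011.

# Queues holding mail. Unreachable and retrying remote-delivery queues are the
# usual symptom of bulk mail to non-existent domains and addresses.
Get-Queue |
    Where-Object { $_.MessageCount -gt 0 } |
    Sort-Object -Property MessageCount -Descending |
    Format-Table Identity, DeliveryType, Status, MessageCount, NextHopDomain -AutoSize

# Senders behind every queued message on this server, most frequent first.
Get-Message -ResultSize Unlimited |
    Group-Object -Property FromAddress |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name

# Messages that keep retrying, with the IP that submitted them. An external
# SourceIP under an internal user's address is the stolen-password pattern
# described in the answer above.
Get-Message -ResultSize Unlimited -Filter { Status -eq 'Retry' } |
    Select-Object FromAddress, SourceIP, Subject, Queue, LastError |
    Format-Table -AutoSize

# Once the account is identified: reset its password first, then drop the
# queued spam without NDRs so it stops feeding the RBLs.
# 'compromised.user@example.com' is a placeholder for the real address.
Remove-Message -Filter { FromAddress -eq 'compromised.user@example.com' } -WithNDR $false -Confirm:$false
```

Resetting the password before clearing the queue matters: with the credential still valid, the queue simply refills.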
LVL 1

Author Comment

by:rdege
ID: 39772246
Thank you for the assistance. I was able to locate the user account that was causing the issues, along with the Facebook app that was generating the emails.
0
