  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 281

Searching Exchange Logs for SPAM

Over the holiday break, our email server was flagged on 3 RBL sites.  I am in the process of having them removed, but need to figure out what caused the issue.  I know that the email server does not support relaying, so I'm thinking one of the workstations might have a virus/malware/trojan.

I want to figure out where the SPAM originated from (workstation, user mailbox, etc.), but I have no time stamp, no recipient list, and no Mail From.  I checked the file size of the log files, but they only vary by a few hundred KB.

Does anyone have any suggestions?  We are running Exchange 2010, and right now I'm focusing on the SMTPSend ProtocolLogs.  Oh, this is running on Windows SBS 2011, if that matters.
0
Asked by: rdege

2 Solutions
 
XCONBLR Commented:
Run the Process Tracking Log analyser on the Exchange server against the message tracking logs.
It might tell you who sent the largest number of emails, and other information which will help you get to the root cause.

http://blogs.technet.com/b/exchange/archive/2011/10/21/updated-process-tracking-log-ptl-tool-for-use-with-exchange-2007-and-exchange-2010.aspx

Also, once you find out who sent the largest number of emails, check their machine for any virus/trojan.
0
 
FocIS Commented:
XCONBLR has the right solution, but I wanted to add this:

We went through this a few weeks ago, and it had nothing to do with the user's workstation.  She had clicked a phishing link and typed in her email address and password.  Since that day, for the next three days, a botnet was sending mail as the user, through our server, from random countries, just by using SMTP.

So even if the user's machine is clean, make sure to change their password as soon as you find out who it is.

If it's still happening, you can certainly monitor the packets by using Wireshark, looking for anything weird (emails after hours, destination email addresses you don't recognize as normal, etc.).

Sending a huge amount of emails will almost always result in lots of outbound queues for non-existent addresses.  Have you had a look in the queue viewer to see what's retrying over and over?  You should be able to open each entry enough to see the sender.
0
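Both answers above boil down to the same question: which sender account produced the most outbound mail, to how many distinct recipients, and at what hours? The script below is an added example (not the PTL tool from the first answer, nor anything from the original thread) that reads the `#Fields:` header of an Exchange message tracking log, keeps only `SEND` events, and profiles each sender. The sample log is constructed and shows only a subset of the real columns; it assumes the `date-time`, `client-ip`, `event-id`, `recipient-address` (semicolon-separated) and `sender-address` columns, and that timestamps are UTC so "after hours" is judged in UTC against an assumed 08:00-18:00 window.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Constructed sample in the message tracking log layout ("#Fields:" header, then
# CSV rows). Column names come from the header, so a real log parses the same way.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Fields: date-time,client-ip,event-id,recipient-address,recipient-count,sender-address,message-subject
2011-12-27T02:13:05.123Z,203.0.113.7,SEND,a@example.net;b@example.org,2,alice@corp.example,Hello
2011-12-27T02:13:09.456Z,203.0.113.7,SEND,c@example.net,1,alice@corp.example,Hello
2011-12-27T02:14:11.789Z,203.0.113.7,SEND,d@example.org;e@example.com;f@example.net,3,alice@corp.example,Hello
2011-12-27T14:30:00.000Z,10.0.0.12,SEND,partner@example.com,1,bob@corp.example,Invoice
2011-12-27T14:31:00.000Z,10.0.0.12,SEND,partner@example.com,1,bob@corp.example,Re: Invoice
2011-12-27T15:00:00.000Z,10.0.0.12,RECEIVE,bob@corp.example,1,partner@example.com,Re: Invoice
"""

def parse_tracking_log(text):
    """Return one dict per data row, keyed by the names in the #Fields: line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows

def sender_profile(rows, business_hours=(8, 18)):
    """Per sender: SEND count, distinct recipients, after-hours sends (UTC), client IPs."""
    acc = defaultdict(lambda: {"messages": 0, "recipients": set(),
                               "after_hours": 0, "client_ips": set()})
    for r in rows:
        if r["event-id"] != "SEND":      # only outbound delivery attempts
            continue
        p = acc[r["sender-address"].lower()]
        p["messages"] += 1
        p["recipients"].update(a for a in r["recipient-address"].split(";") if a)
        p["client_ips"].add(r["client-ip"])   # where the submission came from
        hour = datetime.strptime(r["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ").hour
        if not business_hours[0] <= hour < business_hours[1]:
            p["after_hours"] += 1
    return {s: {"messages": p["messages"], "distinct_recipients": len(p["recipients"]),
                "after_hours": p["after_hours"], "client_ips": sorted(p["client_ips"])}
            for s, p in acc.items()}

def top_senders(text, n=5):
    """Senders ranked by SEND volume, then by recipient fan-out."""
    stats = sender_profile(parse_tracking_log(text))
    return sorted(stats.items(), reverse=True, key=lambda kv: (
        kv[1]["messages"], kv[1]["distinct_recipients"]))[:n]
```

A sender with high volume, many distinct recipients, night-time activity and an unfamiliar client IP is the account whose password to reset first, per the second answer.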
 
rdege (Author) Commented:
Thank you for the assistance.  I was able to locate the user account that was causing the issues, along with the Facebook app that was generating the emails.
0
