Solved

Searching Exchange Logs for SPAM

Posted on 2014-01-02
Last Modified: 2014-01-10
Over the holiday break, our email server was flagged on 3 RBL sites.  I am in the process of having them removed, but need to figure out what caused the issue.  I know that the email server does not support relaying, so I'm thinking one of the workstations might have a virus/malware/trojan.

I want to figure out where the SPAM originated from (workstation, user mailbox, etc.), but I have no time stamp, no recipient list, and no Mail From.  I checked the file size of the log files, but they only vary by a few hundred KB.

Does anyone have any suggestions?  We are running Exchange 2010, and right now, I'm focusing on the SMTPSend ProtocolLogs.  Oh, this is running on Windows SBS 2011 if that matters.
Question by: rdege
3 Comments

Accepted Solution

by: XCONBLR (earned 1600 total points)
ID: 39752427
Run the Process Tracking Log (PTL) analyser on the Exchange server against the message tracking logs.
It might tell you who sent the largest number of emails and other information which will help you get to the root cause.

http://blogs.technet.com/b/exchange/archive/2011/10/21/updated-process-tracking-log-ptl-tool-for-use-with-exchange-2007-and-exchange-2010.aspx

Also, once you find out who sent the largest number of emails, check whether their machine is affected by any virus/trojan.
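As an added example (not part of XCONBLR's answer and not the PTL tool itself), the same question can be answered directly from the Exchange Management Shell on the SBS 2011 server with Get-MessageTrackingLog. The date window is an assumption; everything else is standard Exchange 2010 cmdlet output.

```powershell
# Added example, not from the thread: top senders in the Exchange 2010 message
# tracking logs over the holiday window. Run in the Exchange Management Shell
# on the SBS 2011 server. The date range is an assumption; adjust to your outage.
$start = Get-Date '2013-12-20'
$end   = Get-Date '2014-01-02'

# SUBMIT events come from the store driver (Outlook/OWA/ActiveSync users);
# RECEIVE events with Source SMTP come from authenticated or anonymous SMTP
# clients. Together they cover every message that entered transport.
# (-contains instead of -in keeps this PowerShell 2.0 compatible, which is what
#  the Exchange 2010 shell on SBS 2011 runs.)
$submitted = Get-MessageTrackingLog -Start $start -End $end -ResultSize Unlimited |
    Where-Object { @('SUBMIT', 'RECEIVE') -contains $_.EventId }

# 1. Who injected the most mail, counted by messages and by total recipients?
$submitted | Group-Object Sender |
    Select-Object Name, Count,
        @{ n = 'Recipients'; e = { ($_.Group | Measure-Object RecipientCount -Sum).Sum } } |
    Sort-Object Recipients -Descending | Select-Object -First 10 | Format-Table -AutoSize

# 2. For the top sender: where did it come from? STOREDRIVER with no ClientIp
#    means Outlook; Source SMTP with a LAN IP means a workstation talking SMTP
#    directly (malware or a scanner); Source SMTP with an outside IP means
#    someone is using the user's credentials from the Internet.
$top = ($submitted | Group-Object Sender | Sort-Object Count -Descending |
        Select-Object -First 1).Name
$submitted | Where-Object { $_.Sender -eq $top } |
    Group-Object Source, ClientIp | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 3. Hour-of-day histogram: a human sends during office hours, a bot does not.
$submitted | Where-Object { $_.Sender -eq $top } |
    Group-Object { $_.Timestamp.Hour } | Sort-Object { [int]$_.Name } |
    Format-Table Name, Count -AutoSize

# 4. What the RBLs actually saw: SEND events on the send connector carry the
#    timestamp, recipient list and subject that the question says were missing.
Get-MessageTrackingLog -Start $start -End $end -EventId SEND -Sender $top -ResultSize Unlimited |
    Select-Object Timestamp, ClientIp, Recipients, MessageSubject |
    Export-Csv -NoTypeInformation "$env:TEMP\spam-$($top -replace '[^a-z0-9]', '_').csv"
```

Step 2 is the one that separates the two root causes discussed in this thread: an infected workstation shows up as SMTP submissions from an internal address, while stolen credentials show up as SMTP submissions from addresses that are not yours.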

Assisted Solution

by: FocIS (earned 400 total points)
ID: 39752442
XCONBLR has the right solution, but I wanted to add this:

We went through this a few weeks ago, and it had nothing to do with the user's workstation.  She had clicked a phishing link and typed in her email address and password.  Since that day, for the next three days, a botnet was sending mail as the user, through our server, from random countries, just by using SMTP.

So even if the user's machine is clean, make sure to change their password as soon as you find out who it is.

If it's still happening, you can certainly monitor the packets by using Wireshark, looking for anything weird (emails after hours, destination email addresses you don't recognize as normal, etc.).

Sending a huge amount of email will almost always result in lots of outbound queues for non-existent addresses.  Have you had a look in the Queue Viewer to see what's retrying over and over?  You should be able to open each entry enough to see the sender.
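As an added example (these are not FocIS's own commands), the queue check, the stolen-credential check and the password reset can all be done from the Exchange Management Shell on the SBS 2011 server. The sender address, the internal IP ranges and the SAM account name are assumptions.

```powershell
# Added example, not FocIS's own commands: the Queue Viewer check from the
# Exchange Management Shell, then the client IPs behind a suspect user's SMTP
# submissions, then the password reset. The sender address, the LAN ranges and
# the SAM account name are assumptions.

# 1. Outbound queues stuck in Retry: a bounce storm shows up as many
#    DnsConnectorDelivery queues, one per destination domain, all retrying.
Get-Queue | Where-Object { $_.Status -eq 'Retry' -and $_.DeliveryType -eq 'DnsConnectorDelivery' } |
    Sort-Object MessageCount -Descending |
    Format-Table Identity, NextHopDomain, MessageCount, LastError -AutoSize

# 2. Senders sitting in those queues: the offending account floats to the top.
$queued = foreach ($q in (Get-Queue | Where-Object { $_.Status -eq 'Retry' })) {
    Get-Message -Queue $q.Identity -ResultSize Unlimited
}
$queued | Group-Object FromAddress | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize

# 3. Where the suspect's mail was injected. RECEIVE events with Source SMTP
#    carry the submitting client's IP; anything outside your LAN ranges is a
#    stolen-credential relay of the kind FocIS describes, even if the PC is clean.
$sender = 'alice@example.com'        # assumption: the top FromAddress from step 2
$lan    = '^(10\.|192\.168\.|127\.)' # assumption: your internal ranges
Get-MessageTrackingLog -Sender $sender -EventId RECEIVE -Start (Get-Date).AddDays(-14) -ResultSize Unlimited |
    Where-Object { $_.Source -eq 'SMTP' -and $_.ClientIp -notmatch $lan } |
    Group-Object ClientIp | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 4. Cut the botnet off: reset the password (SBS 2011 is a domain controller,
#    so the AD module is available) and purge what is still queued from that
#    sender without generating thousands of NDRs.
Import-Module ActiveDirectory
Set-ADAccountPassword -Identity 'alice' -Reset -NewPassword (Read-Host 'New password' -AsSecureString)
Get-Message -Filter "FromAddress -eq '$sender'" -ResultSize Unlimited |
    Remove-Message -WithNDR $false -Confirm:$false
```

Do step 4 before the queues drain naturally: an already-authenticated session keeps going until the connection drops, but every new AUTH attempt with the old password fails, which is what actually stops the relay.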

Author Comment

by: rdege
ID: 39772246
Thank you for the assistance.  I was able to locate the user account that was causing the issues, along with the Facebook app that was generating the emails.