Searching Exchange Logs for SPAM

Over the holiday break, our email server was flagged on 3 RBL sites.  I am in the process of having them removed, but need to figure out what caused the issue.  I know that the email server does not support relaying, so I'm thinking one of the workstations might have a virus/malware/torjan.

I want to figure out where the SPAM originated from (workstation, user mailbox, etc.), but I have no time stamp, no recipient list, and no Mail From.  I checked the file size of the log files, but they only vary by a few 100KB.

Does anyone have any suggestions?  We are running Exchange 2010, and right now, I'm focusing on the SMTPSend ProtocolLogs.  Oh, this is running on Windows SBS 2011 if that matters.
LVL 1
RobertSystems AdministratorAsked:
Who is Participating?
 
XCONBLRConnect With a Mentor Commented:
Run Process Tracking Log analyser on the Exchange server against the message tracking logs.
It might tell you who sent the largest number of emails and other information which will help you get to the root cause.

http://blogs.technet.com/b/exchange/archive/2011/10/21/updated-process-tracking-log-ptl-tool-for-use-with-exchange-2007-and-exchange-2010.aspx

Also once you find out who sent the largest number of email, check for their machine being affected with any virus/trojan
0
 
FocISConnect With a Mentor Commented:
XCONBLR has the right solution but i wanted to add this:

We went thru this a few weeks ago, and it had nothing to do with the users workstation.  She had clicked a phishing link and typed in her email address and password.  Since that day, for the next three days, a botnet was sending mail as the user, thru our server, from random countries, just by using SMTP.

So even if the users machine is clean, make sure to change their password as soon as you find out who it is.

If it's still happening, you can certainly monitor the packets by using Wireshark, looking for anything weird (emails after hours, destination email addresses you dont recognize as normal, etc).  

Sending a huge amount of emails will almost always result in lots of outbound queues for non-existing addresses.. have you had a look in the queue viewer to see what's retrying over and over?  You should be able to open each entry enough to see the sender.
0
 
RobertSystems AdministratorAuthor Commented:
Thank you for the assistance.  I was able to locate the user account that was causing the issues, along with the facebook app that was generating the emails.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.