Having trouble locating the source of a spam outbreak in an Exchange 2007 environment... can iPhones be spam devices?

I'm the administrator of a school district with 1400+ users.  We have two Exchange 2007 servers (one as the hub/transport, the other hosting the mailboxes), and utilize an onsite Sophos Spam Filtering appliance.  All internal port 25 traffic is routed to the Exchange servers only, the Exchange servers route to the filter, and the filter is the only device that can send port 25 traffic through the firewall.  Our clients are all Windows 7 Professional, running Office 2013.  We allow end users to set up mail on iOS devices using OWA.  Remote Windows clients can get to their mailboxes using either OWA or ActiveSync.

Last week the email account of one of our users (who hasn't been in the district since mid-June) began spamming out to the world.  The hub/transport server showed thousands of outbound messages in the queue emanating from her account.  Her district computer was turned off.  We disabled her account, cleared the queues, and began damage control.

I contacted her at home, and found that she accesses school email using her iPhone (OWA connection in the native mail client) and via a personal laptop using OWA through Internet Explorer.  I asked her if she'd run into any virus/malware issues recently, and she stated that her laptop was infected, but she had taken it in and the problem was resolved by a tech company a couple of weeks ago.  This seemed suspicious, so I asked her to have them take another look.

The next day the tech company reported that there were no signs of malware on her laptop, nor was there anything in quarantine that might account for the spam.  We were stumped as to the cause of the outbreak, and enabled her account again.  We did ask her not to enable mail on her iPhone, but to only utilize OWA on her laptop.  After three days, there has been no sign of spam from her account.

However, later on Friday I was confronted with another district user having a similar issue.  This person was actively working in the district, although scans with SCCM's AV and Sophos' workstation agent found nothing out of the ordinary.  The coincidental note here is that this user, like the first, has her email configured on her iPhone using OWA.  At this point, we've left her account disabled.

I'm stumped here... our Apple tech says that there are still no known viruses for iOS devices (at least that he's aware of).  I'm less convinced, but don't have any information to refute him.

This seems like a standard spambot, but I've not heard of malware being able to use OWA as a transport method for spam.  I always assumed that the malware had to be resident on a workstation with Outlook configured.

Does anyone have any ideas on what might be happening, or on what steps I should take next?  Since the iPhones and laptops in question aren't district devices, I'm prohibited by policy from bringing them in to take a look at them, which is really hampering my investigation.

Any help would be appreciated!


Miguel Angel Perez Muñoz commented:
Some users access with rooted (on Android) or jailbroken Apple devices. Since those devices run software of unknown reputation, they may cause these spam attacks.
I suggest you start a multi-way investigation:

Ask your affected users about their devices, and try to block access to modified devices.
Ask about use of their accounts on public computers or over public internet access.
Start an auditing policy for these mails. Check in the transport logs where these emails came from.
Force all users to change their passwords, and set a password expiry policy.

I would not be too sure that viruses do not exist on iOS, but that's off topic, since many apps users can install are able to send mail, possibly in bulk, and there is no control whatsoever regarding what people upload to the App Store or download on their devices.

I would never trust a company for saying they removed an infection. From my experience, removing a virus with an anti-virus produces a high chance that another underlying infection is left behind. If the antivirus detected several different viruses, those chances are near 100%. Actually, even a full reinstall is not always enough because of rootkits and other hardware baddies.

Also note that their accounts may have been spoofed or breached.

A first step might be to look at the logs or email headers, or possibly sniff the network to get the IP addresses that send that spam, which should give a hint as to which device is infected.

"I've not heard of malware being able to use OWA as a transport method for spam"

There is a whole bunch of spambots that do this, and some even use OWA breaches. Anyway, this is probably irrelevant, as the bot most likely uses the device's configured mail server through internal APIs (be it Outlook's or Apple's).

meelnah (Author) commented:
Thanks to you both for your advice.

We're looking deeper (found another compromised user), and finding that our Exchange management skills aren't what they should be.

At this point, in the Message Tracker on Exchange, I can see a user account began sending a batch of spam at 16:38 on Saturday, sent for about 2 hours, then stopped.  No spam Sunday, then started up again this morning.  This makes me think either that the spambot is sending in bunches, or that the compromised device is being turned off and then back on.

Can either of you tell me if there's a way to determine which IP address the messages are coming from?  I'm trying to determine if the origin is inside the network, or if it's a device outside the network.

meelnah (Author) commented:
I was able to find some information using the Get-MessageTrackingLog commandlet on our mailbox and hub servers.

It appears that all spam is being routed through our systems using OWA (the ClientType attribute in the 'SourceContext' portion of the return is OWA).

However, I cannot tell if the source machine is inside or outside our network.

Do either of you have any ideas here?

I'm currently trying to find out if I can trace the traffic through our firewall (a Cisco ASA 5555), but haven't found an easy way to do so just yet.
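As an added example (not code from the thread), here is a PowerShell pass in the Exchange Management Shell that first lists a suspect account's OWA-submitted messages by the hour, using the same Get-MessageTrackingLog cmdlet and the ClientType:OWA marker in SourceContext mentioned above, and then pulls the client addresses for that user's OWA sessions out of the Client Access server's IIS log, since the tracking log itself does not record the browser's IP. The sender address, server name, IIS log path and the default W3C field set are assumptions.

```powershell
# Added example (PowerShell, not from the thread). Assumptions: run in the Exchange
# Management Shell on a server holding the tracking logs; 'MBX01' and the IIS log
# path are placeholders; the IIS log uses the default W3C field set.
$Sender = 'user@district.example'        # constructed address of the suspect account
$Start  = (Get-Date).AddDays(-3)
$End    = Get-Date

# 1. SUBMIT events are the mailbox-side record of a send; SourceContext carries
#    ClientType:OWA for messages composed in Outlook Web Access.
$owaSubmits = Get-MessageTrackingLog -Server 'MBX01' -EventId SUBMIT -Sender $Sender `
    -Start $Start -End $End -ResultSize Unlimited |
  Where-Object { $_.SourceContext -match 'ClientType:OWA' }

# 2. Bucket by hour: a burst of hundreds per hour from a normally quiet account,
#    then silence, is the pattern described in the question.
$owaSubmits |
  Group-Object { $_.Timestamp.ToString('yyyy-MM-dd HH:00') } |
  Sort-Object Name |
  Select-Object @{n='Hour';e={$_.Name}}, Count |
  Format-Table -AutoSize

# 3. The tracking log does not record the browser's address; the Client Access
#    server's IIS log does (c-ip), keyed by the authenticated user (cs-username).
$sam    = (Get-Mailbox -Identity $Sender).SamAccountName
$iisLog = 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log'   # placeholder path on the CAS
$fields = $null
Get-Content $iisLog | ForEach-Object {
  # Each log file repeats a '#Fields:' header; use it to map column names to indexes.
  if ($_ -like '#Fields:*') { $fields = ($_ -replace '^#Fields:\s*', '') -split ' '; return }
  if ($_.StartsWith('#') -or -not $fields) { return }
  $cols = $_ -split ' '
  $row  = @{}
  for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
  $row
} |
  Where-Object {
    $_['cs-uri-stem'] -like '/owa/*' -and
    (($_['cs-username'] -split '\\')[-1]) -eq $sam      # cs-username may be DOMAIN\user
  } |
  Group-Object { $_['c-ip'] } |
  Sort-Object Count -Descending |
  Select-Object @{n='ClientIp';e={$_.Name}}, Count,
    @{n='FirstSeen';e={ @($_.Group | ForEach-Object { $_['date'] + ' ' + $_['time'] } | Sort-Object)[0] }} |
  Format-Table -AutoSize
# Note: IIS logs times in UTC by default, and behind a reverse proxy or load
# balancer c-ip is the proxy's address unless X-Forwarded-For is also logged.
```

A client address outside the district's ranges during a burst hour points at a compromised credential rather than an infected internal workstation; an internal address identifies the workstation to pull for scanning.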

meelnah (Author) commented:
More info!

We were able to identify the originating IP addresses for the SPAM (as it was being sent to our mail server for transport).  Some were local, but a couple of others were coming from Nigeria, proving that a user's account credentials were compromised.

We've since reset all account passwords, and the SPAM has stopped, at least for now.

My next (hopefully final) question would be 'How can I prevent this in the future?'  The users are compromising their home systems, and then using OWA to connect to their district mail accounts.  Do either of you have any ideas on how I could protect the systems from this (other than removing remote access to mail)?

Quite sorry, but the simple answer is you can't.

One way to allow external access and effectively limit such problems is to make the users use a VPN or equivalent tunnel when they connect to OWA. At least OWA would not be open to the WAN, so it is impossible to brute-force remotely, and even grabbing a user's password through other means would not produce a working automated attack such as the one you experienced.

Another way can be to require the users to log on to a separate interface before they can use OWA: you would allow OWA access to any IP that logs on to the page by adding a rule in a firewall or reverse proxy, for example.

Policies such as frequent password changes and automated detection of brute-force attacks will likely prove inefficient.

Setting up antispam software with alerts for detected outgoing spam can be very useful.