Having trouble locating the source of a spam outbreak in an Exchange 2007 environment... can iPhones be spam devices?

Posted on 2014-07-20
Last Modified: 2014-08-22

I'm the administrator of a school district with 1400+ users.  We have two Exchange 2007 servers (one as the hub/transport, the other hosting the mailboxes), and utilize an onsite Sophos Spam Filtering appliance.  All internal port 25 traffic is routed to the Exchange servers only, the Exchange servers route to the filter, and the filter is the only device that can send port 25 traffic through the firewall.  Our clients are all Windows 7 professional, running Office 2013.  We allow end users to set up mail on iOS devices using OWA.  Remote Windows clients can get to their mailboxes using either OWA or ActiveSync.

Last week the email account of one of our users (who hasn't been in the district since mid-June) began spamming out to the world.  The hub/transport server showed thousands of outbound messages in the queue emanating from her account.  Her district computer was turned off.  We disabled her account, cleared the queues, and began damage control.

I contacted her at home, and found that she accesses school email using her iPhone (OWA connection in the native mail client) and via a personal laptop using OWA through Internet Explorer.  I asked her if she'd run into any virus/malware issues recently, and she stated that her laptop was infected, but she had it in and the problem was resolved by a tech company a couple of weeks ago.  This seemed suspicious, so I asked her to have them take another look.

The next day the tech company reported that there were no signs of malware on her laptop, nor was there anything in quarantine that might account for the spam.  We were stumped as to the cause of the outbreak, and enabled her account again.  We did ask her not to enable mail on her iPhone, but to only utilize OWA on her laptop.  After three days, there has been no sign of spam from her account.

However, later on Friday I was confronted with another district user having a similar issue.  This person was actively working in the district, although scans with SCCM's AV and Sophos' workstation agent found nothing out of the ordinary.  The coincidental note here is that this user, like the first, has her email configured on her iPhone using OWA.  At this point, we've left her account disabled.

I'm stumped here... our Apple tech says that there are still no known viruses for iOS devices (at least that he's aware of).  I'm less convinced, but don't have any information to refute him.

This seems like a standard spambot, but I've not heard of malware being able to use OWA as a transport method for spam.  I always assumed that the malware had to be resident on a workstation with Outlook configured.

Does anyone have any ideas on what might be happening, or on what steps I should take next?  Since the iPhones and laptops in question aren't district devices, I'm prohibited by policy from bringing them in to take a look at them, which is really hampering my investigation.

Any help would be appreciated!

Question by:meelnah
LVL 19

Assisted Solution

by:Miguel Angel Perez Muñoz
Miguel Angel Perez Muñoz earned 200 total points
ID: 40208279
Some users access with rooted (on Android) or jailbroken Apple devices. Since those devices run software of unknown reputation, it may cause these spam attacks.
I suggest you start a multi-pronged investigation:

Ask your affected users about their devices, and try to block access from modified devices.
Ask about use of their accounts on public computers or over public internet access.
Start an auditing policy for these mails. Check in the transport logs where these emails came from.
Force all users to change their password, and set a password expiry policy.
LVL 27

Accepted Solution

skullnobrains earned 300 total points
ID: 40208539
i would not be too sure that viruses do not exist on iOS, but that's off topic, since many apps users can install are able to send mail, possibly in bulk, and there is no control whatsoever regarding what people upload to the App Store or download onto their devices.

i would never trust a company for saying they removed an infection. from my experience, removing a virus with an anti-virus leaves a high chance that another underlying infection is left behind. if the antivirus detected several different viruses, those chances near 100%. actually even a full reinstall is not always enough because of rootkits and other hardware baddies.

also note that their accounts may have been spoofed or breached.

a first step might be to look at the logs or email headers, or possibly sniff the network to get the IP addresses that send this spam, which should give a hint as to which device is infected.
LVL 27

Expert Comment

ID: 40208542
I've not heard of malware being able to use OWA as a transport method for spam

there is a whole bunch of spambots that do this, and some even use OWA breaches. anyway this is probably irrelevant, as the bot most likely uses the device's configured mail server using internal APIs (be it Outlook's or Apple's).

Author Comment

ID: 40209079
Thanks to you both for your advice.

We're looking deeper (found another compromised user), and finding that our Exchange management skills aren't what they should be.

At this point, in the Message Tracker on Exchange, I can see a user account began sending a batch of spam at 16:38 on Saturday, sent for about 2 hours, then stopped.  No spam Sunday, then started up again this morning.  This makes me think either the spambot is sending in bunches, or that the compromised device is being turned off and then back on.

Can either of you tell me if there's a way to determine which IP address the messages are coming from?  I'm trying to determine if the origin is inside the network, or if it's a device outside the network.


Author Comment

ID: 40209435
I was able to find some information using the Get-MessageTrackingLog cmdlet on our mailbox and hub servers.

It appears that all spam is being routed through our systems using OWA (the ClientType attribute in the 'SourceContext' portion of the return is OWA).

However, I cannot tell if the source machine is inside or outside our network.

Do either of you have any ideas here?

I'm currently trying to find out if I can trace the traffic through our firewall (a Cisco ASA 5555), but haven't found an easy way to do so just yet.


Author Comment

ID: 40210161
More info!

We were able to identify the originating IP addresses for the SPAM (as it was being sent to our mail server for transport).  Some were local, but a couple of others were coming from Nigeria, proving that a user's account credentials were compromised.

We've since reset all account passwords, and the SPAM has stopped, at least for now.

My next (hopefully final) question would be 'How can I prevent this in the future?'  The users are compromising their home systems, and then using OWA to connect to their district mail accounts.  Do either of you have any ideas on how I could protect the systems from this (other than removing remote access to mail)?
LVL 27

Expert Comment

ID: 40213826
quite sorry, but the simple answer is you can't.

one way to allow external access and effectively limit such problems is to make the users use a VPN or equivalent tunnel when they connect to OWA. at least OWA would not be open to the WAN, so it would be impossible to brute force remotely, and even grabbing a user's password through other means would not produce a working automated attack such as the one you experienced.

another way can be to require the users to log on to a separate interface before they can use OWA: you would allow OWA access to any IP that logs on to the page by adding a rule in a firewall or reverse proxy, for example.

policies such as frequent password changes and automated detection of brute force attacks will likely prove inefficient.

setting up antispam software with alerts for outgoing detected spam can be very useful.
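As an added example (not code from this thread or from the Exchange product), here is an Exchange Management Shell script that does the two things the thread works toward: flag mailboxes whose OWA-submitted mail volume bursts in the message tracking log, then pull the client IPs those mailboxes used for OWA out of the Client Access server's IIS logs and mark which ones fall outside private address space. The hub server name, the IIS log folder and the per-hour threshold are assumed placeholders, and the script assumes the IIS logs record cs-username for OWA sessions.

```powershell
# Added example, not code from this thread. Assumed placeholders: hub server
# name, CAS IIS log folder and the recipients-per-hour threshold.
param(
    [string]$HubServer = "HUB01",                                   # assumed
    [string]$IisLogDir = "\\CAS01\c$\inetpub\logs\LogFiles\W3SVC1", # assumed
    [datetime]$Start = (Get-Date).AddHours(-24),
    [int]$MaxRecipientsPerHour = 200                                # tune to your baseline
)

# 1. Mail that entered transport via OWA. The thread found "ClientType:OWA"
#    inside SourceContext on the RECEIVE event written by the store driver.
$owaMail = Get-MessageTrackingLog -Server $HubServer -EventId RECEIVE `
    -Start $Start -ResultSize Unlimited |
    Where-Object { $_.SourceContext -match 'ClientType:OWA' }

# 2. Sum recipients per sender per clock hour; flag bursts over the threshold.
$suspects = $owaMail |
    Group-Object { '{0}|{1:yyyy-MM-dd HH}' -f $_.Sender, $_.Timestamp } |
    ForEach-Object {
        $sender, $hour = $_.Name -split '\|'
        New-Object PSObject -Property @{
            Sender = $sender; Hour = $hour
            Recipients = ($_.Group | Measure-Object RecipientCount -Sum).Sum
        }
    } | Where-Object { $_.Recipients -gt $MaxRecipientsPerHour }
$suspects | Sort-Object Sender, Hour | Format-Table Sender, Hour, Recipients -AutoSize

# 3. For each flagged mailbox, list the OWA client IPs from the CAS IIS logs
#    (W3C format; column positions are read from each file's #Fields header).
function Test-PrivateIP([string]$ip) {
    $ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)'
}
$logins = $suspects | ForEach-Object { ($_.Sender -split '@')[0].ToLower() } | Select-Object -Unique
$hits = @()
foreach ($file in Get-ChildItem $IisLogDir -Filter '*.log' | Where-Object { $_.LastWriteTime -ge $Start }) {
    $userIdx = $ipIdx = -1
    foreach ($line in Get-Content $file.FullName) {
        if ($line.StartsWith('#Fields:')) {                     # header names the columns
            $cols = $line.Substring(8).Trim() -split ' '
            $userIdx = [array]::IndexOf($cols, 'cs-username'); $ipIdx = [array]::IndexOf($cols, 'c-ip')
            continue
        }
        if ($line.StartsWith('#') -or $userIdx -lt 0 -or $line -notmatch '/owa/') { continue }
        $f = $line -split ' '
        $user = ($f[$userIdx] -split '\\')[-1].ToLower()        # strip any DOMAIN\ prefix
        if ($logins -contains $user) { $hits += New-Object PSObject -Property @{ User = $user; ClientIP = $f[$ipIdx] } }
    }
}
$hits | Group-Object User, ClientIP | ForEach-Object {
    $u, $ip = $_.Name -split ', '
    '{0,-20} {1,-16} {2,6} requests  {3}' -f $u, $ip, $_.Count, $(if (Test-PrivateIP $ip) { 'internal' } else { 'EXTERNAL' })
}
```

Run it on a schedule and alert on any EXTERNAL line for a flagged mailbox; a burst tied to an address outside your network is the credential-compromise pattern the thread ended up confirming.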
