Solved

How to find what IP a user is accessing Exchange from remotly?

Posted on 2014-11-05
7
43 Views
Last Modified: 2015-01-26
I have a user that has left the company, but due to an employee contract he has e-mail access until the end of the year. The problem is that whatever computer he is using is probably infected with some kind of botnet.

Every night his e-mail sends out about 30 e-mails in German with trojan attachments. GFI has blocked all of these e-mails, but since I have no access to the computer he may be using at his new job, I cannot ensure those computers are clean. I need to find out what IP this is coming from. Is there a way to do this? If I find out it is the IP of his new company, I can shut down access until that computer has been cleaned.
0
Comment
Question by:j_crow1
  • 4
  • 3
7 Comments
 
LVL 19

Expert Comment

by:Adam Farage
ID: 40424476
You should be able to find the source of the email in the message tracking logs:

Get-TransportServer | Get-MessageTrackingLog -MessageSubject "enter Trojan message subject here" | Select Timestamp, {$_.Recipients}, Sender, SenderIP, ClientHostname | Export-CSV C:\Log.csv

Open in new window


From there make the table in Excel, and then search for the client IP that is not an Exchange server.
0
 

Author Comment

by:j_crow1
ID: 40424523
It is not displaying an IP address, but it does display a client host name...how accurate is this?
0
 
LVL 19

Expert Comment

by:Adam Farage
ID: 40424583
The ClientHostname should be accurate, but I am surprised you are not getting a client address. Most likely coming from someones mailbox or an open relay.

Do you see the sender address and can you log into that mailbox?
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:j_crow1
ID: 40424635
Yes, but those items are not in his sent folder. I do not have an open relay...where else should I check for where this could be coming from?
0
 
LVL 19

Accepted Solution

by:
Adam Farage earned 500 total points
ID: 40424754
Its most likely his mailbox, but using a raw MAPI connection on his machine.

Try disabling MAPI connectivity to the mailbox and see if that works for you (Set-CASMailbox username@company.com -MapiEnabled:$FALSE)

It will disable his outlook access (along with any other MAPI access) but it should help figure out if it his client machine or not.
0
 

Author Comment

by:j_crow1
ID: 40424870
I will try that tonight and see if those e-mails get sent out.
0
 
LVL 19

Expert Comment

by:Adam Farage
ID: 40426302
Any luck?
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
Find out what you should include to make the best professional email signature for your organization.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now