Solved

View the computer name that sent an email in exchange 2007

Posted on 2015-02-19
Last Modified: 2015-04-09
We have a shared mailbox that sent out a lot of spam and need to determine which computer actually sent out the spam. Not sure if there is a way to set up specific diagnostic logging to have it show the computer.

I looked through the message tracking logs, but it just shows that it was sent from the shared mailbox account. We have 4 or 5 users that have access to that account and are in the process of scanning those computers individually for viruses, etc. But we want to know if we could track down the culprit from the Exchange server logs or possibly another way.

Thanks.
Question by:tiptechs
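As an added example (not from the question or any of the replies), this is how the message tracking logs the asker mentions can be queried from the Exchange 2007 Management Shell to see how each message from the shared mailbox entered transport. The cmdlet and its field names are Exchange's own; the mailbox address and the date range are placeholders to replace.

```powershell
# Added example, not part of the thread. Run in the Exchange Management Shell on a
# Hub Transport server (Get-MessageTrackingLog searches the local server unless -Server
# is given; pipe Get-TransportServer into it to cover every Hub Transport server).
$shared = 'shared@example.com'        # placeholder: the shared mailbox SMTP address
$start  = (Get-Date).AddDays(-7)      # placeholder window: last seven days
$end    = Get-Date

# One RECEIVE row per message from the shared mailbox entering transport.
# Source and ClientHostname show how it got there:
#   STOREDRIVER + a mailbox server name  = submitted from the mailbox (Outlook/OWA/MAPI);
#                                          the client PC itself is not recorded here.
#   SMTP + a gateway or outside IP       = arrived over SMTP, e.g. relayed by the spam
#                                          filter with a spoofed sender address.
$rows = Get-TransportServer |
    Get-MessageTrackingLog -Sender $shared -EventId RECEIVE -Start $start -End $end -ResultSize Unlimited |
    Select-Object Timestamp, EventId, Source, ClientIp, ClientHostname, ServerHostname, MessageSubject

$rows | Sort-Object Timestamp | Format-Table -AutoSize

# Tally submissions by source and client IP: a large SMTP count from one outside IP
# points at inbound spoofing rather than a compromised Outlook client.
$rows | Group-Object Source, ClientIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The second table is the useful one for triage: if every row is STOREDRIVER from your own mailbox server, the messages really were submitted by a mailbox client and the log cannot name the workstation; if the rows are SMTP from a gateway or external address, the mailbox was never involved and the address was simply forged on inbound mail.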
6 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40619325
In order to get this kind of logging you need to configure Diagnostic Logging on the server.
https://technet.microsoft.com/en-us/library/bb201668%28v=exchg.80%29.aspx

Is your mailbox sending externally? What you can do is block port 25 and then check your firewall to see who is continually sending email and from what machine.

I do not believe Diagnostic Logging shows computer names/IPs where the email was sent from. Even if it does, it will only show logging for email that is sent after it is enabled. Your perimeter firewall would be a better option.

Will.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40619327
That information isn't logged by Exchange.
Even if it were available, you wouldn't be able to find the information if you don't have it already, as you cannot retrospectively log things.

The most you can log is authentication attempts at the domain level, but that will not tell you which machine sent the email, as the access is logged, not the action.

Do you see the spam in the Sent Items folder of the mailbox? It is VERY unusual for an Exchange mailbox to directly send spam. Much easier for the compromised machine to send spam directly using SMTP.

Simon.
 

Author Comment

by:tiptechs
ID: 40619376
The spam would have been generated on a client PC via a virus and sent through the shared mail account within Outlook.

I understand that we wouldn't be able to go back and look after changing the logging, but for the future I wasn't sure if there was an option.

Thanks.

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40621740
"the spam would have been generated on a client pc via a virus and sending through the shared mail account within outlook. "

That is unusual behaviour. Malware rarely does that, because it leaves a huge trail which it doesn't want to do. In fact I don't think I have seen malware send email through Exchange/Outlook for a number of years.

If you can find no trace of the messages in sent items then it was NOT sent through Exchange.

Simon.
 

Author Comment

by:tiptechs
ID: 40621810
Thanks, Simon. I believe you are right. We found the issue coming in from the outside on the spam filter (which was making it through) using the shared address.

Can you think of a good way to prevent this on Exchange, or is this something the spam filter should have caught?
 
LVL 63

Accepted Solution

by: Simon Butler (Sembee) earned 500 total points
ID: 40622782
If you mean the From line was an address in your own domain, then the spam filter should have caught that and at least flagged it. However, a lot of sites will whitelist their own domain, which is why spammers use them in the From field.

The other option for blocking it, again by using your filtering service, is to configure SPF records for your own domain and then have the filtering service reject email from everywhere else.

The key thing here is to have the messages blocked at the filtering service, as blocking it on Exchange is too late - a waste of bandwidth.

Simon.
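As an added example rather than anything Simon posted, the following PowerShell evaluates a constructed SPF record of the kind the accepted solution recommends against the IP that delivered a message claiming the domain, which is the check a filtering service performs before rejecting. It implements only the ip4 mechanism and the all terminator; mx, a and include need DNS lookups and are deliberately skipped. The record and the sample IPs are constructed values, not anything from the thread.

```powershell
# Added example, not part of the thread. Simplified SPF evaluation: ip4 mechanisms and
# the "all" terminator only. A production gateway should use a full SPF implementation.

# Constructed sample record: two authorised senders, everything else hard-fails.
$spfRecord = 'v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all'

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $parts    = $Cidr.Split('/')
    $prefix   = if ($parts.Length -gt 1) { [int]$parts[1] } else { 32 }
    $netBytes = [System.Net.IPAddress]::Parse($parts[0]).GetAddressBytes()
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    # Compare the first $prefix bits, bit by bit, so any prefix length works.
    for ($i = 0; $i -lt $prefix; $i++) {
        $byte = [int][math]::Floor($i / 8)
        $mask = [int][math]::Pow(2, 7 - ($i % 8))
        if (($netBytes[$byte] -band $mask) -ne ($ipBytes[$byte] -band $mask)) { return $false }
    }
    return $true
}

function Get-SpfResult {
    param([string]$Record, [string]$SenderIp)
    if (-not $Record.StartsWith('v=spf1')) { return 'None' }
    foreach ($term in $Record.Split(' ')) {
        if ($term -eq 'v=spf1' -or $term -eq '') { continue }
        # Optional qualifier in front of the mechanism: + pass, - fail, ~ softfail, ? neutral
        $qualifier = '+'
        if ($term -match '^[+\-~?]') { $qualifier = $term.Substring(0, 1); $term = $term.Substring(1) }
        $matched = $false
        if ($term -eq 'all') { $matched = $true }
        elseif ($term.StartsWith('ip4:')) { $matched = Test-IPv4InCidr -Ip $SenderIp -Cidr $term.Substring(4) }
        else { continue }   # mx, a, include, ... are not handled in this example
        if ($matched) {
            switch ($qualifier) {
                '+' { return 'Pass' }
                '-' { return 'Fail' }
                '~' { return 'SoftFail' }
                '?' { return 'Neutral' }
            }
        }
    }
    return 'Neutral'   # record exhausted without a match
}

# Constructed sample senders: an authorised host, a host inside the authorised /24,
# and an outside address forging the domain.
foreach ($ip in '203.0.113.10', '198.51.100.42', '192.0.2.77') {
    "{0,-16} {1}" -f $ip, (Get-SpfResult -Record $spfRecord -SenderIp $ip)
}
```

The `-all` terminator is what lets the filtering service reject everything not listed, as the answer suggests; a `~all` record only asks receivers to soft-fail, which most gateways turn into a score rather than a rejection. SPF is evaluated on the SMTP envelope sender (MAIL FROM) and the HELO name, so a gateway rule that rejects on Fail for your own domain should be applied to that address, not only to the header From line the asker saw in the spam.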

Question has a verified solution.