  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 73

View the computer name that sent an email in Exchange 2007

We have a shared mailbox that sent out a lot of spam and need to determine which computer actually sent out the spam. Not sure if there is a way to set up specific diagnostic logging to have it show the computer.

I looked through the message tracking logs, but they just show that it was sent from the shared mailbox account. We have 4 or 5 users that have access to that account and are in the process of scanning those computers individually for viruses, etc. But we want to know if we could track down the culprit from the Exchange server logs or possibly another way.

Thanks.
0
Asked by: tiptechs

1 Solution
 
Will Szymkowski (Senior Solution Architect) commented:
In order to get this kind of logging you need to configure Diagnostic Logging on the server.
https://technet.microsoft.com/en-us/library/bb201668%28v=exchg.80%29.aspx

Is your mailbox sending externally? What you can do is block port 25 and then check your firewall to see who is continually sending email and from what machine.

I do not believe Diagnostic Logging shows computer names/IPs where the email was sent from. Even if it does, it will only show logging for email that is sent after it is enabled. Your perimeter firewall would be a better option.

Will.
0
 
Simon Butler (Sembee) (Consultant) commented:
That information isn't logged by Exchange.
Even if it was available, you wouldn't be able to find the information if you don't have it already as you cannot retrospectively log things.

The most you can log is authentication attempts at the domain level, but that will not tell you which machine sent the email, as the access is logged, not the action.

Do you see the spam in the Sent Items folder of the mailbox? It is VERY unusual for an Exchange mailbox to directly send spam. Much easier for the compromised machine to send spam directly using SMTP.

Simon.
0
 
tiptechs (Author) commented:
The spam would have been generated on a client PC via a virus and sent through the shared mail account within Outlook.

I understand that we wouldn't be able to go back and look after changing the logging, but for the future I wasn't sure if there was an option.

Thanks.
0

 
Simon Butler (Sembee) (Consultant) commented:
"the spam would have been generated on a client pc via a virus and sending through the shared mail account within outlook."

That is unusual behaviour. Malware rarely does that, because it leaves a huge trail which it doesn't want to do. In fact I don't think I have seen malware send email through Exchange/Outlook for a number of years.

If you can find no trace of the messages in sent items then it was NOT sent through Exchange.

Simon.
0
 
tiptechs (Author) commented:
Thanks Simon. I believe you are right. We found the issue coming in from the outside on the spam filter (which was making it through) using the shared address.

Can you think of a good way to prevent this on Exchange, or is this something the spam filter should have caught?
0
 
Simon Butler (Sembee) (Consultant) commented:
If you mean the From line was an address in your own domain, then the spam filter should have caught that and at least flagged it. However, a lot of sites will whitelist their own domain, which is why spammers use them as the from field.

The other option for blocking it, again by using your filtering service, is to configure SPF records for your own domain and then have the filtering service reject email from everywhere else.

The key thing here is to have the messages blocked at the filtering service, as blocking it on Exchange is too late - a waste of bandwidth.

Simon.
0
Question has a verified solution.
