Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

View the computer name that sent an email in exchange 2007

Posted on 2015-02-19
6
Medium Priority
?
67 Views
Last Modified: 2015-04-09
We have a shared mailbox that sent out a lot of spam and need to determine which computer actually sent out the spam.  Not sure if there is way to setup a specific diagnostic logging to have it show the computer.  

I looked through the messagetracking logs , but it just shows that it was sent from the shared mailbox account.   We have 4 or 5 users that have access to that account and are in the process of scanning those computers individually for viruses, etc..   But want to know if we could track down the culprit from the exchange server logs or possibly another way.

thanks.
0
Comment
Question by:tiptechs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40619325
In order to get this kind of logging you need to configure Diagnostic Logging on the server.
https://technet.microsoft.com/en-us/library/bb201668%28v=exchg.80%29.aspx

Is your mailbox sending externally? what you can do is block port 25 and then check your firewall to see who is continually sending email and from what machine.

I do not believe Diagnostic logging shows computer names/ip's where the email was sent from. Even if it does it will only show logging for email that is being sent after it is enabled. You perimeter firewall would be a better option.

Will.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40619327
That information isn't logged by Exchange.
Even if it was available, you wouldn't be able to find the information if you don't have it already as you cannot retrospectively log things.

The most you can log is authentication attempts at the domain level, but that will not tell you which machine sent the email, as the access is logged, not the action.

Do you see the spam in the Sent Items folder of the mailbox? It is VERY unusual for an Exchange mailbox to directly send spam. Much easier for the compromised machine to send spam directly using SMTP.

Simon.
0
 

Author Comment

by:tiptechs
ID: 40619376
the spam would have been generated on a client pc via a virus and sending through the shared mail account within outlook.    

I understand that we wouldn't be able to go back and look after changing the logging, but for the future I wasn't sure if there was an option.

Thanks.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40621740
"the spam would have been generated on a client pc via a virus and sending through the shared mail account within outlook. "

That is unusual behaviour. Malware rarely does that, because it leaves a huge trail which it doesn't want to do. In fact I don't think I have seen malware send email through Exchange/Outlook for a number of years.

If you can find no trace of the messages in sent items then it was NOT sent through Exchange.

Simon.
0
 

Author Comment

by:tiptechs
ID: 40621810
Thanks Simon.  I believe you are right.  We found the issue coming in from the outside on the spam filter (which was making it through) using the shared address.

Can you think of a good way to prevent this on exchange or is this something the spam filter should have caught?
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 40622782
If you mean the From line was an address in your own domain, then the spam filter should have caught that and at least flagged it. However a lot of sites will whitelist their own domain, which is why spammers use them as the from field.

The other option for blocking it, again by using your filtering service, is to configure SPF records for your own domain and then have the filtering service reject email from everywhere else.

The key thing here is to have the messages blocked at the filtering service, as blocking it on Exchange is too late - a waste of bandwidth.

Simon.
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
As much as Microsoft wants to kill off PST file support, just as they tried to do with public folders, there are still times when it is useful or downright necessary to export Exchange mailboxes to PST files. Thankfully, it is still possible to e…
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question