Solved

View the computer name that sent an email in exchange 2007

Posted on 2015-02-19
Last Modified: 2015-04-09
We have a shared mailbox that sent out a lot of spam and need to determine which computer actually sent out the spam. Not sure if there is a way to set up specific diagnostic logging to have it show the computer.

I looked through the message tracking logs, but it just shows that it was sent from the shared mailbox account. We have 4 or 5 users that have access to that account and are in the process of scanning those computers individually for viruses, etc. But I want to know if we could track down the culprit from the Exchange server logs or possibly another way.

Thanks.
Question by:tiptechs
6 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40619325
In order to get this kind of logging you need to configure Diagnostic Logging on the server.
https://technet.microsoft.com/en-us/library/bb201668%28v=exchg.80%29.aspx

Is your mailbox sending externally? What you can do is block port 25 and then check your firewall to see who is continually sending email and from what machine.

I do not believe Diagnostic Logging shows computer names/IPs where the email was sent from. Even if it does, it will only show logging for email that is sent after it is enabled. Your perimeter firewall would be a better option.

Will.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40619327
That information isn't logged by Exchange.
Even if it was available, you wouldn't be able to find the information if you don't have it already as you cannot retrospectively log things.

The most you can log is authentication attempts at the domain level, but that will not tell you which machine sent the email, as the access is logged, not the action.

Do you see the spam in the Sent Items folder of the mailbox? It is VERY unusual for an Exchange mailbox to directly send spam. Much easier for the compromised machine to send spam directly using SMTP.

Simon.
 

Author Comment

by:tiptechs
ID: 40619376
The spam would have been generated on a client PC via a virus and sent through the shared mail account within Outlook.

I understand that we wouldn't be able to go back and look after changing the logging, but for the future I wasn't sure if there was an option.

Thanks.

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40621740
"the spam would have been generated on a client pc via a virus and sending through the shared mail account within outlook. "

That is unusual behaviour. Malware rarely does that, because it leaves a huge trail which it doesn't want to do. In fact I don't think I have seen malware send email through Exchange/Outlook for a number of years.

If you can find no trace of the messages in sent items then it was NOT sent through Exchange.

Simon.
 

Author Comment

by:tiptechs
ID: 40621810
Thanks, Simon. I believe you are right. We found the issue coming in from the outside on the spam filter (which it was making it through) using the shared address.

Can you think of a good way to prevent this on Exchange, or is this something the spam filter should have caught?
 
LVL 63

Accepted Solution

by:Simon Butler (Sembee) earned 2000 total points
ID: 40622782
If you mean the From line was an address in your own domain, then the spam filter should have caught that and at least flagged it. However, a lot of sites will whitelist their own domain, which is why spammers use them as the From field.

The other option for blocking it, again by using your filtering service, is to configure SPF records for your own domain and then have the filtering service reject email from everywhere else.

The key thing here is to have the messages blocked at the filtering service, as blocking it on Exchange is too late - a waste of bandwidth.

Simon.
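The accepted solution is a policy: publish SPF for your own domain and have the filtering service reject anything that claims your domain in MAIL FROM but does not come from a host the record authorises. The following is an added illustration of that policy, not code from the thread or from any filtering product. It evaluates a minimal subset of SPF (ip4, ip6, include and the all qualifiers) against a constructed in-memory table standing in for DNS TXT lookups; the domains and addresses are hypothetical documentation values, and mechanisms that need live DNS (a, mx, exists) are deliberately not modelled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains and
# documentation-range addresses; a real filter queries DNS instead).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, records=SPF_RECORDS):
    """Return the SPF TXT record for a domain, or None if it has none."""
    txt = records.get(domain.lower())
    if txt is None or not txt.startswith("v=spf1"):
        return None
    return txt


def check_spf(client_ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate the connecting IP against the domain's SPF record.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (unsupported mechanism or too many nested includes).
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only when the referenced record yields pass
            matched = check_spf(client_ip, arg, records, depth + 1) == "pass"
        else:
            # a, mx, exists, ptr and macros need live DNS; not modelled here
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no term matched and no explicit "all"


def filter_decision(client_ip, mail_from, own_domain, records=SPF_RECORDS):
    """The accepted answer's rule, applied at the inbound filtering service:
    mail claiming our own domain in MAIL FROM is accepted only on SPF pass;
    everything else claiming our domain is rejected before reaching Exchange.
    Mail from other domains is left to normal spam scoring."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if domain != own_domain.lower():
        return "accept"
    return "accept" if check_spf(client_ip, domain, records) == "pass" else "reject"


if __name__ == "__main__":
    # A spoofed message using the shared address from an outside host
    print(filter_decision("192.0.2.5", "shared@example.com", "example.com"))
    # The same address sent from an authorised relay
    print(filter_decision("203.0.113.7", "shared@example.com", "example.com"))
```

The point of the rule is the last sentence of the accepted answer: the decision happens at the filtering service, so a message spoofing the shared address from an unlisted host is refused at the perimeter instead of being delivered to the mailbox and only then scored. Whitelisting your own domain at that same service, as the answer warns, would bypass exactly this check.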