Solved

View the computer name that sent an email in exchange 2007

Posted on 2015-02-19
Last Modified: 2015-04-09
We have a shared mailbox that sent out a lot of spam and need to determine which computer actually sent out the spam. Not sure if there is a way to set up specific diagnostic logging to have it show the computer.

I looked through the message tracking logs, but they just show that it was sent from the shared mailbox account. We have 4 or 5 users that have access to that account and are in the process of scanning those computers individually for viruses, etc. But we want to know if we could track down the culprit from the Exchange server logs or possibly another way.

Thanks.
Question by:tiptechs

Expert Comment

by:Will Szymkowski
In order to get this kind of logging you need to configure Diagnostic Logging on the server.
https://technet.microsoft.com/en-us/library/bb201668%28v=exchg.80%29.aspx

Is your mailbox sending externally? What you can do is block port 25 and then check your firewall to see who is continually sending email and from what machine.

I do not believe Diagnostic Logging shows the computer names/IPs where the email was sent from. Even if it does, it will only show logging for email that is sent after it is enabled. Your perimeter firewall would be a better option.

Will.

Expert Comment

by:Simon Butler (Sembee)
That information isn't logged by Exchange.
Even if it was available, you wouldn't be able to find the information if you don't have it already as you cannot retrospectively log things.

The most you can log is authentication attempts at the domain level, but that will not tell you which machine sent the email, as the access is logged, not the action.

Do you see the spam in the Sent Items folder of the mailbox? It is VERY unusual for an Exchange mailbox to directly send spam. Much easier for the compromised machine to send spam directly using SMTP.

Simon.

Author Comment

by:tiptechs
The spam would have been generated on a client PC via a virus and sent through the shared mail account within Outlook.

I understand that we wouldn't be able to go back and look after changing the logging, but for the future I wasn't sure if there was an option.

Thanks.

Expert Comment

by:Simon Butler (Sembee)
"the spam would have been generated on a client pc via a virus and sending through the shared mail account within outlook. "

That is unusual behaviour. Malware rarely does that, because it leaves a huge trail which it doesn't want to do. In fact I don't think I have seen malware send email through Exchange/Outlook for a number of years.

If you can find no trace of the messages in sent items then it was NOT sent through Exchange.

Simon.

Author Comment

by:tiptechs
Thanks Simon.  I believe you are right.  We found the issue coming in from the outside on the spam filter (which was making it through) using the shared address.

Can you think of a good way to prevent this on Exchange, or is this something the spam filter should have caught?

Accepted Solution

by:Simon Butler (Sembee) earned 500 total points
If you mean the From line was an address in your own domain, then the spam filter should have caught that and at least flagged it. However a lot of sites will whitelist their own domain, which is why spammers use them as the from field.

The other option for blocking it, again by using your filtering service, is to configure SPF records for your own domain and then have the filtering service reject email from everywhere else.

The key thing here is to have the messages blocked at the filtering service, as blocking it on Exchange is too late - a waste of bandwidth.

Simon.