How can we tell which user account sent an email in Exchange 2010?

We have Exchange 2010 as part of Small Business Server 2011.  Every night there is a period of around 12 hours where spam is being relayed through the server, but it is not configured as an open relay so the sender must be authenticating using an AD account.  The Message Tracking function of Exchange shows details of the messages (to, from, subject, sender IP, etc.) but not which user account authenticated to send it.

How can we determine which user account is affected, so we can disable it and/or change the password?
Asked by David Haycox (Consultant Engineer):
zvitam (Consultant) commented:
Check the transport permissions granted to the Anonymous Logon account, which every unauthenticated session uses when it talks to Exchange.

You can use the following PowerShell command to remove this permission:

Get-ReceiveConnector "My Internet ReceiveConnector" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

Hope that helps,
Zvitam.
0
timgreen7077 (Exchange Engineer) commented:
Is the spam being sent internally, or is it leaving the Exchange server outbound? If it's being sent internally and you have one of the emails, I would suggest looking at the email header and checking the Originating IP; that can tell you which computer in your network it came from. You can also search the Exchange message tracking logs by subject and see what sending address sent the email.
0
David Haycox (Consultant Engineer, Author) commented:
Yes, we know what the sending address is, and the originating IP.  It's outside the network though, so we think the spammer is authenticating using an AD account - and so we want to find out which account it is so we can disable it or change the password.

In any case we are going to reset all passwords, and also lock down incoming SMTP traffic on the firewall so it is only permitted from the email host's IP addresses.
0
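The thread has established that message tracking shows the sender address and IP but not the authenticating account. As an added example (not from anyone in this thread), the script below reads an Exchange 2010 SMTP receive protocol log, which records the AUTH LOGIN exchange once protocol logging is enabled on the receive connector (Set-ReceiveConnector -ProtocolLoggingLevel Verbose), and joins the decoded AUTH LOGIN username to the session's remote IP and the mail it went on to submit. The log text is constructed; the connector name, session id, addresses and account are made up, and it is assumed the client's base64 username reply is recorded rather than masked.

```python
import base64
import csv
from collections import defaultdict

USERNAME_CHALLENGE = "334 VXNlcm5hbWU6"  # base64("Username:"), the server's AUTH LOGIN prompt

# Constructed sample of an Exchange 2010 SMTP receive protocol log (verbose level).
# The "#Fields:" layout is the real one; session, endpoints and account are invented.
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-03-04T01:12:03.120Z,SBS\\Default SBS,08CFE1AA0D0B5F3A,1,10.0.0.5:25,203.0.113.77:51422,<,AUTH LOGIN,
2013-03-04T01:12:03.121Z,SBS\\Default SBS,08CFE1AA0D0B5F3A,2,10.0.0.5:25,203.0.113.77:51422,>,334 VXNlcm5hbWU6,
2013-03-04T01:12:03.200Z,SBS\\Default SBS,08CFE1AA0D0B5F3A,3,10.0.0.5:25,203.0.113.77:51422,<,amRvZQ==,
2013-03-04T01:12:03.201Z,SBS\\Default SBS,08CFE1AA0D0B5F3A,4,10.0.0.5:25,203.0.113.77:51422,>,334 UGFzc3dvcmQ6,
2013-03-04T01:12:03.300Z,SBS\\Default SBS,08CFE1AA0D0B5F3A,5,10.0.0.5:25,203.0.113.77:51422,<,<password line omitted>,
2013-03-04T01:12:03.350Z,SBS\\Default SBS,08CFE1AA0D0B5F3A,6,10.0.0.5:25,203.0.113.77:51422,>,235 2.7.0 Authentication successful,
2013-03-04T01:12:03.400Z,SBS\\Default SBS,08CFE1AA0D0B5F3A,7,10.0.0.5:25,203.0.113.77:51422,<,MAIL FROM:<promo@example.net>,
2013-03-04T01:12:03.450Z,SBS\\Default SBS,08CFE1AA0D0B5F3A,8,10.0.0.5:25,203.0.113.77:51422,<,RCPT TO:<a@example.org>,
2013-03-04T01:12:03.460Z,SBS\\Default SBS,08CFE1AA0D0B5F3A,9,10.0.0.5:25,203.0.113.77:51422,<,RCPT TO:<b@example.org>,
"""


def authenticated_senders(log_text):
    """Per session: remote IP, decoded AUTH LOGIN user, whether auth succeeded, recipient count."""
    sessions = defaultdict(lambda: {"remote": None, "user": None, "auth_ok": False, "rcpt": 0})
    expect_user = set()  # sessions whose next client line is the base64 username
    rows = csv.reader(line for line in log_text.splitlines() if not line.startswith("#"))
    for row in rows:
        if len(row) < 8:
            continue
        sid, remote, event, data = row[2], row[5], row[6], row[7]
        s = sessions[sid]
        s["remote"] = remote.rsplit(":", 1)[0]  # strip the client port
        if event == ">" and data == USERNAME_CHALLENGE:
            expect_user.add(sid)
        elif event == "<" and sid in expect_user:
            expect_user.discard(sid)
            try:
                s["user"] = base64.b64decode(data, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError
                s["user"] = "<undecodable>"
        elif event == ">" and data.startswith("235 "):
            s["auth_ok"] = True
        elif event == "<" and data.upper().startswith("RCPT TO:"):
            s["rcpt"] += 1
    return dict(sessions)


def suspects(log_text, min_rcpt=1):
    """Authenticated sessions that went on to submit mail: the accounts to disable or reset."""
    return sorted((s["user"], s["remote"], s["rcpt"])
                  for s in authenticated_senders(log_text).values()
                  if s["auth_ok"] and s["rcpt"] >= min_rcpt)
```

Run suspects() over the night's log files and group by user to see which account is being abused; a successful 235 response with no matching RCPT lines is a login probe rather than relayed mail.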
timgreen7077 (Exchange Engineer) commented:
You don't have to authenticate with AD to send spam. What kind of spam filtering are you using at the perimeter? If you don't have some type of spam and malware filtering at the perimeter, you will get all kinds of junk.
0
David Haycox (Consultant Engineer, Author) commented:
Sorry, I wasn't clear.  The incoming spam is not destined for internal users; the spammer is using the server as a relay (email is coming from outside the organisation and is being sent to destinations outside the organisation).
0
timgreen7077 (Exchange Engineer) commented:
Oh ok, by default Exchange is not an open relay. The default receive connectors created by Exchange are secure. If you created a custom relay connector for things like applications or printers to relay, then that needs to be set up correctly, making sure that only select IPs can relay via that connector.
I would suggest creating a GPO to block port 25 from all desktops. This happened once to us and that is what I did, because desktops using Outlook don't send via port 25, so if this is coming from a desktop, port 25 will be blocked.
0
timgreen7077 (Exchange Engineer) commented:
Here is how I set up the GPO in my lab to block port 25, and I used this same process in our production environment. I'm almost sure you don't have an open relay in Exchange. See attachment for GPO setup.
How-to-Create-a-Block-TCP-25-IPSec-.docx
0
David Haycox (Consultant Engineer, Author) commented:
That's great, thanks!
0
timgreen7077 (Exchange Engineer) commented:
Sure thing. Good luck, and that should fix your issue.
0