How can we tell which user account sent an email in Exchange 2010?

We have Exchange 2010 as part of Small Business Server 2011.  Every night there is a period of around 12 hours where spam is being relayed through the server, but it is not configured as an open relay so the sender must be authenticating using an AD account.  The Message Tracking function of Exchange shows details of the messages (to, from, subject, sender IP, etc.) but not which user account authenticated to send it.

How can we determine which user account is affected, so we can disable it and/or change the password?
David Haycox asked:
timgreen7077 (Exchange Engineer) commented:
Here is how I set up the GPO in my lab to block port 25, and I used this same process in our production environment. I'm almost sure you don't have an open relay in Exchange. See attachment for GPO setup.
Attachment: How-to-Create-a-Block-TCP-25-IPSec-.docx
zvitam (Consultant) commented:
Check Transport permission from the anonymous logon account that all unauthenticated sessions will use during the session with Exchange.

You can use the following PowerShell command to remove this permission:

Get-ReceiveConnector "My Internet ReceiveConnector" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" | Where-Object {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

Hope that helps,
Zvitam.
timgreen7077 (Exchange Engineer) commented:
Is the spam being sent internally, or is it leaving the Exchange server outbound? If it's being sent internally, and you have one of the emails, I would suggest looking at the email header and seeing the Originating IP; that can tell you what computer in your network it came from. Also, you can use the Exchange message tracking logs and search by subject to see what sending address sent the email.
David Haycox (Author) commented:
Yes, we know what the sending address is, and the originating IP.  It's outside the network though, so we think the spammer is authenticating using an AD account - and so we want to find out which account it is so we can disable it or change the password.

In any case we are going to reset all passwords, and also lock down incoming SMTP traffic on the firewall so it is only permitted from the email host's IP addresses.
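Exchange 2010 message tracking records the sender address and IP but not the account that passed SMTP AUTH, so the place to look is the receive connector protocol log, which writes one "authenticated" line per session carrying the account name. The following script is an added example, not code from this thread or from Microsoft: it assumes verbose protocol logging has already been turned on (Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLoggingLevel Verbose), that the logs live in the Exchange 2010 default SmtpReceive folder, and that each log line follows the "#Fields:" header (date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context). The $SuspectIp parameter is a hypothetical filter for the sender IP already seen in Message Tracking; it is written for the PowerShell 2.0 shipped with SBS 2011.

```powershell
# Added example (not from the original thread): list which AD accounts authenticated
# to the Hub Transport receive connectors, from which IPs, and how many RCPT TO
# commands each session issued, so a hijacked relaying account stands out.
param(
    # Exchange 2010 default RECV log folder; change if ProtocolLogPath was customised.
    [string]$LogDir = 'C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive',
    # Optional (hypothetical) filter: the sender IP reported by Get-MessageTrackingLog.
    [string]$SuspectIp = ''
)

# Column names as given in the '#Fields:' header of every RECV*.LOG file.
$fields = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'

function Get-RemoteIp([string]$endpoint) {
    # remote-endpoint is 'ip:port'; strip the port from the right so IPv6 literals survive.
    $i = $endpoint.LastIndexOf(':')
    if ($i -gt 0) { $endpoint.Substring(0, $i) } else { $endpoint }
}

# Read every log file, skip the '#' header lines, parse the rest as CSV.
$rows = Get-ChildItem -Path $LogDir -Filter 'RECV*.LOG' | ForEach-Object {
    Get-Content $_.FullName |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Header $fields
}

# Pass 1: one record per session that completed SMTP AUTH.
# The 'authenticated' context line carries the account (e.g. DOMAIN\user) in 'data'.
$sessions = @{}
foreach ($r in $rows) {
    if ($r.context -eq 'authenticated') {
        $sessions[$r.'session-id'] = New-Object PSObject -Property @{
            SessionId  = $r.'session-id'
            User       = $r.data
            RemoteIp   = Get-RemoteIp $r.'remote-endpoint'
            Connector  = $r.'connector-id'
            When       = $r.'date-time'
            Recipients = 0
        }
    }
}

# Pass 2: count client RCPT TO commands ('<' = received from client) per authenticated session.
foreach ($r in $rows) {
    $id = $r.'session-id'
    if ($r.event -eq '<' -and $r.data -match '^RCPT TO:' -and $sessions.ContainsKey($id)) {
        $sessions[$id].Recipients += 1
    }
}

$result = $sessions.Values
if ($SuspectIp) { $result = $result | Where-Object { $_.RemoteIp -eq $SuspectIp } }

# Summary per account: sessions, total recipients, and the source IPs seen.
$result | Group-Object User | ForEach-Object {
    New-Object PSObject -Property @{
        User       = $_.Name
        Sessions   = $_.Count
        Recipients = ($_.Group | Measure-Object Recipients -Sum).Sum
        RemoteIps  = ($_.Group | Select-Object -ExpandProperty RemoteIp -Unique) -join ', '
    }
} | Sort-Object Recipients -Descending | Format-Table User, Sessions, Recipients, RemoteIps -AutoSize
```

Save it as a .ps1 and run it from the Exchange Management Shell after at least one night of verbose logging; the account at the top of the table with an outside RemoteIp and a large recipient count is the one to disable and reset. Because the log is per session, the same script also shows whether more than one account is involved, which a single password reset would miss.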
timgreen7077 (Exchange Engineer) commented:
You don't have to authenticate with AD to send spam. What kind of spam filtering are you using at the perimeter? If you don't have some type of spam and malware filtering at the perimeter, you will get all kinds of junk.
David Haycox (Author) commented:
Sorry, I wasn't clear.  The incoming spam is not destined for internal users; the spammer is using the server as a relay (email is coming from outside the organisation and is being sent to destinations outside the organisation).
timgreen7077 (Exchange Engineer) commented:
Oh ok, by default Exchange is not an open relay. The default receive connectors created by Exchange are secure. If you created a custom relay connector for things like applications or printers to relay, then that needs to be set up correctly, making sure that only select IPs can relay via that connector.
I would suggest creating a GPO to block port 25 from all desktops. This happened once to us and that is what I did, because desktops using Outlook don't send via port 25, so if this is coming from a desktop, port 25 will be blocked.
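The advice above boils down to two settings on each receive connector: how wide RemoteIPRanges is, and whether Anonymous Logon holds the ms-Exch-SMTP-Accept-Any-Recipient right (the permission that turns a connector into an open relay). This audit script is an added example, not code from the thread, and only reads configuration; it uses Get-ReceiveConnector and Get-ADPermission from the Exchange Management Shell and assumes PowerShell 2.0 on SBS 2011.

```powershell
# Added example (not from the original thread): one row per receive connector showing
# the settings that matter for relaying, so a misconfigured custom relay connector is
# visible at a glance. Read-only; nothing is changed.
Get-ReceiveConnector | ForEach-Object {
    $rc = $_

    # Relay is open to the listed RemoteIPRanges only if Anonymous Logon has the
    # Accept-Any-Recipient extended right and it is an Allow entry, not a Deny.
    $anonRelay = Get-ADPermission -Identity $rc.Identity -User 'NT AUTHORITY\Anonymous Logon' |
        Where-Object { -not $_.Deny -and $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' }

    New-Object PSObject -Property @{
        Connector      = $rc.Identity
        Bindings       = ($rc.Bindings | ForEach-Object { $_.ToString() }) -join ', '
        RemoteIPRanges = ($rc.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ', '
        # PermissionGroups is a flags value; 'AnonymousUsers' means unauthenticated SMTP is accepted.
        AnonymousUsers = ([string]$rc.PermissionGroups) -match 'AnonymousUsers'
        AuthMechanism  = [string]$rc.AuthMechanism
        AnonymousRelay = [bool]$anonRelay
        ProtocolLog    = [string]$rc.ProtocolLoggingLevel
    }
} | Format-Table Connector, RemoteIPRanges, AnonymousUsers, AnonymousRelay, AuthMechanism, ProtocolLog -AutoSize
```

A connector with AnonymousRelay set to True and RemoteIPRanges covering the whole internet (0.0.0.0-255.255.255.255) is an open relay regardless of authentication; a relay connector for printers or applications should list only their addresses. The ProtocolLog column also shows which connectors still have logging at None, which is why message tracking alone could not answer the original question.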
David Haycox (Author) commented:
That's great, thanks!
timgreen7077 (Exchange Engineer) commented:
Sure thing. Good luck, and that should fix your issue.