Originating Access to OWA and then SPAM

We had an Account password guessed/found out. That email was then set up to send out 1000s of emails with a link to click in them. SPAM

Is it possible in Exchange to get the originating address that accessed the OWA Account?
Peter Andersen, Senior System Analyst, Asked:
 
Daryl Gawn, System Administrator, Commented:
What version of Exchange? If 2010, check the OWA log in C:\inetpub\logs\LogFiles\W3SVC1 on your Client Access server; if you have more than one Client Access server, check all of them.

Any decent attack would have hidden their origin though, or could have been via a VPN etc.

As Sean mentioned above, all the info of the email should be in the header, but if they logged in via OWA it will just say it was sent from your organisation.

Your network team might have other logs, like firewall logs, that could assist too.
0
 
Sean, System Engineer, Commented:
All information about an email is in the message header.
0
 
Jeff Glover, Sr. Systems Administrator, Commented:
The OWA logs are the place to start but if your Exchange server is behind a NAT firewall, it will only tell you if it is outside or in. Best bet from there is if your firewall has logging or a syslog server. However, as a veteran of many Forensic investigations, be prepared for a lot of digging.
0
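The log review suggested in the comments above, as an added example that is not part of anyone's post: it reads IIS W3C log lines such as those in the W3SVC1 folder, follows the `#Fields` header, and lists the client IPs behind authenticated `/owa` requests for one account. The sample log, the account `jdoe` and the `10.0.0.0/8` internal range are constructed assumptions; an address inside that range means the request came from inside or through NAT, so the real origin has to come from firewall logs.

```python
import ipaddress

# Constructed sample in IIS W3C extended format (not from the thread).
# Account name and addresses are made up; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2013-05-01 08:01:10 POST /owa/auth.owa - 203.0.113.77 302
2013-05-01 08:01:12 GET /owa/ EXAMPLE\jdoe 203.0.113.77 200
2013-05-01 08:02:40 POST /owa/ev.owa EXAMPLE\jdoe 203.0.113.77 200
2013-05-01 09:15:03 GET /owa/ EXAMPLE\asmith 10.0.0.1 200
2013-05-01 09:30:00 GET /owa/ jdoe@example.com 10.0.0.1 200
2013-05-01 09:31:00 POST /EWS/Exchange.asmx EXAMPLE\jdoe 10.0.0.1 200
2013-05-01 09:32 GET /owa/ EXAMPLE\jdoe
"""

def owa_sources(lines, account, internal_net="10.0.0.0/8"):
    """Summarise client IPs of authenticated OWA requests made as `account`."""
    net = ipaddress.ip_network(internal_net)
    fields, found = [], {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # can reappear mid-file with a new layout
            continue
        parts = line.split(" ")
        if not line or line.startswith("#") or len(parts) != len(fields):
            continue  # directive, blank or truncated row
        row = dict(zip(fields, parts))
        # cs-username may be DOMAIN\user, user@domain or "-" (anonymous)
        user = row.get("cs-username", "-").split("\\")[-1].split("@")[0]
        if user.lower() != account.lower():
            continue
        if not row.get("cs-uri-stem", "").lower().startswith("/owa"):
            continue
        ip, stamp = row.get("c-ip", "-"), f'{row.get("date")} {row.get("time")}'
        try:
            behind_nat = ipaddress.ip_address(ip) in net
        except ValueError:
            behind_nat = False
        e = found.setdefault(ip, {"hits": 0, "first": stamp, "last": stamp,
                                  "internal": behind_nat})
        e["hits"] += 1
        e["first"], e["last"] = min(e["first"], stamp), max(e["last"], stamp)
    return found

if __name__ == "__main__":
    for ip, info in owa_sources(SAMPLE_LOG.splitlines(), "jdoe").items():
        print(ip, info)
```

IIS writes these timestamps in UTC by default, which matters when lining the first and last hits up against firewall or syslog records.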
 
Peter Andersen, Senior System Analyst, Author Commented:
Thanks....
I think we will just chalk this one up as Experience and not try to find the Source. We have:
- Blocked the Firewall Ports as best we can
- Deleted all the messages
- Made new User Accounts for those broken into.
- Got everyone to improve their Passwords.

In a matter of about 7 hours we figure one Account sent out over 100,000 emails.

I am gonna ask on here: What is the best practice for setting up a rule to limit users to a set number of emails/hour?
0

Peter Andersen, Senior System Analyst, Author Commented:
See my last comment.
0
Question has a verified solution.
