Originating Access to OWA and then SPAM

We had an Account password guessed/found out. That email was then set up to send out 1000's of emails with a link to click in them. SPAM

Is it possible in Exchange to get the originating address that accessed the OWA Account?
Peter Andersen, Senior System Analyst, Asked:

Sean, System Engineer, Commented:
All information about an email is in the message header.
Daryl Gawn, System Administrator, Commented:
What version of Exchange? If 2010, check the OWA log C:\inetpub\logs\LogFiles\W3SVC1 on your client access server; if you have more than one client access server, check all of them.

Any decent attack would have hidden their origin, though, or could have been via a VPN etc.

As Sean mentioned above, all the info of the email should be in the header, but if they logged in via OWA it will just say it was sent from your organisation.

Your network team might have other logs, like firewall logs, that could assist too.

Jeff Glover, Sr. Systems Administrator, Commented:
The OWA logs are the place to start but if your Exchange server is behind a NAT firewall, it will only tell you if it is outside or in. Best bet from there is if your firewall has logging or a syslog server. However, as a veteran of many Forensic investigations, be prepared for a lot of digging.
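An added example (not from any of the posters) of the log review described in the answers above: it reads IIS W3C log lines such as those under W3SVC1, keeps the OWA requests made as one account, and summarises them by client IP, flagging RFC 1918 addresses where the log only shows a NAT or proxy hop. The account name, addresses and log lines are constructed samples, and usernames are assumed to be logged as `DOMAIN\user` or `user`.

```python
import ipaddress

# Constructed sample in IIS W3C extended format (not real log data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2014-03-02 01:10:11 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.45 Mozilla/5.0 302
2014-03-02 01:10:12 10.0.0.5 GET /owa/ - 443 CONTOSO\\jdoe 203.0.113.45 Mozilla/5.0 200
2014-03-02 01:15:40 10.0.0.5 POST /owa/ev.owa - 443 CONTOSO\\jdoe 203.0.113.45 Mozilla/5.0 200
2014-03-02 08:02:03 10.0.0.5 GET /owa/ - 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/4.0 200
2014-03-02 08:05:00 10.0.0.5 GET /owa/ - 443 CONTOSO\\asmith 198.51.100.9 Mozilla/5.0 200
"""

# A c-ip in these ranges means the log recorded an internal hop (NAT, proxy,
# load balancer), so the real origin has to come from firewall logs instead.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def owa_sources(lines, account):
    """Summarise authenticated OWA requests for one account by client IP."""
    fields, out = [], {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the header can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        user = row.get("cs-username", "-").split("\\")[-1].lower()
        stem = row.get("cs-uri-stem", "").lower()
        if user != account.lower() or not stem.startswith("/owa"):
            continue
        ip = row["c-ip"]
        stamp = row["date"] + " " + row["time"]   # IIS logs these in UTC
        internal = any(ipaddress.ip_address(ip) in net for net in RFC1918)
        rec = out.setdefault(ip, {"hits": 0, "first": stamp, "last": stamp,
                                  "private": internal})
        rec["hits"] += 1
        rec["first"] = min(rec["first"], stamp)
        rec["last"] = max(rec["last"], stamp)
    return out


if __name__ == "__main__":
    for ip, rec in owa_sources(SAMPLE_LOG.splitlines(), "jdoe").items():
        print(ip, rec)
```

With more than one client access server, concatenate the log files from each server before passing the lines in.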
Peter Andersen, Senior System Analyst, Author Commented:
I think we will just chalk this one up as Experience and not try to find the Source. We have:
    - Blocked the Firewall Ports as best we can
    - Deleted all the messages
    - Made new User Accounts for those broken into
    - Got everyone to improve their Passwords

In a matter of about 7 hours we figure one Account sent out over 100,000 emails.

I am gonna ask on here: What is the best practice for setting up a rule to limit users to a set number of emails/hour?
Peter Andersen, Senior System Analyst, Author Commented:
See my last comment.