20 March 2012 14:23
We just switched to FOPE (previously used M+ from Messaging Architects) and are
using Exchange 2010 SP1 with the latest rollup. I have two Edge Transport
servers with FPE installed and I have FPE installed on my Hub Transport servers
(without the SPAM feature enabled). Currently, I am not sending email back
outbound through FOPE. I am still testing that part.
I was surprised to find out that Microsoft does not have
the ability to determine which user account is compromised and can only tell
you the IP of the server (which is always one of the Edge Servers). Today I am researching
how or what is the best way to track down an offending account that has been compromised,
say via a phishing incident.
How do most of you track down a compromised account in your
3 April 2012 15:25
Well, I guess I will delete this post since no one has any answers. Interesting...
3 April 2012 17:54
"How do most of you track down a compromised account in your organization?"
We use IronPort. LOL It sits behind FOPE and catches what FOPE cannot. It also has much more robust message tracking and reporting.
3 April 2012 21:19
Guess you are using FOPE for testing purposes? :-)
I am curious how most admins deal with accounts that have been compromised since all you get out of FOPE is the IP number of the server that SPAM is coming from. I am still amazed that there isn't a simpler way than wading through tons of logs in search of one account... :-(
9 May 2012 17:22
There are actually ways to accomplish most of this to some extent.
Note: This will require that you are using FOPE to route your outbound mail. By doing so, you can set up a BCC of suspicious mail to a specific administrator or mail reviewer.
To do this, simply click the Administration Tab in the Administration Center and select the domain you wish to set this up on. Under domain settings (left side) click Edit beside Preferences, enable outbound filtering and fill out the "BCC all suspicious outbound e-mails to the following e-mail address" field. What this will do is provide the recipient a copy of anything FOPE's filtering servers find to be suspicious/spam-like. In addition, it will be routed through a special group of servers in order to minimize the possible impact of blacklisting/greylisting on legitimate mail.
Although you will not be able to generate a report that states specifically which mailboxes have been compromised, you can get total counts of mail that was deemed suspicious, as well as a list of your top senders. If a sender is especially high, you can probably bet they were compromised.
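The "top senders" approach described above can also be done on the Exchange side, where the sending account is known, rather than only from FOPE's reports. The following PowerShell is an added example, not code from anyone in this thread or from Microsoft: it runs in the Exchange 2010 Management Shell and uses the real Get-MessageTrackingLog cmdlet to rank senders by outbound message volume across the Hub Transport servers, which is where a compromised mailbox's mail leaves for the Edge servers. The server names HUB01/HUB02, the 24-hour window and the 500-message threshold are placeholders and assumptions, not values from the thread.

```powershell
# Added example (not from the thread): rank senders by outbound volume using
# Exchange 2010 message tracking logs on the Hub Transport servers.
# Assumptions (not stated in the thread): Hub servers are named HUB01/HUB02
# (placeholders), and a sender is worth a closer look above an arbitrary
# threshold of 500 messages in the look-back window. Run in the Exchange
# Management Shell (PowerShell 2.0-compatible syntax).
param(
    [string[]]$HubServers = @('HUB01', 'HUB02'),   # placeholder server names
    [int]$HoursBack = 24,
    [int]$Threshold = 500
)

$start = (Get-Date).AddHours(-$HoursBack)
$end   = Get-Date

# SEND events record a message handed to the next hop (here: Edge, then FOPE),
# regardless of whether it was submitted via Outlook, OWA or ActiveSync.
$events = foreach ($srv in $HubServers) {
    Get-MessageTrackingLog -Server $srv -Start $start -End $end `
        -EventId SEND -ResultSize Unlimited |
        Select-Object Timestamp, Sender, ClientIp, ConnectorId,
            @{ Name = 'RecipientCount'; Expression = { $_.Recipients.Count } }
}

# Aggregate per sender: message count, total recipients, first seen, source IPs.
$summary = $events |
    Group-Object Sender |
    ForEach-Object {
        $group = $_.Group
        New-Object PSObject -Property @{
            Sender     = $_.Name
            Messages   = $_.Count
            Recipients = ($group | Measure-Object RecipientCount -Sum).Sum
            FirstSeen  = ($group | Sort-Object Timestamp | Select-Object -First 1).Timestamp
            ClientIPs  = (($group | ForEach-Object { $_.ClientIp }) | Sort-Object -Unique) -join ','
        }
    } |
    Sort-Object Messages -Descending

# Show the top 20 senders for a quick look at who stands out.
$summary | Select-Object -First 20 Sender, Messages, Recipients, FirstSeen, ClientIPs |
    Format-Table -AutoSize

# Save the senders over the threshold for follow-up (password reset,
# checking the account's recent logons, reviewing forwarding rules).
$summary | Where-Object { $_.Messages -gt $Threshold } |
    Export-Csv -Path .\suspicious-senders.csv -NoTypeInformation
```

A sudden jump in Messages or Recipients for one account, especially from a client IP the user does not normally use, is the signal the post above describes; the CSV gives a starting list without wading through the raw log files by hand.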
14 May 2012 17:17
Thanks for the response. We have been sending outbound for about a month now and I do have the BCC enabled. Currently I am having an issue where we are getting hit with anywhere between 45GB and 70GB of email through one connection. I don't think this email is getting into the Exchange environment. However, it's driving me nuts because I can't track it down. I have an F5 in place and am in the process of setting up SNAT, so hopefully this will help ID the offending account. Again, I am totally amazed at the lack of simple tools to track this stuff.