No record of an email sent, but can find it in the tracking log

  • Thursday, May 31, 2012 5:14 PM

    Hey everyone,

    Got something really weird going on. Was notified this morning at 0400 that forefront detected a virus, on one of my staff's mailboxes. See below…

    Microsoft Forefront Protection for Exchange Server has detected a virus.


        Virus name:  "Trojan-Ransom.Win32.Gimemo.txy"

        File name:  "Kundigung.zip"

        State:  "Removed"

        Subject line:  "Deine Bestellung bei Flirt-Fever Peter Mller"

        Sender:  "XXXXXXXXXX.sdccd.edu"

        Scan job:  "Transport"

        Location:  "sdccd//XXXXX (SMTP Messages)"

    We are an Exchange 2010 SP2 RU2 shop: 3 CAS, 2 Hub, 3 MBX in a DAG and 2 public folder servers with about 5000 mailboxes. I then changed the AD account password, did a tracking log search in the EMC and found the emails, but when I logged into the mailbox in question I could not find the emails in Sent Items, Deleted Items or Recover Deleted Items. Did another EMC tracking search for the whole month of May and found some suspicious emails that were in German. Tried to find them in Deleted Items etc., did not, then did a discovery search, and here's the weird thing: they are not there either... have 30-day retention set.

    Could they disappear? I thought you can’t delete email with the single item recovery enabled.

    tiny
    • Edited by Tinyski Thursday, May 31, 2012 5:20 PM

All Replies

  • Friday, June 01, 2012 8:25 AM

    hi,

    >>>did a Track log search on the EMC found the emails

    This is the transport log; it isn't related to mail data. If the message has been delivered to your Exchange, it will be recorded in your tracking log.

    If you use discovery search and also can't find the message, I think it has been deleted from your Exchange; you never can find them.

    >>>I thought you can’t delete email with the single item recovery enabled.

    If the message age has exceeded 14 days, Exchange by default will delete it.

    Hope this can help you.

    thanks,


    CastinLu

    TechNet Community Support


    • Edited by Castinlu Friday, June 01, 2012 8:28 AM
  • Friday, June 01, 2012 4:20 PM

    Thanks for the reply. I think you misunderstand. I CAN find that the email was SENT in the transport log for the user but the email is NOT in the sent items, deleted items, recover deleted items, or the dumpster (discovery search).

    No mailboxes are in the default Archive and Retention policy or the ArbitrationMailbox policy. We have no other archive policy. Deletion settings on all mailbox databases are 30 days for deleted items.

    So how can it get deleted? Either I've got something misconfigured or someone is hacking... or there is a vulnerability that Microsoft is not aware of.

    tiny

  • Friday, June 01, 2012 5:05 PM

    I think I figured it out... by looking at the message ID of all messages, they are not from our system when a user sends an email. So I think they were authenticating to our server using the user's password and ID and sending out the email without touching the mailbox... now this brings up a whole new problem: how do they do that?

    Think it's really simple with the SMTP AUTH command...

    Our message ID:

    2F7A5AC29315BC43B24CA40107FEFDB20B00FD@XXXXX3.XXXX.loc

    Message ID of the spam:

    <CHILKAT-MID-69320420-5400-f7b2-cf8e-de93bd371389@server-etruria.etruria.local>
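    The Message-ID observation above, turned into a tracking-log triage check. This is an added example, not code from this thread or from Microsoft: it parses a constructed CSV export shaped like Get-MessageTrackingLog output and flags messages from internal senders whose Message-ID was not stamped by the org's own hub servers. Every domain, address, ID and IP below is a placeholder.

```python
import csv
import io
import re

# Constructed placeholders: the SMTP domain our users send from, and the
# AD/FQDN suffix our own Exchange servers stamp into Message-ID.
OUR_SMTP_DOMAINS = {"example-corp.edu"}
OUR_MSGID_DOMAINS = {"example-corp.loc"}

# Constructed sample export (Get-MessageTrackingLog | Export-Csv shape), not real data.
SAMPLE_TRACKING_CSV = """\
Timestamp,EventId,Source,Sender,Recipients,MessageSubject,MessageId,ClientIp
2012-05-31T03:58:12,RECEIVE,STOREDRIVER,alice@example-corp.edu,bob@example-corp.edu,Meeting notes,<9B1C0A@EXHUB3.example-corp.loc>,10.0.0.15
2012-05-31T04:01:44,RECEIVE,SMTP,alice@example-corp.edu,kunde@example.de,Deine Bestellung,<CHILKAT-MID-0001@server-one.external-host.local>,203.0.113.7
2012-05-31T04:01:50,SEND,SMTP,alice@example-corp.edu,kunde@example.de,Deine Bestellung,<CHILKAT-MID-0001@server-one.external-host.local>,
2012-05-31T04:03:02,RECEIVE,SMTP,alice@example-corp.edu,foo@example.de,Rechnung,bogus-no-at-sign,203.0.113.7
2012-05-31T09:12:00,RECEIVE,SMTP,partner@example.net,alice@example-corp.edu,Hello,<abc@mail.example.net>,198.51.100.9
"""

_MSGID_RE = re.compile(r"^<?[^@<>]+@([^>]+)>?$")


def msgid_domain(message_id):
    """Return the domain part of a Message-ID, or None if it is malformed."""
    m = _MSGID_RE.match(message_id.strip())
    return m.group(1).lower() if m else None


def is_internal_msgid(domain):
    """True when the Message-ID domain is one of our servers (exact or subdomain)."""
    return domain is not None and any(
        domain == d or domain.endswith("." + d) for d in OUR_MSGID_DOMAINS)


def find_suspicious_submissions(csv_text):
    """Flag RECEIVE events where an internal sender's message carries a Message-ID
    our servers did not generate. A message submitted over an authenticated SMTP
    session from an outside client keeps that client's Message-ID and never
    touches the mailbox, so it shows up here but not in Sent Items."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventId"] != "RECEIVE":
            continue
        sender_domain = row["Sender"].rsplit("@", 1)[-1].lower()
        if sender_domain not in OUR_SMTP_DOMAINS:
            continue  # inbound mail from outside legitimately has foreign Message-IDs
        domain = msgid_domain(row["MessageId"])
        if is_internal_msgid(domain):
            continue
        reason = "malformed-message-id" if domain is None else "foreign-message-id-domain"
        findings.append({"sender": row["Sender"], "client_ip": row["ClientIp"],
                         "message_id": row["MessageId"], "reason": reason})
    return findings
```

    Each finding carries the submitting ClientIp, so the next step is to correlate those addresses against the receive connector's protocol log to see which account authenticated from them.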

  • Monday, June 04, 2012 8:04 AM

    hi,

    >>>now this brings up a whole new problem how do they do that?

    I wonder where the message was delivered to? Another Exchange user of yours, or not your Exchange mailbox?

    Do you enable relay for some app or other mail system?

    Run the cmd: Get-ReceiveConnector | FL

    How many receive connectors do you have?

    Or I think someone used the telnet cmd to send a mail to your Exchange account.

    thanks,


    CastinLu

    TechNet Community Support

  • Monday, June 04, 2012 4:49 PM

    We only have a receive connector from external SMTP gateways, not to any other application.

    Yes, I tested it with the telnet command and it worked using the SMTP AUTH command in the SMTP conversation. They are not sending to us; they are bypassing the mailbox and sending it out to different persons in Germany.

  • Tuesday, June 05, 2012 1:45 AM

    hi,

    What's the address that you enter in RCPT TO when you use telnet? Do you have the mailbox that you send to in your org?

    thanks,


    CastinLu

    TechNet Community Support