Remove From My Forums

Determining Email Source

Question
0

Sign in to vote

I have an Exchange 2010 installation and I have a bit of a problem. There is an email being sent from my Exchange box to a particular ip address very frequently. I can see the connection on my firewall logs and it appears in WireShark on the Exchange box. The problem is that I have no idea where it is originating from. The WireShark capture shows only binary data so I have no idea what it is. I am assuming it is a virus of some sort but I can find no viruses on my network.

Is there any way of determining which app it is coming from? Since it is going out on port 25, I am assuming that Exchange is the source but I really don't know.

Thanks

Friday, October 3, 2014 7:12 PM

Answers

0

Sign in to vote
Hi,

Based on my knowledge, some captures are seen in Wireshark and not in NetMon. More details to see following thread:

Wireshark v.s NetMon

https://social.msdn.microsoft.com/Forums/windowsdesktop/en-us/86c8614c-d0f1-42d0-814c-e85529964861/wireshark-vs-netmon?forum=netmon

According to your description, it seems you are suffering Spoof.

If it is the case, I suggst enable Anti-Spam and Anti-Malware. Also suggest configure SPF record. More details to see:

Description of Sender Policy Framework (SPF) records

http://support.microsoft.com/kb/2640313

Thanks
Mavis Huang
TechNet Community Support
- Marked as answer by Mavis_HuangModerator Wednesday, October 22, 2014 2:54 AM
Monday, October 20, 2014 6:01 AM

Moderator

All replies

0

Sign in to vote

You may have a look at Exchange Server User Monitor tool if it can help you. Down load it from here: http://www.microsoft.com/en-us/download/details.aspx?id=11461
Regards from ExchangeOnline.in|Windows Administrator Area | Skype:manuphilip@outlook.com

Friday, October 3, 2014 7:27 PM
0

Sign in to vote

Thanks for the link. I installed Exmon and tried it but I see no email movement through it. WireShark showed me a connection to that ip address but Exmon reported nothing.

As a test, I created and sent an email from my AD user through Exchange to an outside email server. Exmon didn't report that email, either. I saw it go with WireShark, but nothing in Exmon.

Saturday, October 4, 2014 3:01 AM
0

Sign in to vote
Hi,

Based on my knowledge, some captures are seen in Wireshark and not in NetMon. More details to see following thread:

Wireshark v.s NetMon

https://social.msdn.microsoft.com/Forums/windowsdesktop/en-us/86c8614c-d0f1-42d0-814c-e85529964861/wireshark-vs-netmon?forum=netmon

According to your description, it seems you are suffering Spoof.

If it is the case, I suggst enable Anti-Spam and Anti-Malware. Also suggest configure SPF record. More details to see:

Description of Sender Policy Framework (SPF) records

http://support.microsoft.com/kb/2640313

Thanks
Mavis Huang
TechNet Community Support
- Marked as answer by Mavis_HuangModerator Wednesday, October 22, 2014 2:54 AM
Monday, October 20, 2014 6:01 AM

Moderator