Determining Email Source

Question
I have an Exchange 2010 installation and I have a bit of a problem. There is an email being sent from my Exchange box to a particular IP address very frequently. I can see the connection in my firewall logs and it appears in Wireshark on the Exchange box. The problem is that I have no idea where it is originating from. The Wireshark capture shows only binary data, so I have no idea what it is. I am assuming it is a virus of some sort, but I can find no viruses on my network.
Is there any way of determining which app it is coming from? Since it is going out on port 25, I am assuming that Exchange is the source, but I really don't know.
Thanks
Friday, October 3, 2014 7:12 PM
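The check the question is asking for, as an added example that is not part of the thread: attribute the outbound port-25 connection to a process, then, if that process is Exchange's own transport service, use message tracking to see which sender and connector produced the traffic. Assumptions: the destination IP is a placeholder (203.0.113.10), the script runs in an elevated Exchange Management Shell on the Exchange 2010 server itself, and for SEND tracking events the ServerIp field holds the remote SMTP host's address.

```powershell
# Added example, not from the thread. Assumes: the destination seen in the
# firewall log is 203.0.113.10 (placeholder), and this runs in an elevated
# Exchange Management Shell on the Exchange 2010 server itself.
$RemoteIp = '203.0.113.10'

# Map each live TCP connection to the remote host on port 25 to its owning
# process. netstat -ano is used because Get-NetTCPConnection does not exist
# on Windows Server 2008 R2, the usual host for Exchange 2010.
function Get-ConnectionOwner {
    param([string]$RemoteAddress, [int]$RemotePort = 25)
    netstat -ano | ForEach-Object {
        # Columns: Proto  Local Address  Foreign Address  State  PID
        if ($_ -match '^\s*TCP\s+(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            $local = $Matches[1]; $rHost = $Matches[2]; $rPort = [int]$Matches[3]
            $state = $Matches[4]; $owner = [int]$Matches[5]
            if ($rHost -eq $RemoteAddress -and $rPort -eq $RemotePort) {
                # Win32_Process exposes the image path and command line,
                # which Get-Process does not on PowerShell 2.0.
                $p = Get-WmiObject Win32_Process -Filter "ProcessId = $owner"
                New-Object PSObject -Property @{
                    Local = $local; Remote = "${rHost}:${rPort}"; State = $state
                    PID = $owner; Name = $p.Name; Path = $p.ExecutablePath
                    CommandLine = $p.CommandLine
                }
            }
        }
    }
}

# SMTP sessions are short, so a single netstat snapshot will usually miss
# the connection. Poll for a while and report the first sighting of each PID.
function Watch-ConnectionOwner {
    param([string]$RemoteAddress, [int]$Seconds = 600)
    $seen = @{}
    $until = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $until) {
        Get-ConnectionOwner -RemoteAddress $RemoteAddress | ForEach-Object {
            if (-not $seen.ContainsKey($_.PID)) { $seen[$_.PID] = $true; $_ }
        }
        Start-Sleep -Milliseconds 500
    }
}

# If the owner is edgetransport.exe (the Hub Transport service), Exchange
# really is the sender; message tracking then shows which sender, recipients
# and send connector produced the traffic. Assumed: for SEND events ServerIp
# is the remote SMTP host that accepted the message.
function Get-SendsToHost {
    param([string]$RemoteAddress, [int]$Hours = 24)
    Get-MessageTrackingLog -EventId SEND -Start (Get-Date).AddHours(-$Hours) -ResultSize Unlimited |
        Where-Object { $_.ServerIp -eq $RemoteAddress } |
        Select-Object Timestamp, Sender, Recipients, MessageSubject, ConnectorId, SourceContext
}

Watch-ConnectionOwner -RemoteAddress $RemoteIp | Format-Table PID, Name, Path, State -AutoSize
Get-SendsToHost -RemoteAddress $RemoteIp | Format-Table -AutoSize

# To capture the full SMTP conversation (EHLO, MAIL FROM, RCPT TO) rather than
# the binary payload Wireshark shows, enable verbose protocol logging on the
# send connectors; logs are written under
# <Exchange install path>\TransportRoles\Logs\ProtocolLog\SmtpSend.
Get-SendConnector | Set-SendConnector -ProtocolLoggingLevel Verbose
```

If the owning PID belongs to anything other than edgetransport.exe, that executable, not Exchange, is the source, and its path and command line are the next things to examine. Note that ExMon (Exchange Server User Monitor) watches MAPI client sessions against mailbox stores, not SMTP transport, so it will not show outbound port-25 traffic either way.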
Answers
Hi,
Based on my knowledge, some captures are seen in Wireshark and not in NetMon. For more details, see the following thread:
Wireshark vs. NetMon
According to your description, it seems you are suffering from spoofing.
If that is the case, I suggest enabling Anti-Spam and Anti-Malware. I also suggest configuring an SPF record. For more details, see:
Description of Sender Policy Framework (SPF) records
http://support.microsoft.com/kb/2640313
Thanks
Mavis Huang
TechNet Community Support
Monday, October 20, 2014 6:01 AM (Moderator)
Marked as answer by Mavis_Huang (Moderator), Wednesday, October 22, 2014 2:54 AM
All replies
You may have a look at the Exchange Server User Monitor tool to see if it can help you. Download it from here: http://www.microsoft.com/en-us/download/details.aspx?id=11461
Regards from ExchangeOnline.in | Windows Administrator Area | Skype: manuphilip@outlook.com
Friday, October 3, 2014 7:27 PM
Thanks for the link. I installed ExMon and tried it, but I see no email movement through it. Wireshark showed me a connection to that IP address, but ExMon reported nothing.
As a test, I created and sent an email from my AD user through Exchange to an outside email server. ExMon didn't report that email, either. I saw it go with Wireshark, but nothing in ExMon.
Saturday, October 4, 2014 3:01 AM