Tracking sender of unsolicited spam email

  • Question

  • Hi All,

    I had some bad emails going out through my Exchange 2007 server a little over a week ago, and I need some help tracking down where the heck they came from.

    I have a single Exch2007 server with CAS/HUB/MBX roles on the same server.
    Clients use Outlook 2010 - connected through LAN or VPN. We don't use RPC over HTTP/OutlookAnywhere.
    Users also have mobile devices using EAS.

    I can find the spam messages in the MessageTracking logs, but they all have the same ClientIP - the Exchange server itself. So it looks like it didn't come from a compromised local computer. Can I be sure?

    So I thought it was sent through Webmail or ActiveSync, but my knowledge of the IIS logs is limited. I tried to compare timestamps but didn't really find anything useful.

    Any ideas about how to figure out how and where these mails were sent? Thanks everyone!


    UlleTheBulle

    Friday, November 6, 2015 8:19 AM

All replies

  • What does the mail header tell you the source IP is?

    It's possible a client inside the network can make a direct telnet on port 25 to your Exchange.

    Try it from a workstation:

    http://www.yuki-onna.co.uk/email/smtp.html

    Friday, November 6, 2015 9:12 AM
  • The mail header only shows the Exchange server's own IP. Same as the RECEIVE event in the MsgTracking logs.

    Yes, I can connect from a client PC using telnet, but I can only relay mails to internal recipients. If I try to set the recipient to an external address, I get "unable to relay".
    If I submit a test email to an internal recipient, the RECEIVE event in the MsgTracking logs shows the IP address of the client computer.


    UlleTheBulle

    Friday, November 6, 2015 9:35 AM
  • OK, so it looks like it's either OWA/AS or a workstation on your network; you would need to consult the IIS logs on the Exchange for more information. Who is the sender? Is it a user in your directory who has been spoofed? First step: track down their workstation and quarantine it to be sure.
    Friday, November 6, 2015 10:12 AM
  • The sender address is a resource mailbox, not a regular heart-beat user's address. Only two users have Send-As permissions to the mailbox.

    Yeah, I want to track down the workstation, but that's a problem since I can't find out where the mail was sent from, and I don't know what to look for in the IIS logs.


    UlleTheBulle

    Friday, November 6, 2015 10:18 AM
  • It's unlikely the resource mailbox has been enabled for OWA and ActiveSync; in fact a resource mailbox usually has a disabled user account associated with it. I don't see how they would authenticate remotely.

    Here's a test worth doing: try sending an email to yourself using telnet to the Exchange server and specifying the sender as the email address of the resource mailbox. What happens?

    Send email using telnet:

    http://www.yuki-onna.co.uk/email/smtp.html

    • Edited by Jon.Knight Friday, November 6, 2015 10:38 AM
    Friday, November 6, 2015 10:35 AM
  • True, but it was a bad choice of words on my part. It's a normal user mailbox, but one that does not belong to a person; it is used to send and receive mails from the occasional campaign.

    So OWA and EAS are enabled for the mailbox account.


    UlleTheBulle

    Friday, November 6, 2015 10:39 AM
  • Do you have logging enabled on the client and default receive connector in Exchange?
    Friday, November 6, 2015 10:45 AM
  • At the bottom of the email header do you see the Exchange tags:

    X-MS-Exchange-Organization-AuthSource: mail.contoso.internal
    X-MS-Exchange-Organization-AuthAs: Internal
    X-MS-Exchange-Organization-AuthMechanism: 04
    X-Originating-IP: [192.168.0.27]
    X-Auto-Response-Suppress: DR, OOF, AutoReply

    Friday, November 6, 2015 10:49 AM
  • No logging on the receive connectors :(

    UlleTheBulle

    Friday, November 6, 2015 11:53 AM