Tracking compromised accounts

  • Question

  • Hi everyone,

    We just switched to FOPE (previously used M+ from Messaging Architects) and are
    using Exchange 2010 SP1 with the latest rollup. I have two Edge Transport
    servers with FPE installed and I have FPE installed on my Hub Transport servers
    (without the spam feature enabled). Currently, I am not sending email back
    outbound through FOPE. I am still testing that part.

    I was surprised to find out that Microsoft does not have
    the ability to determine which user account is compromised and can only tell
    you the IP of the server (which is always one of the Edge servers). Today I am researching
    the best way to track down an offending account that has been compromised,
    say via a phishing incident.

    How do most of you track down a compromised account in your
    organization?

    Thanks,

    Mike



    MRR

    Tuesday, March 20, 2012 2:23 PM

All replies

  • Well, I guess I will delete this post since no one has any answers. Interesting...


    MRR

    Tuesday, April 3, 2012 3:25 PM
  • > How do most of you track down a compromised account in your organization?

    We use IronPort. LOL It sits behind FOPE and catches what FOPE cannot. It also has much more robust message tracking and reporting.
    Tuesday, April 3, 2012 5:54 PM
  • Guess you are using FOPE for testing purposes? :-)

    I am curious how most admins deal with accounts that have been compromised since all you get out of FOPE is the IP number of the server that SPAM is coming from. I am still amazed that there isn't a simpler way than wading through tons of logs in search of one account... :-(



    MRR

    Tuesday, April 3, 2012 9:19 PM
    There are actually ways to accomplish most of this to some extent.

    Note: This will require that you are using FOPE to route your outbound mail; by doing so you can set up a BCC of suspicious mail to a specific administrator or mail reviewer.

    To do this, simply click the Administration tab in the Administration Center and select the domain you wish to set this up on. Under Domain Settings (left side) click Edit beside Preferences, enable outbound filtering and fill out "BCC all suspicious outbound e-mails to the following e-mail address". What this will do is provide the recipient a copy of anything FOPE's filtering servers find to be suspicious/spam-like. In addition it will be routed through a special group of servers in order to minimize possible impact of blacklisting/greylisting for legitimate mail.

    Although you will not be able to generate a report that states specifically which mailboxes have been compromised, you can get total counts of mail that was deemed suspicious, as well as a list of your top senders. If a sender is especially high, you can probably bet they were compromised.

    Wednesday, May 9, 2012 5:22 PM
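The FOPE top-senders list and the BCC copy only show what left the Edge servers; the mailbox that actually submitted the mail is recorded one hop earlier, in the message tracking logs of the Hub Transport servers (RECEIVE events with Source STOREDRIVER for Outlook/OWA submissions, Source SMTP for relay clients). The script below is an added example for this thread, not code from the original posts or from Microsoft: it aggregates those events per sender across every Hub Transport server and flags the outliers. It assumes it is run in the Exchange Management Shell by an account allowed to read tracking logs, and the two thresholds are illustrative values, not tuned numbers.

```powershell
# Added example (not from the thread): find the mailbox behind an outbound spam
# burst by aggregating Exchange 2010 message tracking logs on the Hub Transport
# servers, since FOPE only ever reports the Edge server's IP.
# Assumptions: run in the Exchange Management Shell with rights to read tracking
# logs; $MessageThreshold and $RecipientThreshold are illustrative, not tuned.

param(
    [int]$Hours = 24,                 # look-back window
    [int]$MessageThreshold = 500,     # assumed: messages per sender that is abnormal here
    [int]$RecipientThreshold = 2000   # assumed: total recipients per sender that is abnormal
)

$start = (Get-Date).AddHours(-$Hours)

# Hub Transport servers are where internal submissions (store driver for
# Outlook/OWA, receive connectors for authenticated SMTP) first enter transport.
$hubs = Get-ExchangeServer | Where-Object { $_.ServerRole -match "HubTransport" }

# Only accepted domains count as "our" senders; anything else is inbound mail
# (including what the Edge servers forward in), which we want to ignore.
$ourDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

# RECEIVE events record the message entering this server. Source STOREDRIVER is
# a mailbox submission; Source SMTP came in over a receive connector.
$events = foreach ($hub in $hubs) {
    Get-MessageTrackingLog -Server $hub.Name -Start $start -EventId RECEIVE -ResultSize Unlimited |
        Where-Object {
            ($_.Source -eq "STOREDRIVER" -or $_.Source -eq "SMTP") -and
            $_.Sender -and
            ($ourDomains -contains (($_.Sender -split "@")[-1]).ToLower())
        }
}

# One row per sender: message volume, recipient fan-out, and where the
# submissions came from. Many recipients per message with a new ClientIp is
# the usual signature of a phished account being used for bulk sending.
$report = $events | Group-Object -Property Sender | ForEach-Object {
    $recips  = ($_.Group | Measure-Object -Property RecipientCount -Sum).Sum
    $clients = @($_.Group | ForEach-Object { $_.ClientIp } | Sort-Object -Unique)
    New-Object PSObject -Property @{
        Sender            = $_.Name
        Messages          = $_.Count
        Recipients        = $recips
        DistinctClientIps = $clients.Count
        ClientIps         = ($clients -join ", ")
        Suspicious        = ($_.Count -ge $MessageThreshold -or $recips -ge $RecipientThreshold)
    }
}

$report |
    Sort-Object -Property Recipients -Descending |
    Select-Object Sender, Messages, Recipients, DistinctClientIps, ClientIps, Suspicious |
    Format-Table -AutoSize

# Keep the evidence for the incident record.
if ($report) {
    $report | Export-Csv -Path ".\sender-volume-$((Get-Date).ToString('yyyyMMdd-HHmm')).csv" -NoTypeInformation
}
```

Two caveats for reading the output. ClientIp is only meaningful for Source SMTP rows; for STOREDRIVER rows it is the mailbox server, not the user's workstation. And if an F5 or other load balancer sits in front of the Hub receive connectors with SNAT enabled, as discussed later in this thread, every SMTP client will show the balancer's address, so the per-sender counts, not the IPs, are what identify the account in that setup.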
  • Thanks for the response. We have been sending outbound for about a month now and I do have the BCC enabled. Currently I am having an issue where we are getting hit with anywhere between 45GB and 70GB of email through one connection. I don't think this email is getting into the Exchange environment. However, it's driving me nuts because I can't track it down. I have an F5 in place and am in the process of setting up SNAT, so hopefully this will help ID the offending account. Again, I am totally amazed at the lack of simple tools to track this stuff.


    MRR

    Monday, May 14, 2012 5:17 PM