Who is sending more messages
Dear All,
We are facing a problem: our domain is getting blocked every day due to spam mails. Can anyone please tell me how we can catch the user who is sending more messages? Is there any report or log viewer available in Exchange Server 2010?
I checked in Performance Monitor, but the counter info is not useful; I cannot catch the user.
Thanks
Agha
January 23rd, 2012 1:36am
Domains are not blacklisted, IP addresses are.
It is very unlikely the email is being sent through Exchange. If it was, you would see the messages in your queue viewer because the lists that the spammers use are not clean.
The most likely scenario is that a workstation has been compromised and is sending out email directly, not through Exchange. The quickest way to find the compromised workstation is to block port 25 outbound on your firewall for everything but Exchange and then watch the logs. A workstation that is trying to send email will quickly show up and you can find the machine and deal with it.
Simon.
Simon Butler, Exchange MVP
January 23rd, 2012 6:43am
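The "block port 25 outbound for everything but Exchange, then watch the logs" approach from the reply above, worked through as an added example that is not part of the original thread. It reads a firewall log in the Windows Firewall (pfirewall.log) layout, which has a `#Fields:` header line, and reports every internal source other than the allowed Exchange server that tried to reach TCP/25 outbound. A perimeter firewall's export uses different column names, so the field names in `Find-SmtpSenders` would need adjusting; the Exchange address 10.0.0.22 and every log line are constructed for the example.

```powershell
# Added example (not from the original thread): find hosts other than Exchange that try
# to send SMTP directly, from a firewall log in the Windows Firewall log layout
# (%systemroot%\system32\LogFiles\Firewall\pfirewall.log). All values below are constructed.

# Hosts that are allowed to talk SMTP outbound (assumption: one Hub/Edge server).
$exchangeServers = @('10.0.0.22')

# Constructed sample in the Windows Firewall log layout.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-01-23 22:14:01 DROP TCP 10.0.5.17 203.0.113.10 49211 25 52 S 1234567 0 8192 - - - SEND
2012-01-23 22:14:01 DROP TCP 10.0.5.17 198.51.100.25 49212 25 52 S 1234568 0 8192 - - - SEND
2012-01-23 22:14:02 ALLOW TCP 10.0.0.22 203.0.113.10 51000 25 0 - 0 0 0 - - - SEND
2012-01-23 22:14:03 DROP TCP 10.0.5.17 192.0.2.40 49213 25 52 S 1234569 0 8192 - - - SEND
2012-01-23 22:14:04 ALLOW TCP 10.0.5.31 203.0.113.80 49300 443 0 - 0 0 0 - - - SEND
2012-01-23 22:14:05 DROP TCP 10.0.7.9 192.0.2.41 50010 25 52 S 1234570 0 8192 - - - SEND
2012-01-23 22:14:06 DROP TCP 10.0.5.17 192.0.2.42 49214 25 52 S 1234571 0 8192 - - - SEND
'@

# Turn the space-separated log into objects whose property names come from the #Fields line.
function Import-FirewallLog {
    param([string[]]$Lines)
    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $header = ($fieldsLine -replace '^#Fields:\s*', '') -split '\s+'
    $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } | ForEach-Object {
        $values = $_ -split '\s+'
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $header.Count; $i++) { $entry[$header[$i]] = $values[$i] }
        [pscustomobject]$entry
    }
}

# Outbound TCP/25 attempts from anything that is not an allowed mail server, grouped by source.
# A compromised workstation stands out by the number of attempts and distinct destinations.
function Find-SmtpSenders {
    param($Entries, [string[]]$AllowedSources)
    $Entries |
        Where-Object {
            $_.protocol -eq 'TCP' -and $_.'dst-port' -eq '25' -and $_.path -eq 'SEND' -and
            $AllowedSources -notcontains $_.'src-ip'
        } |
        Group-Object -Property 'src-ip' |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $group = @($_.Group)
            [pscustomobject]@{
                SourceIp     = $_.Name
                Attempts     = $_.Count
                Destinations = @($group | ForEach-Object { $_.'dst-ip' } | Sort-Object -Unique).Count
                Dropped      = @($group | Where-Object { $_.action -eq 'DROP' }).Count
                FirstSeen    = "$($group[0].date) $($group[0].time)"
            }
        }
}

$entries = Import-FirewallLog -Lines ($sampleLog -split '\r?\n')
Find-SmtpSenders -Entries $entries -AllowedSources $exchangeServers | Format-Table -AutoSize
```

On the constructed sample this lists 10.0.5.17 (four attempts to four destinations, all dropped) ahead of 10.0.7.9, while the Exchange server's own connection and the unrelated HTTPS session are ignored. Against a real file, replace the here-string with `Get-Content` on the log and keep the allow-list to the servers that are meant to send mail.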
To be honest, Sembee, it really depends on your user base. Ours is notorious for doing all kinds of crazy things - even posting their own usernames and passwords on A4 sheets of paper in lecture rooms and labs for guests and students to log on with (it really is quite bewildering).
Subsequently, with such a poor grasp of account security, this translates into a modest number of compromised accounts which are then exploited through automation via OWA. (More a reflection of poor password settings than the A4 pieces of paper)
Getting back to your question, Agha, how do we tell if there's potentially been issues? Well, the answer is primitive, but we tend to check the most frequent sending addresses with something like the following PowerShell statement, which we run on the Edge Transport:
Get-MessageTrackingLog -Start "23/01/2012" -EventId SEND | where {($_.Sender -match "@ourDomain.edu.au") } | Group-Object -Property Sender | Sort-Object -Property Count -Descending | where {$_.Count -gt 4}
This is all meant to be one line, by the way. Be careful of any forum word wrapping.
Anyway, this gives us a basis for looking into suspected spam issues. From this list we can quickly identify who might have been responsible for the previous evening's 65,000 spam messages (since we can have up to 40 recipients per e-mail). At that point we'll run something like:
Get-MessageTrackingLog -Start "01/23/2012" -Sender lain.robertson@ourDomain.edu.au -EventId SUBMIT | fl Timestamp,Sender,MessageSubject,SourceContext
What we're looking for in here is really the SourceContext containing the ClientType:MOMT or ClientType:OWA tag. At that point, if it's OWA, we disable OWA and ActiveSync on the account and get in touch with the user to let them know we need them to reset their password. Assuming it's not a compromised home computer, we usually don't hear from them again.
In any case, both diagnostic options cover two mutually exclusive scenarios, so Agha, you'd do well to look at all avenues (including ones we haven't mentioned).
Cheers,
Lain
January 23rd, 2012 8:51am
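The two-step triage described in the reply above (top senders first, then the ClientType of each suspect's submissions), worked through as an added example that is not part of the original post. It runs offline against a message tracking log file rather than calling `Get-MessageTrackingLog`, which is useful when the logs have been copied off the servers or the shell is unavailable. Exchange 2010 writes these logs as CSV with a `#Fields:` header, so the parser takes its column names from that line and would read a real file unchanged. Assumptions: the domain, the cut-off of 4 messages, the senders and every log line are constructed; the column set is a subset of the real one; and SEND events (normally on the Edge server) and SUBMIT events (normally on the Mailbox server) are merged into a single sample for brevity.

```powershell
# Added example (not from the original thread): offline triage of an Exchange 2010
# message tracking log, reproducing the post's two queries without Get-MessageTrackingLog.
# Real logs live by default under <ExchangeInstall>\TransportRoles\Logs\MessageTracking.
# Everything below (domain, senders, threshold, log lines, reduced column set) is constructed.

$ourDomain   = 'ourDomain.edu.au'
$minMessages = 4   # same cut-off as the post's "where {$_.Count -gt 4}"

# Constructed sample in the tracking-log CSV layout (subset of the real columns).
$sampleLog = @'
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,server-hostname,source-context,source,event-id,internal-message-id,recipient-address,recipient-count,message-subject,sender-address
2012-01-23T01:12:01.000Z,10.0.0.21,MBX01,"MDB:1a2b3c,Mailbox:9f8e7d,Event:123,MessageClass:IPM.Note,CreationTime:2012-01-23T01:12:00.000Z,ClientType:OWA",STOREDRIVER,SUBMIT,1001,,40,Cheap meds,lain.robertson@ourDomain.edu.au
2012-01-23T01:12:05.000Z,10.0.0.22,EDGE01,08CEA1B2C3D4E5F6;2012-01-23T01:12:04.000Z;0,SMTP,SEND,1001,a1@example.net;a2@example.net,40,Cheap meds,lain.robertson@ourDomain.edu.au
2012-01-23T01:12:09.000Z,10.0.0.22,EDGE01,08CEA1B2C3D4E5F7;2012-01-23T01:12:08.000Z;0,SMTP,SEND,1002,b1@example.net;b2@example.net,40,Cheap meds,lain.robertson@ourDomain.edu.au
2012-01-23T01:12:13.000Z,10.0.0.22,EDGE01,08CEA1B2C3D4E5F8;2012-01-23T01:12:12.000Z;0,SMTP,SEND,1003,c1@example.net;c2@example.net,40,Cheap meds,lain.robertson@ourDomain.edu.au
2012-01-23T01:12:17.000Z,10.0.0.22,EDGE01,08CEA1B2C3D4E5F9;2012-01-23T01:12:16.000Z;0,SMTP,SEND,1004,d1@example.net;d2@example.net,40,Cheap meds,lain.robertson@ourDomain.edu.au
2012-01-23T01:12:21.000Z,10.0.0.22,EDGE01,08CEA1B2C3D4E5FA;2012-01-23T01:12:20.000Z;0,SMTP,SEND,1005,e1@example.net;e2@example.net,40,Cheap meds,lain.robertson@ourDomain.edu.au
2012-01-23T08:30:00.000Z,10.0.0.21,MBX01,"MDB:1a2b3c,Mailbox:4c5d6e,Event:124,MessageClass:IPM.Note,CreationTime:2012-01-23T08:29:59.000Z,ClientType:MOMT",STOREDRIVER,SUBMIT,2001,,1,Timetable,jane.doe@ourDomain.edu.au
2012-01-23T08:30:03.000Z,10.0.0.22,EDGE01,08CEA1B2C3D4E5FB;2012-01-23T08:30:02.000Z;0,SMTP,SEND,2001,bob@example.org,1,Timetable,jane.doe@ourDomain.edu.au
'@

# Parse the CSV using the column names Exchange puts on the #Fields line.
function Import-TrackingLog {
    param([string[]]$Lines)
    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $header = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
    $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $header
}

# Step 1 (the Edge query): internal senders with more than $MinMessages SEND events,
# plus the summed recipient-count, which is where a "65,000 messages" figure comes from
# when each message carries up to 40 recipients.
function Get-TopSenders {
    param($Events, [string]$Domain, [int]$MinMessages)
    $Events |
        Where-Object { $_.'event-id' -eq 'SEND' -and $_.'sender-address' -like "*@$Domain" } |
        Group-Object -Property 'sender-address' |
        ForEach-Object {
            [pscustomobject]@{
                Sender     = $_.Name
                Messages   = $_.Count
                Recipients = ($_.Group | ForEach-Object { [int]$_.'recipient-count' } | Measure-Object -Sum).Sum
            }
        } |
        Where-Object { $_.Messages -gt $MinMessages } |
        Sort-Object -Property Messages -Descending
}

# Step 2 (the Mailbox query): how a suspect's mail was submitted. The source-context of a
# SUBMIT event carries "ClientType:OWA", "ClientType:MOMT" (Outlook over MAPI), and so on.
function Get-SubmitDetails {
    param($Events, [string]$Sender)
    $Events |
        Where-Object { $_.'event-id' -eq 'SUBMIT' -and $_.'sender-address' -eq $Sender } |
        ForEach-Object {
            $clientType = if ($_.'source-context' -match 'ClientType:(\w+)') { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{
                Timestamp  = $_.'date-time'
                Sender     = $_.'sender-address'
                Subject    = $_.'message-subject'
                ClientType = $clientType
            }
        }
}

$events   = Import-TrackingLog -Lines ($sampleLog -split '\r?\n')
$suspects = Get-TopSenders -Events $events -Domain $ourDomain -MinMessages $minMessages
$suspects | Format-Table -AutoSize

foreach ($suspect in $suspects) {
    Get-SubmitDetails -Events $events -Sender $suspect.Sender | Format-Table -AutoSize
}
```

On the constructed sample only lain.robertson clears the cut-off (5 messages, 200 recipients), and the SUBMIT lookup shows that mail was submitted through OWA at 01:12, which is the pattern the post treats as a compromised account. To use this on real files, replace the here-string with `Get-Content` over the MSGTRK*.LOG files of the relevant day; the SEND counts come from the Edge or Hub logs and the SUBMIT details from the Mailbox server logs.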
Thanks for your response.
Regards,
Agha
January 23rd, 2012 10:04am