This is driving me crazy. I have tried to figure this out by the logs but I cannot.
Please look at this and my logic and tell me if this makes sense,
or whether I need to turn something else on to figure this out.
A. Every morning, as Exchange admin, I get three notifications of e-mail
failures, two inbound and one outbound.
I believe these are a virus or worm, but I cannot figure out which machine to check.
The messages all reference either [EMAIL PROTECTED] (which is Host unknown)
or [EMAIL PROTECTED]
===========================================================================
TEXT OF MESSAGES
***************************************************************************
Notification Inbound Failure
The following recipients did not receive the attached mail. Reasons are listed with
each recipient:
<[EMAIL PROTECTED]> [EMAIL PROTECTED]
MSEXCH:IMS:Schwartz Engineering:DILBERT:SECESERV 3902 (000B099C) Host Unknown
***************************************************************************
Notice Outbound Failure
A mail message could not be sent because the following host is unknown:
fre.sg.co.nz
The message that caused this notification was:
To: <[EMAIL PROTECTED]>
From: <>
Subject: Undeliverable: dch`cii`che`h.hf`cjb`cdg`dbk.( _(bc_`$%'$`
&
***************************************************************************
Notification Inbound Failure
The following recipients did not receive the attached mail. Reasons are listed with
each recipient:
<[EMAIL PROTECTED]> [EMAIL PROTECTED]
MSEXCH:IMS:Schwartz Engineering:DILBERT:SECESERV 0 (000C05A6) Unknown Recipient
The message that caused this notification was:
===========================================================================
B. I have checked my tracking logs and these bad addresses show up in five records
1012 - 1017 - 1010 - 1018 - 1018
From the MS information:
1012 = SMTP Received
1017 = SMTP Report Generated
1010 = SMTP Queued Outbound
1018 = SMTP Report Absorbed
C. I think I am only interested in tracking something going out, as the infected
machine is trying every day to send a message to the bad address.
D. So I look at the logs for the 1010 records
E. I understand from MS each field has a meaning (and unfortunately some can be
blank)
F. LOG FILES - I am listing two 1010 records, one bad news and one OK.
I have tried to separate the fields by returns,
but I still cannot tell what computer or user is making the SMTP send-to-queue
request.
LOG FILES RECORDS
===========================================================================
BAD c=US;a= ;p=Schwartz Enginee;l=SECESERV0208152225210117
1010
2002.8.15 22:25:30
/o=Schwartz
Engineering/ou=DILBERT/cn=Configuration/cn=Connections/cn=Internet Mail Connector
(SECESERV)
/o=Schwartz
Engineering/ou=DILBERT/cn=Configuration/cn=Connections/cn=Internet Mail Connector
(SECESERV)
<31A683549218D5119F2E00902717262F4DF4B3@seceserv> [QZK2WG35]
(Originator?) ++MISSING FIELD?++
0
1986
0
0
1
[EMAIL PROTECTED]
GOOD c=US;a= ;p=Schwartz Enginee;l=SECESERV-020815070819Z-723
1010
2002.8.15 7:8:26
/o=Schwartz
Engineering/ou=DILBERT/cn=Configuration/cn=Connections/cn=Internet Mail Connector
(SECESERV)
/o=Schwartz
Engineering/ou=DILBERT/cn=Configuration/cn=Connections/cn=Internet Mail Connector
(SECESERV)
<31A683549218D5119F2E00902717262F391F1F@seceserv> [QZK2WGJN]
(Originator) /O=SCHWARTZ ENGINEERING/OU=DILBERT/CN=RECIPIENTS/CN=MGIRPS
0
1069
0
0
1
[EMAIL PROTECTED]
===========================================================================
Any help would be great - I really want to stop this...
TIA-TOMG
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
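As an added example (not part of the original post), here is a small Python script that reads 1010 (SMTP Queued Outbound) tracking records in the field order the post lists them and reports, for each record addressed to a given recipient, whether the originator field names a mailbox or is blank. It assumes the records are tab-separated on one line each (the post shows them split onto separate lines), the field labels in `FIELDS` are names chosen here rather than Exchange's official column names, and the two sample records are constructed from the post's BAD and GOOD records with the redacted addresses replaced by placeholder addresses.

```python
"""Flag Exchange 5.5 tracking-log 1010 records whose originator is blank.

Added example; field labels and tab-separated layout are assumptions, and
the sample records are constructed from the two records quoted in the post.
"""
from collections import defaultdict

# Positional labels in the order the post lists the fields (assumed names).
FIELDS = [
    "tracking_id", "event", "timestamp", "gateway", "partner",
    "message_id", "proxy", "originator", "priority", "length",
    "seconds", "cost", "recipient_count", "recipient",
]

# Event numbers and meanings as quoted in the post.
EVENT_NAMES = {
    1010: "SMTP Queued Outbound",
    1012: "SMTP Received",
    1017: "SMTP Report Generated",
    1018: "SMTP Report Absorbed",
}

IMC = ("/o=Schwartz Engineering/ou=DILBERT/cn=Configuration"
       "/cn=Connections/cn=Internet Mail Connector (SECESERV)")

# Constructed sample: the post's BAD and GOOD 1010 records, one per line,
# tab-separated. Recipient addresses are placeholders.
SAMPLE_LOG = "\n".join([
    "\t".join([
        "c=US;a= ;p=Schwartz Enginee;l=SECESERV0208152225210117", "1010",
        "2002.8.15 22:25:30", IMC, IMC,
        "<31A683549218D5119F2E00902717262F4DF4B3@seceserv>", "[QZK2WG35]",
        "",  # originator is blank, exactly as in the post's BAD record
        "0", "1986", "0", "0", "1", "someone@unknown-host.example",
    ]),
    "\t".join([
        "c=US;a= ;p=Schwartz Enginee;l=SECESERV-020815070819Z-723", "1010",
        "2002.8.15 7:8:26", IMC, IMC,
        "<31A683549218D5119F2E00902717262F391F1F@seceserv>", "[QZK2WGJN]",
        "/O=SCHWARTZ ENGINEERING/OU=DILBERT/CN=RECIPIENTS/CN=MGIRPS",
        "0", "1069", "0", "0", "1", "user@partner.example",
    ]),
])


def parse_record(line):
    """Split one tracking-log line into a dict keyed by FIELDS."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    rec["event"] = int(rec["event"])
    rec["length"] = int(rec["length"])
    rec["recipient_count"] = int(rec["recipient_count"])
    return rec


def parse_log(text):
    """Parse every non-empty line of a tracking log."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def classify_originator(rec):
    """A mailbox submission carries a /CN=RECIPIENTS/CN=<alias> originator.
    A blank originator means no mailbox in the org submitted the message,
    which is what connector-generated report traffic looks like."""
    orig = rec["originator"].strip()
    if not orig:
        return "system-generated (no originator mailbox)"
    upper = orig.upper()
    if "/CN=RECIPIENTS/CN=" in upper:
        return "mailbox: " + upper.rsplit("/CN=", 1)[-1]
    return "other: " + orig


def queued_outbound_for(records, recipient):
    """All 1010 records addressed to `recipient`, with the originator classed."""
    hits = []
    for rec in records:
        if rec["event"] == 1010 and rec["recipient"].lower() == recipient.lower():
            hits.append({
                "timestamp": rec["timestamp"],
                "tracking_id": rec["tracking_id"],
                "message_id": rec["message_id"],
                "length": rec["length"],
                "originator": classify_originator(rec),
            })
    return hits


def by_message_id(records):
    """Group records by Internet message-id so the 1012/1017/1010/1018 events
    for one message can be read side by side (log order is kept)."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["message_id"]].append(
            (rec["timestamp"], rec["event"], EVENT_NAMES.get(rec["event"], "?")))
    return dict(groups)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for addr in ("someone@unknown-host.example", "user@partner.example"):
        for hit in queued_outbound_for(recs, addr):
            print(f'{hit["timestamp"]}  {addr}  {hit["length"]} bytes  '
                  f'{hit["originator"]}')
```

Run against a real tracking log, replace `SAMPLE_LOG` with the file contents and the placeholder address with the recipient from the notifications; a 1010 record that comes back as "system-generated" has no mailbox to point at, so the message-id grouping is the place to look for the matching 1012 (SMTP Received) record, which is the event that recorded the message entering the connector.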