Consider whether that isn't probably a Klez-type message coming from elsewhere and spoofing your addresses?
-----Original Message-----
From: Tom Gilbert [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 16, 2002 8:12 AM
To: Exchange Discussions
Subject: Need Detective Help on Exchange Error

This is driving me crazy. I have tried to figure this out by the logs but I cannot. Please look at this and my logic and tell me if this makes sense or do I need to turn something else on to figure this out.

A. Every morning, as Exchange admin, I get three notifications of e-mail failures, two inbound and one outbound. I believe these are a virus or worm, but I cannot figure out which machine to check. The messages all reference either [EMAIL PROTECTED] (which is Host unknown) or [EMAIL PROTECTED]

===========================================================================
TEXT OF MESSAGES
***************************************************************************
Notification Inbound Failure
The following recipients did not receive the attached mail. Reasons are listed with each recipient:
<[EMAIL PROTECTED]> [EMAIL PROTECTED]
MSEXCH:IMS:Schwartz Engineering:DILBERT:SECESERV 3902 (000B099C) Host Unknown
***************************************************************************
Notice Outbound Failure
A mail message could not be sent because the following host is unknown: fre.sg.co.nz
The message that caused this notification was:
To: <[EMAIL PROTECTED]>
From: <>
Subject: Undeliverable: dch`cii`che`h.hf`cjb`cdg`dbk.( _(bc_`$%'$` &
***************************************************************************
Notification Inbound Failure
The following recipients did not receive the attached mail. Reasons are listed with each recipient:
<[EMAIL PROTECTED]> [EMAIL PROTECTED]
MSEXCH:IMS:Schwartz Engineering:DILBERT:SECESERV 0 (000C05A6) Unknown Recipient
The message that caused this notification was:
===========================================================================

B. I have checked my tracking logs and these bad addresses show up in five records: 1012 - 1017 - 1010 - 1018 - 1018. From the MS information:
1012 = SMTP Received
1017 = SMTP Report Generated
1010 = SMTP Queued Outbound
1018 = SMTP Report Absorbed

C. I think I am only interested in tracking something going out, as the infected machine is trying every day to send a message to the bad address.

D. So I look at the logs for the 1010 records.

E. I understand from MS each field has a meaning (and unfortunately some can be blank).

F. LOG FILES - I am listing two 1010 records, one bad and one OK. I have tried to separate the fields by returns, but I still cannot tell what computer or user is making the SMTP send-to-queue request.

LOG FILE RECORDS
===========================================================================
BAD
c=US;a= ;p=Schwartz Enginee;l=SECESERV0208152225210117
1010
2002.8.15 22:25:30
/o=Schwartz Engineering/ou=DILBERT/cn=Configuration/cn=Connections/cn=Internet Mail Connector (SECESERV)
/o=Schwartz Engineering/ou=DILBERT/cn=Configuration/cn=Connections/cn=Internet Mail Connector (SECESERV)
<31A683549218D5119F2E00902717262F4DF4B3@seceserv>
[QZK2WG35]
(Originator?) ++MISSING FIELD?++
0 1986 0 0 1
[EMAIL PROTECTED]

GOOD
c=US;a= ;p=Schwartz Enginee;l=SECESERV-020815070819Z-723
1010
2002.8.15 7:8:26
/o=Schwartz Engineering/ou=DILBERT/cn=Configuration/cn=Connections/cn=Internet Mail Connector (SECESERV)
/o=Schwartz Engineering/ou=DILBERT/cn=Configuration/cn=Connections/cn=Internet Mail Connector (SECESERV)
<31A683549218D5119F2E00902717262F391F1F@seceserv>
[QZK2WGJN]
(Originator) /O=SCHWARTZ ENGINEERING/OU=DILBERT/CN=RECIPIENTS/CN=MGIRPS
0 1069 0 0 1
[EMAIL PROTECTED]
===========================================================================

Any help would be great - I really want to stop this...

TIA-TOMG
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
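The tracking-log analysis the post walks through by hand, as an added example that is not code from the list or from Microsoft. It assumes the tracking log is tab-delimited with the columns in the order the quoted BAD/GOOD records show them (message id, event, timestamp, gateway, partner, remote message id, local message id, originator, five numeric fields, then recipients); that ordering is taken from the post, not from a documented layout. All message ids, DNs and addresses in the sample are constructed, except that the unknown host `fre.sg.co.nz` is the one named in the outbound failure notice. Two checks matter for the question asked: a 1010 record whose originator field is blank was not queued by a mailbox on the server, and the outbound notice on the page carries `From: <>`, which is how a non-delivery report looks. Taken together with the event chain the post already found (1012, 1017, 1010, 1018), the blank-originator 1010 is consistent with the connector's own report going back to a spoofed sender, which is what the reply's Klez suggestion amounts to, rather than with an internal machine sending mail.

```python
"""Added example (not from the thread): parse Exchange 5.5 message tracking
log records, flag SMTP Queued Outbound (1010) events with a blank originator,
and rebuild the per-address event chain the post traced by hand.
Column order is assumed from the records quoted in the post; ids, DNs and
addresses below are constructed."""
from collections import Counter

EVENT_NAMES = {
    "1010": "SMTP Queued Outbound",
    "1012": "SMTP Received",
    "1017": "SMTP Report Generated",
    "1018": "SMTP Report Absorbed",
}

# Assumed column layout, in the order the fields appear in the post's records:
# 0 message id, 1 event, 2 timestamp, 3 gateway, 4 partner, 5 remote message id,
# 6 local message id, 7 originator (may be blank), 8-12 five numeric fields,
# 13.. one or more recipient addresses.
MIN_FIELDS = 14

# Constructed names; only the host fre.sg.co.nz comes from the post.
IMC = "/o=Example/ou=SITE/cn=Configuration/cn=Connections/cn=Internet Mail Connector (SRV1)"
EXTERNAL = "sender@fre.sg.co.nz"
LOCAL_USER = "/O=EXAMPLE/OU=SITE/CN=RECIPIENTS/CN=MGIRPS"


def _rec(msg_id, event, ts, remote_id, local_id, originator, size, recipient):
    """Build one constructed tab-delimited record in the assumed layout."""
    return "\t".join([msg_id, event, ts, IMC, IMC, remote_id, local_id,
                      originator, "0", size, "0", "0", "1", recipient])


# Constructed sample: an inbound message from the unknown host, the connector's
# report about it, that report queued outbound with no originator, a normal
# user send, and the report being absorbed.
SAMPLE_LOG = "\n".join([
    _rec("c=US;a= ;p=Example;l=SRV1-A1", "1012", "2002.8.15 22:25:10",
         "<a1@srv1>", "[QZK2WG33]", EXTERNAL, "2200", "user@example.invalid"),
    _rec("c=US;a= ;p=Example;l=SRV1-A2", "1017", "2002.8.15 22:25:20",
         "<a2@srv1>", "[QZK2WG34]", "", "1986", EXTERNAL),
    _rec("c=US;a= ;p=Example;l=SRV1-A3", "1010", "2002.8.15 22:25:30",
         "<a3@srv1>", "[QZK2WG35]", "", "1986", EXTERNAL),
    _rec("c=US;a= ;p=Example;l=SRV1-B1", "1010", "2002.8.15 7:8:26",
         "<b1@srv1>", "[QZK2WGJN]", LOCAL_USER, "1069", "contact@partner.invalid"),
    _rec("c=US;a= ;p=Example;l=SRV1-A4", "1018", "2002.8.15 22:25:40",
         "<a4@srv1>", "[QZK2WG36]", "", "1986", EXTERNAL),
])


def parse_record(line):
    """Split one tracking-log line into named fields; blank originator stays ''."""
    cols = line.rstrip("\r\n").split("\t")
    if len(cols) < MIN_FIELDS:
        raise ValueError("expected at least %d tab-separated fields, got %d"
                         % (MIN_FIELDS, len(cols)))
    return {
        "msg_id": cols[0],
        "event": cols[1],
        "event_name": EVENT_NAMES.get(cols[1], "unknown"),
        "timestamp": cols[2],
        "gateway": cols[3],
        "partner": cols[4],
        "remote_msg_id": cols[5],
        "local_msg_id": cols[6],
        "originator": cols[7].strip(),
        "counters": cols[8:13],
        "recipients": [r for r in cols[13:] if r],
    }


def load_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def outbound_without_originator(records):
    """1010 events that no mailbox on this server queued (blank originator)."""
    return [r for r in records if r["event"] == "1010" and not r["originator"]]


def outbound_by_originator(records):
    """How many outbound queuings each originator DN accounts for."""
    counts = Counter()
    for r in records:
        if r["event"] == "1010":
            counts[r["originator"] or "<none>"] += 1
    return counts


def events_for_address(records, address):
    """Event codes, in log order, for records naming the address as sender or recipient."""
    address = address.lower()
    return [r["event"] for r in records
            if r["originator"].lower() == address
            or address in (x.lower() for x in r["recipients"])]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for r in outbound_without_originator(recs):
        print("1010 with no originator:", r["local_msg_id"], r["timestamp"], r["recipients"])
    print("1010 events per originator:", dict(outbound_by_originator(recs)))
    print("event chain for", EXTERNAL + ":", events_for_address(recs, EXTERNAL))
```

Run against a real tracking log by replacing `SAMPLE_LOG` with the file contents; if the originator column of your log sits at a different index than the post's records suggest, adjust the indices in `parse_record` before trusting the blank-originator check.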

