You have to be joking! Jason G. help him...
-- Peter van Houten

On the 22/07/2009 15:48, [email protected] wrote the following:
If they used the mailbox (Outlook or OWA) you'd see something in sent items.

This telnet is from my workstation to one of our bridgeheads to a hotmail account. It isn't in my sent items but the hotmail account got it.

I'd guess the script used did the same thing, just a whole lot faster!

[inline image: image003.jpg]

-----Original Message-----
From: Glen Johnson [mailto:gjohnson@vhcc.edu]
Sent: Wednesday, July 22, 2009 9:08 AM
To: MS-Exchange Admin Issues
Subject: RE: 2k3 message tracking-Resolved

Thanks to all for the suggestions.

I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password.

Looks like the phishers have a script that runs against OWA and sends out all the spam.

The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they've been through security training (twice) that addresses this exact issue.

Oh well, job security.

One last question.

Is it possible to tell if the email was dumped into the Exchange server via OWA or an Outlook client?

I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA.

-----Original Message-----
From: Jason Gurtz [mailto:jasongurtz@npumail.com]
Sent: Tuesday, July 21, 2009 3:49 PM
To: MS-Exchange Admin Issues
Subject: RE: 2k3 message tracking

> When I reset the password on the two accounts that were sending all the
> spam, it stopped and hasn't returned so the only conclusion I've come up
> with is that these two accounts got their password stolen, and then some
> script or bot accessed their OWA account and sent all the spam.
>
> Does that sound possible/logical?

Sounds like the users were phished and from what I've heard, this is very common at edu's. You might want to check out installing something like Untangle which has an anti-phishing filter <http://www.untangle.com/> in front of your mail server(s).

If you're motivated enough to install a Linux based mail gateway you may be able to use this nifty scanning software called Kochi which actually tries to authenticate to your AD: <http://oss.lboro.ac.uk/kochi1.html>

I guess there's some client based tools too to stem the flow of passwords through the browser; check out the Wikipedia article for a list of things to try: http://en.wikipedia.org/wiki/Anti-phishing_software

~JasonG
