Yes the sent messages are on the two users sent item folder. Thousands of them.
From: [email protected] [mailto:[email protected]] Sent: Wednesday, July 22, 2009 9:48 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved If they used the mailbox (Outlook or OWA) you'd see something in sent items. This telnet is from my workstation to one of our bridgeheads to a hotmail account. It isn’t in my sent items but the hotmail account got it. I’d guess the script used did the same thing, just a whole lot faster! . -----Original Message----- From: Glen Johnson [mailto:[email protected]] Sent: Wednesday, July 22, 2009 9:08 AM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking-Resolved Thanks to all for the suggestions. I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password. Looks like the phishers have a script that runs against owa and sends out all the spam. The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they been through security training(twice) that addresses this exact issue. Oh well, job security. One last question. Is it possible to tell if the email were dumped into the exchange server via owa or an outlook client. I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA. -----Original Message----- From: Jason Gurtz [mailto:[email protected]] Sent: Tuesday, July 21, 2009 3:49 PM To: MS-Exchange Admin Issues Subject: RE: 2k3 message tracking > When I reset the password on the two accounts that were sending all the > spam, it stopped and hasn’t returned so the only conclusion I’ve come up > with is that these two accounts got their password stolen, and then some > script or bot accessed their OWA account and sent all the spam. > > Does that sound possible/logical? Sounds like the users where phished and from what I've heard, this is very common at edu's. You might want to check out installing something like Untangle which has an anti-phishing filter <http://www.untangle.com/> in front of your mail server(s). If you're motivated enough to install a Linux based mail gateway you may be able to use this nifty scanning software called Kochi which actually tries to authenticate to your AD: <http://oss.lboro.ac.uk/kochi1.html> I guess there's some client based tools too to stem the flow of passwords through the browser, check out the Wikipedia article for a list of things to try: http://en.wikipedia.org/wiki/Anti-phishing_software ~JasonG
<<image001.jpg>>
