Based on the grep statement, I would guess it's a *nix based email application, but that's just a guess.
On Wed, Jul 22, 2009 at 1:22 PM, Micheal Espinola Jr < [email protected]> wrote: > What are you using for a mailer? I'd love to know what makes these > fantastic codes I keep seeing. > > -- > ME2 > > > > On Wed, Jul 22, 2009 at 2:00 PM, <[email protected]> wrote: > > I've grepped out a bit of a log file from my > +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 > directory > > > > I can send you- My OWA session Logging on, creating and sending a message > and logging off. > > Let me know if it's ok to send to your vhcc.edu address. > > > > +ACo-blinks+ACo- > > > > neat and clear manner? I hope so+ICY- > > without HUGE sigs and disclaimers? Check. > > Graphics and other unnecessary additions? Check > > > > Me +IBM- > > list noob? Yep, been here for all of two months tomorrow. > > see inline graphics before? Yep. > > See complaints about inline graphics before today? Nope but duly noted. > > > > reasonably spell checked? Check > > grammatically correct Nope. > > > > > > > > > > -----Original Message----- > > From: Glen Johnson > > +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0-<gjohnson%2BAEA-vhcc.edu%2BAF0-> > > Sent: Wednesday, July 22, 2009 11:07 AM > > To: MS-Exchange Admin Issues > > Subject: RE: 2k3 message tracking-Resolved > > > > I don't see anything referencing logins in the iis logs. Anyone care to > share what it looks like so I know what I'm searching for? > > Maybe I don't have the logging configured correctly or am not looking for > the right thing. > > All I see in the log is the get, search and propfind and search verbs. > > > > -----Original Message----- > > From: Miller Bonnie L. > > +AFs-mailto:millerbl+AEA-mukilteo.wednet.edu+AF0-<millerbl%2BAEA-mukilteo.wednet.edu%2BAF0-> > > Sent: Wednesday, July 22, 2009 9:48 AM > > To: MS-Exchange Admin Issues > > Subject: RE: 2k3 message tracking-Resolved > > > > Can you find the logons in your server's IIS logs? I'm guessing they are > going to show a lot of activity if it came through via OWA. > > > > -Bonnie > > > > -----Original Message----- > > From: Glen Johnson > > +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0-<gjohnson%2BAEA-vhcc.edu%2BAF0-> > > Sent: Wednesday, July 22, 2009 6:08 AM > > To: MS-Exchange Admin Issues > > Subject: RE: 2k3 message tracking-Resolved > > > > Thanks to all for the suggestions. > > I finally had time to work on this more and found where the two users had > replied to phishing emails, provided their user name and password. > > Looks like the phishers have a script that runs against owa and sends out > all the spam. > > The guilty users are being dealt with by their supervisors. I suggested > a clue-by-four upside the head as they been through security training(twice) > that addresses this exact issue. > > Oh well, job security. > > One last question. > > Is it possible to tell if the email were dumped into the exchange server > via owa or an outlook client. > > I'm not seeing any reference to Outlook in the messages so I'm leaning > towards OWA. > > > > -----Original Message----- > > From: Jason Gurtz > > +AFs-mailto:jasongurtz+AEA-npumail.com+AF0-<jasongurtz%2BAEA-npumail.com%2BAF0-> > > Sent: Tuesday, July 21, 2009 3:49 PM > > To: MS-Exchange Admin Issues > > Subject: RE: 2k3 message tracking > > > > +AD4- When I reset the password on the two accounts that were sending all > the > > +AD4- spam, it stopped and hasn+IBk-t returned so the only conclusion > I+IBk-ve come up > > +AD4- with is that these two accounts got their password stolen, and then > some > > +AD4- script or bot accessed their OWA account and sent all the spam. > > +AD4- > > +AD4- Does that sound possible/logical? > > > > Sounds like the users where phished and from what I've heard, this is > very > > common at edu's. You might want to check out installing something like > > Untangle which has an anti-phishing filter +ADw- > http://www.untangle.com/+AD4- in > > front of your mail server(s). > > > > If you're motivated enough to install a Linux based mail gateway you may > > be > > able to use this nifty scanning software called Kochi which actually > tries > > to authenticate to your AD: > > +ADw-http://oss.lboro.ac.uk/kochi1.html+AD4- > > > > I guess there's some client based tools too to stem the flow of passwords > > through the browser, check out the Wikipedia article for a list of things > > to > > try: http://en.wikipedia.org/wiki/Anti-phishing+AF8-software > > > > +AH4-JasonG > > > > > > > > > > > > > > > > > -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke
