Outlook 2007SP2 Exchange 2003SP2 Message was sent in plain text Where you are seeing strange code
The top line was a path slash slash server slash windows slash system32 slash logfiles slash w3svc1 Next line was asterisk blinks asterisk Next line after I hope so was three periods Next line after Me was a spacedash Beats the heck out of me why it apostrophe s is being rendered that way to you guys comma I have never seen this before period Putting this here so as not to chance adding another message of doom to the list comma I said grep because I used a program called Windows Grep to pull out the relevant bits from a massive log file smile -----Original Message----- From: Micheal Espinola Jr [mailto:[email protected]] Sent: Wednesday, July 22, 2009 2:22 PM To: MS-Exchange Admin Issues Subject: Re: 2k3 message tracking-Resolved What are you using for a mailer? I'd love to know what makes these fantastic codes I keep seeing. -- ME2 On Wed, Jul 22, 2009 at 2:00 PM, <[email protected]> wrote: > I've grepped out a bit of a log file from my > +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 > directory > > I can send you- My OWA session Logging on, creating and sending a message and > logging off. > Let me know if it's ok to send to your vhcc.edu address. > > +ACo-blinks+ACo- > > neat and clear manner? I hope so+ICY- > without HUGE sigs and disclaimers? Check. > Graphics and other unnecessary additions? Check > > Me +IBM- > list noob? Yep, been here for all of two months tomorrow. > see inline graphics before? Yep. > See complaints about inline graphics before today? Nope but duly noted. > > reasonably spell checked? Check > grammatically correct Nope. > > > > > -----Original Message----- > From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- > Sent: Wednesday, July 22, 2009 11:07 AM > To: MS-Exchange Admin Issues > Subject: RE: 2k3 message tracking-Resolved > > I don't see anything referencing logins in the iis logs. Anyone care to > share what it looks like so I know what I'm searching for? > Maybe I don't have the logging configured correctly or am not looking for the > right thing. > All I see in the log is the get, search and propfind and search verbs. > > -----Original Message----- > From: Miller Bonnie L. +AFs-mailto:millerbl+AEA-mukilteo.wednet.edu+AF0- > Sent: Wednesday, July 22, 2009 9:48 AM > To: MS-Exchange Admin Issues > Subject: RE: 2k3 message tracking-Resolved > > Can you find the logons in your server's IIS logs? I'm guessing they are > going to show a lot of activity if it came through via OWA. > > -Bonnie > > -----Original Message----- > From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- > Sent: Wednesday, July 22, 2009 6:08 AM > To: MS-Exchange Admin Issues > Subject: RE: 2k3 message tracking-Resolved > > Thanks to all for the suggestions. > I finally had time to work on this more and found where the two users had > replied to phishing emails, provided their user name and password. > Looks like the phishers have a script that runs against owa and sends out all > the spam. > The guilty users are being dealt with by their supervisors. I suggested a > clue-by-four upside the head as they been through security training(twice) > that addresses this exact issue. > Oh well, job security. > One last question. > Is it possible to tell if the email were dumped into the exchange server via > owa or an outlook client. > I'm not seeing any reference to Outlook in the messages so I'm leaning > towards OWA. > > -----Original Message----- > From: Jason Gurtz +AFs-mailto:jasongurtz+AEA-npumail.com+AF0- > Sent: Tuesday, July 21, 2009 3:49 PM > To: MS-Exchange Admin Issues > Subject: RE: 2k3 message tracking > > +AD4- When I reset the password on the two accounts that were sending all the > +AD4- spam, it stopped and hasn+IBk-t returned so the only conclusion > I+IBk-ve come up > +AD4- with is that these two accounts got their password stolen, and then some > +AD4- script or bot accessed their OWA account and sent all the spam. > +AD4- > +AD4- Does that sound possible/logical? > > Sounds like the users where phished and from what I've heard, this is very > common at edu's. You might want to check out installing something like > Untangle which has an anti-phishing filter +ADw-http://www.untangle.com/+AD4- > in > front of your mail server(s). > > If you're motivated enough to install a Linux based mail gateway you may > be > able to use this nifty scanning software called Kochi which actually tries > to authenticate to your AD: > +ADw-http://oss.lboro.ac.uk/kochi1.html+AD4- > > I guess there's some client based tools too to stem the flow of passwords > through the browser, check out the Wikipedia article for a list of things > to > try: http://en.wikipedia.org/wiki/Anti-phishing+AF8-software > > +AH4-JasonG > > > > > > >
