I really really dislike vi, really I do.

On Wed, Jul 22, 2009 at 3:30 PM, Don Andrews <[email protected]> wrote:

>  Yup, grep is quite a tool if not meaningfully named – like vi – at least
> tail gives you a clue.
>
>
>  ------------------------------
>
> *From:* Sherry Abercrombie [mailto:[email protected]]
> *Sent:* Wednesday, July 22, 2009 12:10 PM
> *To:* MS-Exchange Admin Issues
> *Subject:* Re: 2k3 message tracking-Resolved
>
>
>
> LOL, well, usually only someone with *nix experience would even use the
> word grep because most windows admins have no clue what grep is.  Never
> heard of this Windows Grep......off to Google to have a look at it.
>
> On Wed, Jul 22, 2009 at 1:45 PM, <[email protected]> wrote:
>
> Outlook 2007SP2
> Exchange 2003SP2
> Message was sent in plain text
>
> Where you are seeing strange code
>
> The top line was a path slash slash server slash windows slash system32
> slash logfiles  slash w3svc1
> Next line was asterisk blinks asterisk
> Next line after I hope so was three periods
> Next line after Me was a spacedash
>
> Beats the heck out of me why it apostrophe s is being rendered that way to
> you guys comma I have never seen this before period
>
> Putting this here so as not to chance adding another message of doom to the
> list comma I said grep because I used a program called Windows Grep to pull
> out the relevant bits from a massive log file smile
>
>
>
> -----Original Message-----
> From: Micheal Espinola Jr [mailto:[email protected]]
> Sent: Wednesday, July 22, 2009 2:22 PM
> To: MS-Exchange Admin Issues
>
> Subject: Re: 2k3 message tracking-Resolved
>
> What are you using for a mailer?  I'd love to know what makes these
> fantastic codes I keep seeing.
>
> --
> ME2
>
>
>
> On Wed, Jul 22, 2009 at 2:00 PM, <[email protected]> wrote:
> > I've grepped out a bit of a log file from my +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 directory
> >
> > I can send you- My OWA session Logging on, creating and sending a message and logging off.
> > Let me know if it's ok to send to your vhcc.edu address.
> >
> > +ACo-blinks+ACo-
> >
> > neat and clear manner?    I hope so+ICY-
> > without HUGE sigs and disclaimers?   Check.
> > Graphics and other unnecessary additions? Check
> >
> > Me +IBM-
> > list noob? Yep, been here for all of two months tomorrow.
> > see inline graphics before?  Yep.
> > See complaints about inline graphics before today? Nope but duly noted.
> >
> > reasonably spell checked?  Check
> > grammatically correct  Nope.
> >
> >
> >
> >
> > -----Original Message-----
> > From: Glen Johnson [mailto:gjohnson@vhcc.edu]
> > Sent: Wednesday, July 22, 2009 11:07 AM
> > To: MS-Exchange Admin Issues
> > Subject: RE: 2k3 message tracking-Resolved
> >
> > I don't see anything referencing logins in the iis logs.  Anyone care to share what it looks like so I know what I'm searching for?
> > Maybe I don't have the logging configured correctly or am not looking for the right thing.
> > All I see in the log is the get, search and propfind and search verbs.
> >
> > -----Original Message-----
> > From: Miller Bonnie L. [mailto:millerbl@mukilteo.wednet.edu]
> > Sent: Wednesday, July 22, 2009 9:48 AM
> > To: MS-Exchange Admin Issues
> > Subject: RE: 2k3 message tracking-Resolved
> >
> > Can you find the logons in your server's IIS logs?  I'm guessing they are going to show a lot of activity if it came through via OWA.
> >
> > -Bonnie
> >
> > -----Original Message-----
> > From: Glen Johnson [mailto:gjohnson@vhcc.edu]
> > Sent: Wednesday, July 22, 2009 6:08 AM
> > To: MS-Exchange Admin Issues
> > Subject: RE: 2k3 message tracking-Resolved
> >
> > Thanks to all for the suggestions.
> > I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password.
> > Looks like the phishers have a script that runs against owa and sends out all the spam.
> > The guilty users are being dealt with by their supervisors.  I suggested a clue-by-four upside the head as they have been through security training (twice) that addresses this exact issue.
> > Oh well, job security.
> > One last question.
> > Is it possible to tell if the email were dumped into the exchange server via owa or an outlook client?
> > I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA.
> >
> > -----Original Message-----
> > From: Jason Gurtz [mailto:jasongurtz@npumail.com]
> > Sent: Tuesday, July 21, 2009 3:49 PM
> > To: MS-Exchange Admin Issues
> > Subject: RE: 2k3 message tracking
> >
> > > When I reset the password on the two accounts that were sending all the
> > > spam, it stopped and hasn’t returned so the only conclusion I’ve come up
> > > with is that these two accounts got their password stolen, and then some
> > > script or bot accessed their OWA account and sent all the spam.
> > >
> > > Does that sound possible/logical?
> >
> > Sounds like the users were phished and from what I've heard, this is very
> > common at edu's.  You might want to check out installing something like
> > Untangle which has an anti-phishing filter <http://www.untangle.com/> in
> > front of your mail server(s).
> >
> > If you're motivated enough to install a Linux based mail gateway you may be
> > able to use this nifty scanning software called Kochi which actually tries
> > to authenticate to your AD:
> > <http://oss.lboro.ac.uk/kochi1.html>
> >
> > I guess there's some client based tools too to stem the flow of passwords
> > through the browser, check out the Wikipedia article for a list of things to
> > try: http://en.wikipedia.org/wiki/Anti-phishing_software
> >
> > ~JasonG
> >
> >
> >
> >
> >
> >
> >
>
>
>
>
>
>
> --
> Sherry Abercrombie
>
> "Any sufficiently advanced technology is indistinguishable from magic."
> Arthur C. Clarke
> Sent from Haslet, TX, United States
>



-- 
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic."
Arthur C. Clarke
Sent from Haslet, TX, United States
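
For the IIS log question quoted further down the thread (what OWA activity by a logged-on account looks like in the W3SVC1 logs), here is an added example that is not from any poster on the list. It summarises authenticated /exchange requests per user and client address; the sample log lines, user names, the /exchange prefix and the POST threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended format; not taken from the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2009-07-21 08:01:12 192.0.2.10 jdoe GET /exchange/jdoe/ 200
2009-07-21 08:01:15 192.0.2.10 jdoe PROPFIND /exchange/jdoe/Inbox 207
2009-07-21 08:02:40 192.0.2.10 jdoe SEARCH /exchange/jdoe/Inbox 207
2009-07-21 09:14:03 198.51.100.7 asmith POST /exchange/asmith/Drafts/ 302
2009-07-21 09:14:04 198.51.100.7 asmith POST /exchange/asmith/Drafts/ 302
2009-07-21 09:14:05 198.51.100.7 asmith POST /exchange/asmith/Drafts/ 302
2009-07-21 09:14:06 198.51.100.7 asmith POST /exchange/asmith/Drafts/ 302
2009-07-21 09:15:00 203.0.113.5 - GET /exchange/ 401
"""

def parse_w3c(text):
    """Yield one dict per request, honouring each #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def owa_activity(text, prefix="/exchange"):
    """Map (user, client IP) -> Counter of HTTP methods for OWA requests."""
    seen = defaultdict(Counter)
    for row in parse_w3c(text):
        user = row.get("cs-username", "-")
        if user == "-":  # request carried no authenticated user
            continue
        if row.get("cs-uri-stem", "").lower().startswith(prefix):
            key = (user.lower(), row.get("c-ip", "-"))
            seen[key][row.get("cs-method", "-")] += 1
    return seen

def heavy_posters(text, min_posts=3):
    """(user, ip) pairs with at least min_posts POSTs (assumed threshold)."""
    activity = owa_activity(text)
    return sorted(k for k, m in activity.items() if m["POST"] >= min_posts)

if __name__ == "__main__":
    for (user, ip), methods in sorted(owa_activity(SAMPLE_LOG).items()):
        print(user, ip, dict(methods))
    print("review:", heavy_posters(SAMPLE_LOG))
```

The cs-username field is only present if it is enabled in the site's W3C logging properties, so a log with "-" in every row says nothing about who was logged on.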
