I'd agree, except that being able to do things like piping the live tail of a log into grep to filter for things like IP or certain strings just tickled me. Not sure that'd work with a gui.
________________________________
From: Sherry Abercrombie [mailto:[email protected]]
Sent: Wednesday, July 22, 2009 12:31 PM
To: MS-Exchange Admin Issues
Subject: Re: 2k3 message tracking-Resolved

I'm a reluctant *nix admin, so I'll take gui over command line any day. ;)

On Wed, Jul 22, 2009 at 2:25 PM, Jason Gurtz <[email protected]> wrote:

If you don't need a gui interface there's actually native ports (including installers and no Cygwin needed!) of most gnu utils available. Check out gnuwin32.sf.net, click packages and click grep.

The only drawback I find is that using these tools inhibits my grokking of powershell a bit since it's a throwing around text vs. throwing around objects situation. Whee!

~JasonG

> -----Original Message-----
> From: Sherry Abercrombie [mailto:[email protected]]
> Sent: Wednesday, July 22, 2009 15:10
> To: MS-Exchange Admin Issues
> Subject: Re: 2k3 message tracking-Resolved
>
> LOL, well, usually only someone with *nix experience would even use the
> word grep because most windows admins have no clue what grep is. Never
> heard of this Windows Grep......off to Google to have a look at it.
>
> On Wed, Jul 22, 2009 at 1:45 PM, <[email protected]> wrote:
>
> Outlook 2007SP2
> Exchange 2003SP2
> Message was sent in plain text
>
> Where you are seeing strange code
>
> The top line was a path slash slash server slash windows slash system32 slash logfiles slash w3svc1
> Next line was asterisk blinks asterisk
> Next line after I hope so was three periods
> Next line after Me was a spacedash
>
> Beats the heck out of me why it apostrophe s is being rendered that way to you guys comma I have never seen this before period
>
> Putting this here so as not to chance adding another message of doom to the list comma I said grep because I used a program called Windows Grep to pull out the relevant bits from a massive log file smile
>
> -----Original Message-----
> From: Micheal Espinola Jr [mailto:[email protected]]
> Sent: Wednesday, July 22, 2009 2:22 PM
> To: MS-Exchange Admin Issues
> Subject: Re: 2k3 message tracking-Resolved
>
> What are you using for a mailer? I'd love to know what makes these
> fantastic codes I keep seeing.
>
> --
> ME2
>
> On Wed, Jul 22, 2009 at 2:00 PM, <[email protected]> wrote:
> > I've grepped out a bit of a log file from my +AFwAXA-server+AFw-c+ACQAXA-WINDOWS+AFw-system32+AFw-LogFiles+AFw-W3SVC1 directory
> >
> > I can send you- My OWA session Logging on, creating and sending a message and logging off.
> > Let me know if it's ok to send to your vhcc.edu address.
> >
> > +ACo-blinks+ACo-
> >
> > neat and clear manner? I hope so+ICY-
> > without HUGE sigs and disclaimers? Check.
> > Graphics and other unnecessary additions? Check
> >
> > Me +IBM-
> > list noob? Yep, been here for all of two months tomorrow.
> > see inline graphics before? Yep.
> > See complaints about inline graphics before today? Nope but duly noted.
> >
> > reasonably spell checked? Check
> > grammatically correct Nope.
> >
> > -----Original Message-----
> > From: Glen Johnson [mailto:gjohnson@vhcc.edu]
> > Sent: Wednesday, July 22, 2009 11:07 AM
> > To: MS-Exchange Admin Issues
> > Subject: RE: 2k3 message tracking-Resolved
> >
> > I don't see anything referencing logins in the iis logs. Anyone care to share what it looks like so I know what I'm searching for?
> > Maybe I don't have the logging configured correctly or am not looking for the right thing.
> > All I see in the log is the get, search and propfind and search verbs.
> >
> > -----Original Message-----
> > From: Miller Bonnie L. [mailto:millerbl@mukilteo.wednet.edu]
> > Sent: Wednesday, July 22, 2009 9:48 AM
> > To: MS-Exchange Admin Issues
> > Subject: RE: 2k3 message tracking-Resolved
> >
> > Can you find the logons in your server's IIS logs? I'm guessing they are going to show a lot of activity if it came through via OWA.
> >
> > -Bonnie
> >
> > -----Original Message-----
> > From: Glen Johnson [mailto:gjohnson@vhcc.edu]
> > Sent: Wednesday, July 22, 2009 6:08 AM
> > To: MS-Exchange Admin Issues
> > Subject: RE: 2k3 message tracking-Resolved
> >
> > Thanks to all for the suggestions.
> > I finally had time to work on this more and found where the two users had replied to phishing emails, provided their user name and password.
> > Looks like the phishers have a script that runs against owa and sends out all the spam.
> > The guilty users are being dealt with by their supervisors. I suggested a clue-by-four upside the head as they've been through security training (twice) that addresses this exact issue.
> > Oh well, job security.
> > One last question.
> > Is it possible to tell if the email were dumped into the exchange server via owa or an outlook client.
> > I'm not seeing any reference to Outlook in the messages so I'm leaning towards OWA.
> >
> > -----Original Message-----
> > From: Jason Gurtz [mailto:jasongurtz@npumail.com]
> > Sent: Tuesday, July 21, 2009 3:49 PM
> > To: MS-Exchange Admin Issues
> > Subject: RE: 2k3 message tracking
> >
> > > When I reset the password on the two accounts that were sending all the
> > > spam, it stopped and hasn’t returned so the only conclusion I’ve come up
> > > with is that these two accounts got their password stolen, and then some
> > > script or bot accessed their OWA account and sent all the spam.
> > >
> > > Does that sound possible/logical?
> >
> > Sounds like the users were phished and from what I've heard, this is very
> > common at edu's. You might want to check out installing something like
> > Untangle which has an anti-phishing filter <http://www.untangle.com/> in
> > front of your mail server(s).
> >
> > If you're motivated enough to install a Linux based mail gateway you may be
> > able to use this nifty scanning software called Kochi which actually tries
> > to authenticate to your AD:
> > <http://oss.lboro.ac.uk/kochi1.html>
> >
> > I guess there's some client based tools too to stem the flow of passwords
> > through the browser, check out the Wikipedia article for a list of things to
> > try: http://en.wikipedia.org/wiki/Anti-phishing_software
> >
> > ~JasonG
>
> --
> Sherry Abercrombie
>
> "Any sufficiently advanced technology is indistinguishable from magic."
> Arthur C. Clarke
> Sent from Haslet, TX, United States

--
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic."
Arthur C. Clarke
Sent from Haslet, TX, United States
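Added example, not part of the original thread: one way to do the IIS log check discussed above with the text tools the thread mentions, counting authenticated OWA requests per user and client IP so an account driven from an unexpected address stands out. It assumes W3C extended logs with a "#Fields:" header and OWA served under /exchange; the sample log, user names and addresses are constructed.

```shell
#!/bin/sh
# Count authenticated OWA requests per user and client IP in IIS W3C logs.
# Columns are located from the "#Fields:" header, so field order may vary.
owa_summary() {
    awk '
        /^#Fields:/ {
            split("", col)                      # header may repeat mid-file
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            next
        }
        /^#/ { next }                           # other directive lines
        ("cs-username" in col) && ("c-ip" in col) && ("cs-uri-stem" in col) {
            user = tolower($(col["cs-username"]))
            stem = tolower($(col["cs-uri-stem"]))
            if (user == "-") next               # unauthenticated request
            if (index(stem, "/exchange") != 1) next   # assumed OWA path
            n[user " " $(col["c-ip"])]++
        }
        END { for (k in n) print n[k], k }      # count, user, client IP
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample log (not from the thread): documentation-range
# addresses and made-up accounts.
sample_log() {
    cat <<'EOF'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2009-07-21 13:58:02 192.0.2.10 GET /iisstart.htm - 80 - 198.51.100.7 Mozilla/4.0 200
2009-07-21 14:02:11 192.0.2.10 GET /exchange/alice/Inbox/ - 443 EXAMPLE\alice 198.51.100.7 Mozilla/4.0 200
2009-07-21 14:02:15 192.0.2.10 PROPFIND /exchange/alice/Inbox/ - 443 EXAMPLE\alice 198.51.100.7 Mozilla/4.0 207
2009-07-21 14:05:40 192.0.2.10 GET /exchange/bob/ - 443 EXAMPLE\bob 198.51.100.9 Mozilla/4.0 200
2009-07-21 23:41:03 192.0.2.10 POST /exchange/bob/Drafts/ - 443 EXAMPLE\bob 203.0.113.50 - 302
2009-07-21 23:41:04 192.0.2.10 POST /exchange/bob/Drafts/ - 443 EXAMPLE\bob 203.0.113.50 - 302
2009-07-21 23:41:05 192.0.2.10 POST /exchange/bob/Drafts/ - 443 EXAMPLE\bob 203.0.113.50 - 302
2009-07-21 23:41:06 192.0.2.10 SEARCH /exchange/bob/Contacts/ - 443 EXAMPLE\bob 203.0.113.50 - 207
EOF
}

sample_log | owa_summary
```

Pass log files as arguments to owa_summary to run it on real logs. The counts are printed at end of input, so it suits finished log files rather than a live tail.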
