Sure thing.
I'd appreciate seeing the log of a session.
Glen.

-----Original Message-----
From: [email protected] [mailto:[email protected]] 
Sent: Wednesday, July 22, 2009 2:01 PM
To: MS-Exchange Admin Issues
Subject: RE: 2k3 message tracking-Resolved

I've grepped out a bit of a log file from my 
\\server\c$\WINDOWS\system32\LogFiles\W3SVC1 directory.

I can send you my OWA session: logging on, creating and sending a message, and 
logging off.
Let me know if it's OK to send to your vhcc.edu address.

*blinks*

neat and clear manner?    I hope so…
without HUGE sigs and disclaimers?   Check.
Graphics and other unnecessary additions? Check

Me –
list noob? Yep, been here for all of two months tomorrow.
see inline graphics before?  Yep.
See complaints about inline graphics before today? Nope but duly noted.

reasonably spell checked?  Check
grammatically correct  Nope.




-----Original Message-----
From: Glen Johnson [mailto:[email protected]] 
Sent: Wednesday, July 22, 2009 11:07 AM
To: MS-Exchange Admin Issues
Subject: RE: 2k3 message tracking-Resolved

I don't see anything referencing logins in the IIS logs.  Anyone care to share 
what it looks like so I know what I'm searching for?
Maybe I don't have the logging configured correctly or am not looking for the 
right thing.
All I see in the log is the GET, SEARCH and PROPFIND verbs.
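
An added example, not part of any message in this thread: one way to look for account activity in the W3SVC1 logs is to group requests by the `cs-username` field instead of searching for a "login" line. It assumes W3C extended logging with `cs-username` and `c-ip` enabled and OWA served under `/exchange`; the sample lines, domain and user names are constructed, and ranking by POST count is only a heuristic.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2009-07-20 13:02:11 192.0.2.10 CAMPUS\\alice GET /exchange/alice/Inbox 200
2009-07-20 13:02:15 192.0.2.10 CAMPUS\\alice PROPFIND /exchange/alice/Inbox 207
2009-07-20 13:05:40 198.51.100.7 CAMPUS\\bob POST /exchange/bob/Drafts 302
2009-07-20 13:05:41 198.51.100.7 CAMPUS\\bob POST /exchange/bob/Drafts 302
2009-07-20 13:05:42 203.0.113.9 CAMPUS\\bob POST /exchange/bob/Drafts 302
2009-07-20 13:06:00 192.0.2.33 - GET /exchweb/img/logo.gif 200
"""

def summarize_owa(lines, prefix="/exchange"):
    """Per authenticated user: hits, client IPs and HTTP verbs under `prefix`."""
    fields = []
    users = defaultdict(lambda: {"hits": 0, "ips": set(), "methods": defaultdict(int)})
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is whatever the server logs
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        user = row.get("cs-username", "-").lower()
        if user == "-" or not row.get("cs-uri-stem", "").lower().startswith(prefix):
            continue  # anonymous request or not a mailbox URL
        entry = users[user]
        entry["hits"] += 1
        entry["ips"].add(row.get("c-ip", "?"))
        entry["methods"][row.get("cs-method", "?").upper()] += 1
    return dict(users)

def rank_by_posts(summary):
    """Busiest accounts first: (user, POST count, total hits, distinct IPs)."""
    rows = [(u, e["methods"].get("POST", 0), e["hits"], len(e["ips"]))
            for u, e in summary.items()]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))

if __name__ == "__main__":
    for user, posts, hits, ips in rank_by_posts(summarize_owa(SAMPLE_LOG.splitlines())):
        print(f"{user:20} POST={posts:<4} hits={hits:<4} client_ips={ips}")
```

If `cs-username` is always `-`, the user name field is not selected in the site's W3C logging properties.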

-----Original Message-----
From: Miller Bonnie L. [mailto:[email protected]] 
Sent: Wednesday, July 22, 2009 9:48 AM
To: MS-Exchange Admin Issues
Subject: RE: 2k3 message tracking-Resolved

Can you find the logons in your server's IIS logs?  I'm guessing they are going 
to show a lot of activity if it came through via OWA.

-Bonnie

-----Original Message-----
From: Glen Johnson [mailto:[email protected]] 
Sent: Wednesday, July 22, 2009 6:08 AM
To: MS-Exchange Admin Issues
Subject: RE: 2k3 message tracking-Resolved

Thanks to all for the suggestions.
I finally had time to work on this more and found where the two users had 
replied to phishing emails and provided their user name and password.
Looks like the phishers have a script that runs against OWA and sends out all 
the spam.
The guilty users are being dealt with by their supervisors.  I suggested a 
clue-by-four upside the head, as they have been through security training (twice) 
that addresses this exact issue.
Oh well, job security.
One last question.
Is it possible to tell if the emails were dumped into the Exchange server via 
OWA or an Outlook client?
I'm not seeing any reference to Outlook in the messages so I'm leaning towards 
OWA.

-----Original Message-----
From: Jason Gurtz [mailto:[email protected]] 
Sent: Tuesday, July 21, 2009 3:49 PM
To: MS-Exchange Admin Issues
Subject: RE: 2k3 message tracking

> When I reset the password on the two accounts that were sending all the
> spam, it stopped and hasn’t returned so the only conclusion I’ve come up
> with is that these two accounts got their password stolen, and then some
> script or bot accessed their OWA account and sent all the spam.
>
> Does that sound possible/logical?

Sounds like the users were phished and from what I've heard, this is very
common at edu's.  You might want to check out installing something like
Untangle which has an anti-phishing filter <http://www.untangle.com/> in
front of your mail server(s).

If you're motivated enough to install a Linux based mail gateway you may be
able to use this nifty scanning software called Kochi which actually tries
to authenticate to your AD:
<http://oss.lboro.ac.uk/kochi1.html>

I guess there's some client based tools too to stem the flow of passwords
through the browser, check out the Wikipedia article for a list of things to
try: http://en.wikipedia.org/wiki/Anti-phishing_software

~JasonG






