Looks like it. The next step would be the edge server logs.

From: John Hornbuckle [mailto:[email protected]]
Sent: Wednesday, June 16, 2010 8:10 AM
To: MS-Exchange Admin Issues
Subject: RE: Tracking Down Spam Source

I wasn't familiar with those (told you I'm not an Exchange expert!), so I 
Google'd them and found that it's not enabled by default. I did find it enabled 
on one of our connectors on our Core server, though, and found what's below. 
Which, if I'm reading it right, says that our core server (.25) received the 
message from our Edge server (.27) rather than vice versa. So that would 
indicate that the message came from outside of our network, right? The Edge 
server received it from somewhere else, then passed it on to the Core server?


2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,0,10.11.1.25:25,10.11.1.27:52804,+,,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,1,10.11.1.25:25,10.11.1.27:52804,*,None,Set 
Session Permissions
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,2,10.11.1.25:25,10.11.1.27:52804,>,"220 
Exchange-Core.taylor.k12.fl.us Microsoft ESMTP MAIL Service ready at Tue, 15 
Jun 2010 18:32:58 -0400",
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,3,10.11.1.25:25,10.11.1.27:52804,<,EHLO 
Exchange-Edge.taylor.k12.fl.us,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,4,10.11.1.25:25,10.11.1.27:52804,>,250-Exchange-Core.taylor.k12.fl.us
 Hello [10.11.1.27],
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,5,10.11.1.25:25,10.11.1.27:52804,>,250-SIZE,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,6,10.11.1.25:25,10.11.1.27:52804,>,250-PIPELINING,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,7,10.11.1.25:25,10.11.1.27:52804,>,250-DSN,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,8,10.11.1.25:25,10.11.1.27:52804,>,250-ENHANCEDSTATUSCODES,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,9,10.11.1.25:25,10.11.1.27:52804,>,250-STARTTLS,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,10,10.11.1.25:25,10.11.1.27:52804,>,250-X-ANONYMOUSTLS,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,11,10.11.1.25:25,10.11.1.27:52804,>,250-AUTH 
NTLM,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,12,10.11.1.25:25,10.11.1.27:52804,>,250-X-EXPS 
GSSAPI NTLM,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,13,10.11.1.25:25,10.11.1.27:52804,>,250-8BITMIME,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,14,10.11.1.25:25,10.11.1.27:52804,>,250-BINARYMIME,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,15,10.11.1.25:25,10.11.1.27:52804,>,250-CHUNKING,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,16,10.11.1.25:25,10.11.1.27:52804,>,250-XEXCH50,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,17,10.11.1.25:25,10.11.1.27:52804,>,250 XRDST,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,18,10.11.1.25:25,10.11.1.27:52804,<,X-ANONYMOUSTLS,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,19,10.11.1.25:25,10.11.1.27:52804,>,220 2.0.0 
SMTP server ready,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,20,10.11.1.25:25,10.11.1.27:52804,*,,Sending 
certificate
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,21,10.11.1.25:25,10.11.1.27:52804,*,CN=Exchange-Core,Certificate
 subject
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,22,10.11.1.25:25,10.11.1.27:52804,*,CN=Exchange-Core,Certificate
 issuer name
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,23,10.11.1.25:25,10.11.1.27:52804,*,76D3561434AE62994B68D1C7F5B2C36F,Certificate
 serial number
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,24,10.11.1.25:25,10.11.1.27:52804,*,002CDBBC5FE11641579E9E6993CA8A4D5BCCCCA4,Certificate
 thumbprint
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,25,10.11.1.25:25,10.11.1.27:52804,*,Exchange-Core;Exchange-Core.taylor.k12.fl.us,Certificate
 alternate names
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,26,10.11.1.25:25,10.11.1.27:52804,*,,Received 
certificate
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,27,10.11.1.25:25,10.11.1.27:52804,*,A96C633400B94A52DDE357FB64DBAECC5A69F50C,Certificate
 thumbprint
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,28,10.11.1.25:25,10.11.1.27:52804,*,,Received 
DirectTrust certificate
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,29,10.11.1.25:25,10.11.1.27:52804,*,CN=Exchange-Edge,Certificate
 subject
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,30,10.11.1.25:25,10.11.1.27:52804,*,CN=Exchange-Edge,Certificate
 issuer name
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,31,10.11.1.25:25,10.11.1.27:52804,*,0FC7305E5F5F3A8B428C7735875E4E08,Certificate
 serial number
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,32,10.11.1.25:25,10.11.1.27:52804,*,A96C633400B94A52DDE357FB64DBAECC5A69F50C,Certificate
 thumbprint
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,33,10.11.1.25:25,10.11.1.27:52804,*,Exchange-Edge;Exchange-Edge.taylor.k12.fl.us,Certificate
 alternate names
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,34,10.11.1.25:25,10.11.1.27:52804,*,SMTPSubmit 
SMTPAcceptAnyRecipient SMTPAcceptAuthenticationFlag SMTPAcceptAnySender 
SMTPAcceptAuthoritativeDomainSender BypassAntiSpam BypassMessageSizeLimit 
SMTPAcceptEXCH50 AcceptRoutingHeaders AcceptForestHeaders 
AcceptOrganizationHeaders,Set Session Permissions
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,35,10.11.1.25:25,10.11.1.27:52804,<,EHLO 
Exchange-Edge.taylor.k12.fl.us,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,36,10.11.1.25:25,10.11.1.27:52804,>,250-Exchange-Core.taylor.k12.fl.us
 Hello [10.11.1.27],
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,37,10.11.1.25:25,10.11.1.27:52804,>,250-SIZE,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,38,10.11.1.25:25,10.11.1.27:52804,>,250-PIPELINING,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,39,10.11.1.25:25,10.11.1.27:52804,>,250-DSN,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,40,10.11.1.25:25,10.11.1.27:52804,>,250-ENHANCEDSTATUSCODES,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,41,10.11.1.25:25,10.11.1.27:52804,>,250-AUTH 
NTLM,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,42,10.11.1.25:25,10.11.1.27:52804,>,250-X-EXPS 
EXCHANGEAUTH GSSAPI NTLM,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,43,10.11.1.25:25,10.11.1.27:52804,>,250-X-EXCHANGEAUTH
 SHA256,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,44,10.11.1.25:25,10.11.1.27:52804,>,250-8BITMIME,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,45,10.11.1.25:25,10.11.1.27:52804,>,250-BINARYMIME,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,46,10.11.1.25:25,10.11.1.27:52804,>,250-CHUNKING,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,47,10.11.1.25:25,10.11.1.27:52804,>,250-XEXCH50,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,48,10.11.1.25:25,10.11.1.27:52804,>,250 XRDST,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,49,10.11.1.25:25,10.11.1.27:52804,<,MAIL FROM:<> 
SIZE=17470,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,50,10.11.1.25:25,10.11.1.27:52804,*,08CCDA91AA99FF5D;2010-06-15T22:32:59.687Z;1,receiving
 message
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,51,10.11.1.25:25,10.11.1.27:52804,>,250 2.1.0 
Sender OK,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,52,10.11.1.25:25,10.11.1.27:52804,<,RCPT 
TO:<[email protected]>,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,53,10.11.1.25:25,10.11.1.27:52804,>,250 2.1.5 
Recipient OK,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,54,10.11.1.25:25,10.11.1.27:52804,<,XEXCH50 48 2,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,55,10.11.1.25:25,10.11.1.27:52804,>,354 Send 
binary data,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,56,10.11.1.25:25,10.11.1.27:52804,>,250 2.0.0 
XEXCH50 OK,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,57,10.11.1.25:25,10.11.1.27:52804,<,BDAT 17470 
LAST,
2010-06-15T22:32:59.859Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,58,10.11.1.25:25,10.11.1.27:52804,>,250 2.6.0 
<bcce9f93-51a7-4862-90d9-57217e002766> Queued mail for delivery,
2010-06-15T22:32:59.859Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,59,10.11.1.25:25,10.11.1.27:52804,<,QUIT,
2010-06-15T22:32:59.859Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,60,10.11.1.25:25,10.11.1.27:52804,>,221 2.0.0 
Service closing transmission channel,
2010-06-15T22:32:59.859Z,EXCHANGE-CORE\Default 
EXCHANGE-CORE,08CCDA91AA99FF5D,61,10.11.1.25:25,10.11.1.27:52804,-,,Local
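As an added example (not code from the thread), a small Python parser for the receive-connector protocol log quoted above: it groups entries by session-id and reports which host connected, what it announced in EHLO and which envelope it submitted. On a receive connector the local-endpoint is the listening socket, so the remote-endpoint is the submitting host. The sample lines are constructed from the session above with a placeholder recipient.

```python
import csv
import io

# Constructed sample: a trimmed Exchange 2010 receive-connector protocol log in the
# same comma-separated layout as the session quoted above (event '+' connect,
# '<' received, '>' sent, '*' info, '-' disconnect). The recipient is a placeholder.
SAMPLE_LOG = r"""#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default EXCHANGE-CORE,08CCDA91AA99FF5D,0,10.11.1.25:25,10.11.1.27:52804,+,,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default EXCHANGE-CORE,08CCDA91AA99FF5D,3,10.11.1.25:25,10.11.1.27:52804,<,EHLO Exchange-Edge.taylor.k12.fl.us,
2010-06-15T22:32:59.687Z,EXCHANGE-CORE\Default EXCHANGE-CORE,08CCDA91AA99FF5D,18,10.11.1.25:25,10.11.1.27:52804,<,X-ANONYMOUSTLS,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default EXCHANGE-CORE,08CCDA91AA99FF5D,49,10.11.1.25:25,10.11.1.27:52804,<,MAIL FROM:<> SIZE=17470,
2010-06-15T22:32:59.718Z,EXCHANGE-CORE\Default EXCHANGE-CORE,08CCDA91AA99FF5D,52,10.11.1.25:25,10.11.1.27:52804,<,RCPT TO:<user@example.com>,
2010-06-15T22:32:59.859Z,EXCHANGE-CORE\Default EXCHANGE-CORE,08CCDA91AA99FF5D,58,10.11.1.25:25,10.11.1.27:52804,>,250 2.6.0 <bcce9f93-51a7-4862-90d9-57217e002766> Queued mail for delivery,
2010-06-15T22:32:59.859Z,EXCHANGE-CORE\Default EXCHANGE-CORE,08CCDA91AA99FF5D,61,10.11.1.25:25,10.11.1.27:52804,-,,Local
"""

FIELDS = ["date_time", "connector_id", "session_id", "sequence_number",
          "local_endpoint", "remote_endpoint", "event", "data", "context"]

def parse_protocol_log(text):
    """One dict per log entry; lines starting with '#' are the log's own header comments."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text))
            if row and not row[0].startswith("#")]

def summarize_sessions(rows):
    """Group entries by session-id and extract what a spam-source investigation needs.
    local-endpoint is the connector's listening socket, so remote-endpoint is the
    host that connected and submitted the message."""
    sessions = {}
    for r in rows:
        s = sessions.setdefault(r["session_id"], {
            "connector": r["connector_id"], "listener": r["local_endpoint"],
            "submitter": r["remote_endpoint"].rsplit(":", 1)[0],
            "helo": None, "mail_from": None, "rcpt_to": [], "tls": False,
            "queued_id": None})
        ev, data = r["event"], r["data"]
        if ev == "<":                       # command received from the peer
            verb = data.upper()
            if verb.startswith(("EHLO ", "HELO ")):
                s["helo"] = data.split(None, 1)[1]
            elif verb.startswith("MAIL FROM:"):
                s["mail_from"] = data[10:].split()[0]
            elif verb.startswith("RCPT TO:"):
                s["rcpt_to"].append(data[8:].split()[0])
            elif verb in ("STARTTLS", "X-ANONYMOUSTLS"):
                s["tls"] = True
        elif ev == ">" and data.startswith("250 2.6.0") and "<" in data:
            s["queued_id"] = data.split("<", 1)[1].split(">", 1)[0]
    return sessions
```

Running it over the full log on a server lets you list every session whose submitter is not one of your own hosts, which is the question the thread is trying to answer.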



From: Campbell, Rob [mailto:[email protected]]
Sent: Wednesday, June 16, 2010 8:54 AM
To: MS-Exchange Admin Issues
Subject: RE: Tracking Down Spam Source

I think it's time to have a look at the smtp protocol logs.



From: John Hornbuckle [mailto:[email protected]]
Sent: Wednesday, June 16, 2010 7:49 AM
To: MS-Exchange Admin Issues
Subject: RE: Tracking Down Spam Source

Below are the headers to one of the messages. I see where our Edge server 
received the message from our Core server (that's our Mailbox, CA, and Hub 
server). But it says the Core server received the message from itself. What 
does that mean?

We spoke to the user, who said that she has been off-site checking her mail 
remotely via OWA. Could her remote machine be sending the junk? But if so, 
shouldn't the remote machine's IP address be listed in the headers?


Received: from Exchange-Core.taylor.k12.fl.us (10.11.1.25) by
Exchange-Edge.taylor.k12.fl.us (10.11.1.27) with Microsoft SMTP Server (TLS)
id 8.2.254.0; Tue, 15 Jun 2010 17:51:19 -0400
Received: from Exchange-Core.taylor.k12.fl.us ([2002:96b0:25ac::96b0:25ac]) by
Exchange-Core.taylor.k12.fl.us ([2002:96b0:25ac::96b0:25ac]) with mapi; Tue,
15 Jun 2010 17:51:03 -0400
From: Nellie Walker <[email protected]>
Date: Tue, 15 Jun 2010 17:51:02 -0400
Subject: VISA CARD PAYMENT (822)
Thread-Topic: VISA CARD PAYMENT (822)
Thread-Index: AQHLDNTZbJD6HvH0oUqZQcSLZqnMlQ==
Message-ID: 
<e4f47298c1dd67478772ed46f048b6be01c8cb1...@exchange-core.taylor.k12.fl.us>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative;
        boundary="_000_E4F47298C1DD67478772ED46F048B6BE01C8CB15B8ExchangeCoret_"
MIME-Version: 1.0
To: Undisclosed recipients:;
Return-Path: 
[email protected]<mailto:[email protected]>





From: John Hornbuckle [mailto:[email protected]]
Sent: Wednesday, June 16, 2010 8:45 AM
To: MS-Exchange Admin Issues
Subject: Tracking Down Spam Source

I'm ashamed to say that for the first time ever, spam has been generated from 
my network. All of our outbound mail is routed through Google / Postini, and 
they cut us off last night after detecting it. I'm mortified.

What I'm needing help with is tracking down the source. I can see who the 
message claims to be from, and Postini tech support thinks her account really 
is the source (I assumed the "From:" address had been forged). But even if her 
account really is the source, I need to know what machine generated the traffic 
so that I can see what's running on it.

To be honest, I'm not sure how to do that. My weakness with Exchange is 
showing. I thought maybe the message tracking tool, which I've used to find 
some of the messages, but I can't see the originating IP address in there. Some 
of the entries say "2002:96b0:25ac::96b0:25ac" for the ClientIP. I don't know 
what that is.

Any pointers?


John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us
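As an added example (not code from the thread), a Python header-chain parser covering the two questions raised above: it walks the Received: headers bottom-up to the earliest hand-off, and it decodes the 2002: ClientIP value. A 2002::/16 address is a 6to4 address (RFC 3056) whose next 32 bits are an IPv4 address, so "2002:96b0:25ac::96b0:25ac" carries 150.176.37.172, the server's own address rather than a remote client's. A hop recorded as "with mapi" is a mailbox-store submission on the server itself (an Outlook or OWA session), which is why no SMTP client address appears there. The sample headers are constructed from the block quoted in the thread.

```python
import ipaddress
import re

# Constructed sample modelled on the header block quoted in the thread (other headers omitted).
SAMPLE_HEADERS = """\
Received: from Exchange-Core.taylor.k12.fl.us (10.11.1.25) by
 Exchange-Edge.taylor.k12.fl.us (10.11.1.27) with Microsoft SMTP Server (TLS)
 id 8.2.254.0; Tue, 15 Jun 2010 17:51:19 -0400
Received: from Exchange-Core.taylor.k12.fl.us ([2002:96b0:25ac::96b0:25ac]) by
 Exchange-Core.taylor.k12.fl.us ([2002:96b0:25ac::96b0:25ac]) with mapi; Tue,
 15 Jun 2010 17:51:03 -0400
Subject: VISA CARD PAYMENT (822)
"""

RECEIVED = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)\s+\(\[?(?P<addr>[^\])]+)\]?\)\s+by\s+(?P<by>\S+)"
    r".*?\bwith\s+(?P<with>[^;]+?)(?:\s+id\s+\S+)?;", re.I)

def unfold(headers):
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    out = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def decode_6to4(addr):
    """IPv4 address embedded in a 6to4 (2002::/16, RFC 3056) address, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                      # hostnames or junk in the parentheses
        return None
    return str(ip.sixtofour) if ip.version == 6 and ip.sixtofour else None

def trace_hops(headers):
    """Received: headers newest-first; the last hop is the earliest recorded hand-off.
    'with mapi' means a mailbox-store submission on the server, not an SMTP client."""
    hops = []
    for line in unfold(headers):
        m = RECEIVED.match(line)
        if not m:
            continue
        transport = m.group("with").strip()
        hops.append({"from": m.group("helo"), "addr": m.group("addr"), "by": m.group("by"),
                     "with": transport, "embedded_ipv4": decode_6to4(m.group("addr")),
                     "mapi_submission": transport.lower() == "mapi"})
    return hops
```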







NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure.


**************************************************************************************************
Note:
The information contained in this message may be privileged and confidential and
protected from disclosure.  If the reader of this message is not the intended
recipient, or an employee or agent responsible for delivering this message to
the intended recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited. If you
have received this communication in error, please notify us immediately by
replying to the message and deleting it from your computer.
**************************************************************************************************