Exchange 2003 SMTP Log send messages trace


  • Exchange 2003 SMTP Log send messages trace

    Hello,
    My mail server sends spam and/or viruses, and I don't know how to see in the SMTP log which IP or domain user sent the e-mail. Is there a way to filter only sent messages? I think that way I will be able to trace the infected computer.


    How can I raise security for sending messages in Exchange 2003?

    Thank you.

  • #2
    Re: Exchange 2003 SMTP Log send messages trace

    You can only view that information if you have logging enabled on the SMTP connector itself. Use this site to ensure you are not an open relay:

    http://www.mob.net/~ted/tools/relaytester.php3

    All user accounts on the domain will be able to relay via the Exchange server. This is by design if they are using a MAPI client. You will need to harden your Exchange server to ensure it is not an open relay and has adequate protection on the box and on the upstream gateway from attack.



    • #3
      Re: Exchange 2003 SMTP Log send messages trace

      To clarify: MAPI users who use Exchange do not relay through the SMTP connector. They send email, it goes to the store, Exchange sends it through the SMTP connector.



      • #4
        Re: Exchange 2003 SMTP Log send messages trace

        Relay Tester:

        Testing 212.50.14.35...

        Connecting to 212.50.14.35 ...
        <<< 220 mail.risk.bg Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Fri, 13 Mar 2009 00:39:44 +0200
        >>> HELO godfather.mob.net
        <<< 250 mail.risk.bg Hello [10.0.0.4]
        >>> MAIL FROM:
        <<< 250 2.1.0 [email protected] OK
        >>> RCPT TO:
        <<< 550 5.7.1 Unable to relay for [email protected]

        I have an antispam device at 10.0.0.4.


        If I paste part of the SMTP log here, can you look at it and explain to me whether there is a problem, please?
        Last edited by lg911; 13th March 2009, 23:59.



        • #5
          Re: Exchange 2003 SMTP Log send messages trace

          Being an open relay is not the only way that your server can be abused. There are others including authenticated user and NDR spam.
          Take a look at my spam cleanup article: http://www.amset.info/exchange/spam-cleanup.asp

          Simon.
          --
          Simon Butler
          Exchange MVP

          Blog: http://blog.sembee.co.uk/
          More Exchange Content: http://exchange.sembee.info/
          Exchange Resources List: http://exbpa.com/
          In the UK? Hire me: http://www.sembee.co.uk/

          Sembee is a registered trademark, used here with permission.



          • #6
            Re: Exchange 2003 SMTP Log send messages trace

            I used your article to test for open relay. I'm not.
            I checked for whether an authenticated user is relaying. There is no event with ID 1708.
            I was under an NDR attack, 20-50 mails to non-existing users (including deleted users or wrongly typed users); I enabled the recipient filter.
            Also cleaned the queues.

            Now I'm waiting to see.


            Please explain this to me: attachment 1

            In message tracking I found a record that I sent this message. But I didn't.
            Can that be an incoming message? Because I had a message with that subject in my inbox, but it is deleted.

            Thank you.



            Something new.
            87.120.40.3, OutboundConnectionResponse, 19.3.2009 г., 14:48:42, SMTPSVC1, RISKS03, -, 16, 0, 38, 0, 0, -, -, 220 mail.host.bg ESMTP Postfix (2.3.6),
            87.120.40.3, OutboundConnectionCommand, 19.3.2009 г., 14:48:42, SMTPSVC1, RISKS03, -, 16, 0, 4, 0, 0, EHLO, -, mail.risk.bg,
            87.120.40.3, OutboundConnectionResponse, 19.3.2009 г., 14:48:42, SMTPSVC1, RISKS03, -, 16, 0, 16, 0, 0, -, -, 250-mail.host.bg,
            87.120.40.3, OutboundConnectionCommand, 19.3.2009 г., 14:48:42, SMTPSVC1, RISKS03, -, 32, 0, 4, 0, 0, MAIL, -, FROM:<[email protected]> SIZE=1602,
            87.120.40.3, OutboundConnectionResponse, 19.3.2009 г., 14:48:42, SMTPSVC1, RISKS03, -, 32, 0, 12, 0, 0, -, -, 250 2.1.0 Ok,
            87.120.40.3, OutboundConnectionCommand, 19.3.2009 г., 14:48:42, SMTPSVC1, RISKS03, -, 32, 0, 4, 0, 0, RCPT, -, TO:<[email protected]> NOTIFY=NEVER,
            87.120.40.3, OutboundConnectionResponse, 19.3.2009 г., 14:48:42, SMTPSVC1, RISKS03, -, 32, 0, 12, 0, 0, -, -, 250 2.1.5 Ok,
            87.120.40.3, OutboundConnectionCommand, 19.3.2009 г., 14:48:42, SMTPSVC1, RISKS03, -, 32, 0, 4, 0, 0, DATA, -, -,
            87.120.40.3, OutboundConnectionResponse, 19.3.2009 г., 14:48:42, SMTPSVC1, RISKS03, -, 32, 0, 35, 0, 0, -, -, 354 End data with <CR><LF>.<CR><LF>,

            This is from my SMTP log.
            Can this be an internal relay?
            The user did not send this email from his Outlook.
            Also I have many records with FROM <> - empty name.
            Last edited by lg911; 19th March 2009, 17:09.
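
As an added example (not part of the thread and not any poster's code): a Python sketch that filters the outbound side of an SMTP log in the comma-separated layout shown in post #6, counts recipients per envelope sender, and lists separately the recipients of mail sent with the null sender `FROM:<>`, which is what delivery reports such as NDRs use. The column positions are inferred from that excerpt only, and the sample lines, hosts and addresses are constructed.

```python
from collections import Counter
import re

# Constructed sample lines in the comma-separated layout seen in post #6.
# Column positions are an assumption inferred from that excerpt.
SAMPLE = """\
192.0.2.10, OutboundConnectionCommand, 19.3.2009, 14:48:42, SMTPSVC1, MAIL01, -, 32, 0, 4, 0, 0, MAIL, -, FROM:<alice@example.com> SIZE=1602,
192.0.2.10, OutboundConnectionResponse, 19.3.2009, 14:48:42, SMTPSVC1, MAIL01, -, 32, 0, 12, 0, 0, -, -, 250 2.1.0 Ok,
192.0.2.10, OutboundConnectionCommand, 19.3.2009, 14:48:42, SMTPSVC1, MAIL01, -, 32, 0, 4, 0, 0, RCPT, -, TO:<bob@example.net> NOTIFY=NEVER,
198.51.100.7, OutboundConnectionCommand, 19.3.2009, 14:49:01, SMTPSVC1, MAIL01, -, 40, 0, 4, 0, 0, MAIL, -, FROM:<> SIZE=2210,
198.51.100.7, OutboundConnectionCommand, 19.3.2009, 14:49:01, SMTPSVC1, MAIL01, -, 40, 0, 4, 0, 0, RCPT, -, TO:<nobody@example.org> NOTIFY=NEVER,
198.51.100.7, OutboundConnectionCommand, 19.3.2009, 14:49:05, SMTPSVC1, MAIL01, -, 48, 0, 4, 0, 0, MAIL, -, FROM:<> SIZE=2198,
198.51.100.7, OutboundConnectionCommand, 19.3.2009, 14:49:05, SMTPSVC1, MAIL01, -, 48, 0, 4, 0, 0, RCPT, -, TO:<ghost@example.org> NOTIFY=NEVER,
"""

# Envelope address inside FROM:<...> or TO:<...>; an empty match is the null sender.
ADDR = re.compile(r"(?:FROM|TO):<([^>]*)>", re.IGNORECASE)

def outbound_messages(text):
    """Yield (remote_ip, sender, recipient) for each outbound MAIL/RCPT pair."""
    # Simplification: sessions are keyed by remote IP, so interleaved
    # connections to the same host are not told apart.
    pending = {}  # remote_ip -> sender from the most recent MAIL command
    for line in text.splitlines():
        cols = [c.strip() for c in line.rstrip(", ").split(",", 14)]
        if len(cols) < 15 or cols[1] != "OutboundConnectionCommand":
            continue  # skip responses, other events and malformed lines
        ip, verb, m = cols[0], cols[12].upper(), ADDR.match(cols[14])
        if not m:
            continue  # EHLO, DATA and other commands carry no address
        if verb == "MAIL":
            pending[ip] = m.group(1)
        elif verb == "RCPT" and ip in pending:
            yield ip, pending[ip], m.group(1)

def summarize(text):
    """Count outbound recipients per envelope sender; '' is the null sender."""
    by_sender = Counter()
    null_rcpts = []
    for _ip, sender, rcpt in outbound_messages(text):
        by_sender[sender.lower()] += 1
        if sender == "":
            null_rcpts.append(rcpt.lower())
    return by_sender, null_rcpts
```

A high count for one internal sender points at the mailbox or machine to inspect; a long `null_rcpts` list of unfamiliar external addresses is the pattern the NDR discussion in post #5 is about.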



            • #7
              Re: Exchange 2003 SMTP Log send messages trace

              That is a read receipt message going back. You will note the subject line is "Not Read". The message was sent with a receipt attached.

              Simon.


              • #8
                Re: Exchange 2003 SMTP Log send messages trace

                Now I'm pretty sure that my server is secured. I will continue searching for viruses on my network and try to watch the traffic from port 25 on my gateway.

                Thank you.
