mailbombed - how to remove it ?
  • mailbombed - how to remove it ?

    looks like someone has mailbombed one of my clients.. sending thousands of emails to an [email protected] address - all from random faked Sender addresses, with random subjects.

    I'm trying to find a way to mass-remove all of this easily.
    I've found a couple of promising links, but they relate to Exchange 2010, and we've got Ex2007.

    What I can tell, is all the emails came from the same ClientIP, but I suspect there's no way to do a mailbox search based on this is there?


    Any hints..?
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

  • #2
    Re: mailbombed - how to remove it ?

    You might be able to make a PowerShell script that would search the mailbox in question for messages that contain headers with a certain IP, perhaps (would need some serious PowerShell chops for that, I am sure). Have you blocked the IP and stopped any further from coming through? What anti-spam software were they running? From memory some anti-spam software has cleanup functions for scenarios such as the above (Trend ScanMail for Exchange, I think, can do it).



    • #3
      Re: mailbombed - how to remove it ?

      they only have sophos.... and yes, it seems they've blocked it before they rang me, so that's a good start..



      • #4
        Re: mailbombed - how to remove it ?

        I would contact Sophos for some answers. If the SW was configured properly then how/why did the mailbox get bombed in the first place, and hopefully they have a tool that can handle the clean up. IMO any edge/hub AV/spam software worth its salt should have seen that coming and blocked it way before it reached the mailbox. Best to also check if it is subscribed to an RBL as well.



        • #5
          Re: mailbombed - how to remove it ?

          Believe it's a targeted attack..



          • #6
            Re: mailbombed - how to remove it ?

            ok. here's one for the genius of Rems...


            Export-Mailbox -id "theboss" -subjectkeywords "randomstring" -targetmailbox whoops -targetfolder bad -deletecontent

            Ok.. that command would export all items from theboss's mailbox to target "whoops" where the subject keyword matches "randomstring"


            all well and good.

            get-messagetrackinglog -Recipients:[email protected] -Server "server" -EventID "RECEIVE" -Start "6/12/2011 5:09:00 AM" -End "6/12/2011 5:51:00 AM" -resultsize unlimited | ft messagesubject | out-file sub.txt

            will output a list of all the emails received, or at least, their subject.

            So.. what I want to do .. is then import "sub.txt" and loop through it, over and over, for "randomstring" above.



            • #7
              Re: mailbombed - how to remove it ?

              tracert the source ip and get some payback ......................
              (or at least payback to the spoofed/relay address lol)



              • #8
                Re: mailbombed - how to remove it ?

                That's not particularly professional. I believe my client knows who the perpetrator is anyhow.



                • #9
                  Re: mailbombed - how to remove it ?

                  I think I may have figured this. Maybe.

                  get-messagetrackinglog -Recipients:[email protected] -Server "Server" -EventID "RECEIVE" -Start "6/12/2011 5:09:00 AM" -End "6/12/2011 5:51:00 pM" -resultsize unlimited | ft messagesubject | out-file c:\sub.txt

                  That gives me sub.txt, which is a list of all the subjects. Now, I can pipe that info in, hopefully.


                  Get-content D:\public\it\my.txt | forEach-object {export-mailbox -id "Boss" -subjectkeywords $_ -targetmailbox badmail -targetfolder bad -deletecontent}



                  Here's hoping...


                  bahhh this is going to absolutely take for ever, because it has to export the entire mailbox, then search through it.. why can't I search then export ?
                  damnit!
                  Last edited by tehcamel; 7th December 2011, 06:35.



                  • #10
                    Re: mailbombed - how to remove it ?

                    http://www.petri.com/delete_messages...ng_exmerge.htm

                    You may be able to use ExMerge to accomplish this, although you'll need to install it on another machine with the Exchange 2003 support tools.
                    I've done something similar on Ex2010 using PowerShell but I had to write a very long script to accomplish what I required.



                    • #11
                      Re: mailbombed - how to remove it ?

                      Just use Export-Mailbox with the DeleteContent switch:
                      http://www.kevintaber.com/2009/06/09...ng-powershell/

                      Spend a bit of time hunting for suitable keywords
                      Tom Jones
                      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                      PhD, MSc, FIAP, MIITT
                      IT Trainer / Consultant
                      Ossian Ltd
                      Scotland

                      ** Remember to give credit where credit is due and leave reputation points where appropriate **



                      • #12
                        Re: mailbombed - how to remove it ?

                        Originally posted by tehcamel:
                        That's not particularly professional. I believe my client knows who the perpetrator is anyhow.
                        I was joking, old son



                        • #13
                          Re: mailbombed - how to remove it ?

                          Originally posted by Ossian:
                          Just use Export-Mailbox with the DeleteContent switch:
                          http://www.kevintaber.com/2009/06/09...ng-powershell/

                          Spend a bit of time hunting for suitable keywords
                          Essentially what I have done. However, there are no keywords that are the same - every email comes from a different [email protected]
                          with a different subject
                          and different content.

                          :/



                          • #14
                            Re: mailbombed - how to remove it ?

                            Anything in common? (IP range, possibly?)
                            Tom Jones



                            • #15
                              Re: mailbombed - how to remove it ?

                              Yea, the IP it came from. But I couldn't find a way to search based on that..
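The tracking-log-to-Export-Mailbox pipeline from post #9 and the "search by IP" question from post #15 can be combined, because Get-MessageTrackingLog records a ClientIp on each RECEIVE event even though Export-Mailbox cannot filter on it. The following is an added example for the Exchange 2007 Management Shell, not code from anyone in this thread: the recipient, mailbox, hub server name, quarantine mailbox and the 192.0.2.10 attacker address are placeholders, and the time window is the one quoted above. It filters the tracking log by ClientIp, deduplicates the subjects as objects (so no Format-Table header lines become keywords), then runs Export-Mailbox with -StartDate/-EndDate so only the attack window is searched instead of the whole mailbox, first as a copy for review and only then with -DeleteContent.

```powershell
# Added example (not from the thread). Exchange 2007 Management Shell.
# All values below are placeholders; adjust to the environment.
$Victim     = '[email protected]'      # bombed recipient (placeholder)
$Mailbox    = 'Boss'                    # mailbox identity for Export-Mailbox (placeholder)
$AttackerIp = '192.0.2.10'              # ClientIp seen in the tracking log (placeholder, TEST-NET-1)
$HubServer  = 'EXHUB01'                 # hub transport server that logged the RECEIVE events (placeholder)
$Start      = '6/12/2011 5:09:00 AM'    # attack window, as in the thread
$End        = '6/12/2011 5:51:00 PM'
$Quarantine = 'badmail'                 # mailbox that receives the exported items (placeholder)
$Delete     = $false                    # $false = copy for review; set $true after the review to delete

# 1. RECEIVE events for the victim in the window, kept only when they came from the attacker's IP.
$hits = Get-MessageTrackingLog -Recipients $Victim -Server $HubServer -EventId 'RECEIVE' `
            -Start $Start -End $End -ResultSize Unlimited |
        Where-Object { $_.ClientIp -eq $AttackerIp -and $_.MessageSubject }

"{0} messages from {1} between {2} and {3}" -f @($hits).Count, $AttackerIp, $Start, $End

# 2. Unique subjects as plain strings (no Format-Table header/underline lines).
$subjects = $hits | Select-Object -ExpandProperty MessageSubject | Sort-Object -Unique
$subjects | Out-File -FilePath C:\sub.txt      # keep a record of what is about to be removed

# 3. One Export-Mailbox per subject, confined to the attack window by -StartDate/-EndDate.
#    -DeleteContent is only honoured when $Delete is $true; with $false the items are copied
#    into badmail\bad so they can be checked for false positives first.
foreach ($s in $subjects) {
    Export-Mailbox -Identity $Mailbox -SubjectKeywords $s `
        -StartDate $Start -EndDate $End `
        -TargetMailbox $Quarantine -TargetFolder 'bad' `
        -DeleteContent:$Delete -Confirm:$false
}
```

-SubjectKeywords is a substring match, so a short or common subject string can pull in legitimate mail; that is why the first pass copies rather than deletes, and why the window is narrowed with -StartDate/-EndDate. Check the quarantine folder against C:\sub.txt before rerunning with $Delete = $true.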
