Exchange Server Forums
[Logging] Log SMTP Users
[Logging] Log SMTP Users - 5.Sep.2008 4:46:10 PM
Phil
Posts: 2
Joined: 5.Sep.2008
Status: offline
We recently had an issue where, though our mail server is not an open relay, spam was being sent from an external client using our mail server. I turned on what logging I could find, but I was wondering where I would look to find out which of my user accounts was the one which was compromised and being used to authenticate with the server and was sending the malicious email. In the SMTP logs I have, I see the EHLO, I see them set the recipients and then they simply say DATA and get a "go ahead". Is there a way to capture that DATA so I can get the username? Thanks in advance, Phil
RE: [Logging] Log SMTP Users - 5.Sep.2008 5:49:08 PM
AirJunkie
Posts: 11
Joined: 13.Aug.2008
Status: offline
I would turn on Message Tracking Logs if they're not on. You can open them in Excel, look for subject lines of the spam. Once you find the subject line you're looking for you should see a client-ip which will tell you where the message came from before it got to your Exchange server. You will also have the sender-address, which if one of your user accounts was compromised that should be it. That wouldn't be 100% proof that the user account was actually compromised though, it's just the sender address that was in the message header. If you really think that the user account has been compromised you could turn up security logging and look for that user successfully authenticating from an IP the same or similar to the client-ip from the Message Tracking Logs. Quickest way to determine if you are actually an open relay is to do a telnet <Exchange IP> 25 and try to send an email to your personal email address. If you can, and the computer you tried from hasn't been granted relay access I would assume you're running an open relay.
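The triage AirJunkie describes (find the spam by subject in the message tracking log, then pull the sender-address and client-ip for each hit) can be scripted rather than done by hand in Excel. The following is an added example, not code from this thread or from Exchange itself: it parses the CSV tracking-log format with its `#Fields:` header, filters the inbound SMTP RECEIVE events whose subject matches the spam you are chasing, groups them by sender and client IP, and flags senders whose spam arrived from outside the address ranges you treat as your own network. The field names follow the Exchange 2007 tracking-log header; the log lines, addresses, subjects and the "internal" network list are all constructed for the example (on the server itself, `Get-MessageTrackingLog` in the Exchange Management Shell returns the same fields).

```python
import csv
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of an Exchange 2007 message tracking log. The column
# names mirror the real "#Fields:" header; every value below is invented.
SAMPLE_TRACKING_LOG = """\
#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info
2008-09-05T14:01:12.000Z,192.0.2.10,mail.example.com,10.0.0.5,HUB01,,Default HUB01,SMTP,RECEIVE,1001,<a1@example.com>,alice@example.com,,2048,1,,,Weekly report,bob@example.com,bob@example.com,
2008-09-05T14:02:30.000Z,198.51.100.77,unknown,10.0.0.5,HUB01,,Default HUB01,SMTP,RECEIVE,1002,<b1@example.com>,victim1@example.net,,4096,1,,,Cheap meds now!!!,carol@example.com,carol@example.com,
2008-09-05T14:02:31.000Z,198.51.100.77,unknown,10.0.0.5,HUB01,,Default HUB01,SMTP,RECEIVE,1003,<b2@example.com>,victim2@example.net,,4096,1,,,Cheap meds now!!!,carol@example.com,carol@example.com,
2008-09-05T14:05:02.000Z,203.0.113.9,unknown,10.0.0.5,HUB01,,Default HUB01,SMTP,RECEIVE,1004,<b3@example.com>,victim3@example.org,,3000,1,,,"You have won, claim now",carol@example.com,carol@example.com,
2008-09-05T14:09:40.000Z,192.0.2.22,pc22.example.com,10.0.0.5,HUB01,,Default HUB01,SMTP,RECEIVE,1005,<c1@example.com>,helpdesk@example.com,,1500,1,,,Re: Cheap meds now!!!,dave@example.com,dave@example.com,
"""

# Assumption for the example: address ranges that belong to our own network.
INTERNAL_NETWORKS = ["10.0.0.0/8", "192.0.2.0/24"]

# Subject fragments taken from the spam sample being investigated (constructed).
SPAM_KEYWORDS = ["cheap meds", "you have won"]


def parse_tracking_log(text):
    """Turn a tracking log into a list of dicts keyed by the #Fields: names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
            continue
        if not line or line.startswith("#"):
            continue  # other header comments
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = next(csv.reader([line]))  # csv handles quoted subjects with commas
        rows.append(dict(zip(fields, values)))
    return rows


def spam_messages(rows, keywords):
    """Inbound SMTP RECEIVE events whose subject contains any keyword (case-insensitive)."""
    kws = [k.lower() for k in keywords]
    return [
        r for r in rows
        if r.get("event-id") == "RECEIVE" and r.get("source") == "SMTP"
        and any(k in r.get("message-subject", "").lower() for k in kws)
    ]


def senders_by_client_ip(rows):
    """Map sender-address -> {client-ip: message count}, the 'who sent it from where' view."""
    out = defaultdict(Counter)
    for r in rows:
        out[r["sender-address"]][r["client-ip"]] += 1
    return {sender: dict(counts) for sender, counts in out.items()}


def external_senders(rows, internal_networks):
    """Senders whose matching messages came from a client-ip outside our own ranges.

    These are the accounts worth checking in the security log for successful
    authentications from the same addresses; an internal client-ip (e.g. a user
    replying to the spam) is not flagged.
    """
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    flagged = defaultdict(set)
    for r in rows:
        try:
            ip = ipaddress.ip_address(r.get("client-ip", ""))
        except ValueError:
            continue  # no usable client-ip on this event
        if not any(ip in n for n in nets):
            flagged[r["sender-address"]].add(str(ip))
    return {sender: sorted(ips) for sender, ips in flagged.items()}


if __name__ == "__main__":
    rows = parse_tracking_log(SAMPLE_TRACKING_LOG)
    spam = spam_messages(rows, SPAM_KEYWORDS)
    for sender, counts in senders_by_client_ip(spam).items():
        print(sender, counts)
    print("check these accounts in the security log:", external_senders(spam, INTERNAL_NETWORKS))
```

In the sample, carol@example.com is the only sender whose spam-subject messages arrived from addresses outside the assumed internal ranges, while dave@example.com matches the subject only because of an internal reply; that is exactly the "sender-address alone is not proof" caveat from the post, and the external IP list is what you would then correlate against successful logons for that account.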
RE: [Logging] Log SMTP Users - 5.Sep.2008 6:57:48 PM
Phil
Posts: 2
Joined: 5.Sep.2008
Status: offline
Thanks for the reply. I'm fairly certain I'm not an open relay, as I've done several tests. We allow relaying, but only after the user is authenticated, which is why I believe an account to have been compromised. Where do I turn up the security logging to view remote authentications in Exchange 2007?