
How to Find originating IP Address within own Organisation 1

Status
Not open for further replies.

Ziopaulo

IS-IT--Management
Joined
May 10, 2005
Messages
4
Location
GB
We have an outbreak of a mass-mailer virus of some sort. Spurious emails have been going out of our Exchange server to destinations worldwide.

We are having some difficulty determining the source of these emails.

Is there a way to find the internal originating IP of an email in order to determine which PC is infected?

We are NOT open to relay.

TIA
 
If I were you, I would shut down your outbound internet email until the outbreak is controlled. This will limit your liability.

Install an Exchange AV product that will walk the DBs. I recommend Trend ScanMail for Exchange. You can use the product for 30 days for free. Perform a full scan on all Exchange stores.

Once the stores are clean, then watch the AV logs. They will show the sender of the email.

If you have a worm that bypasses your Exchange system, then you will need to disable outbound SMTP on your firewall from any host that is not your Exchange server. Look at the firewall logs for outbound SMTP attempts and track down the IPs of the systems and manually scan each one.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
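The firewall-log step PSC describes (find hosts other than the Exchange server attempting outbound SMTP) as an added example, not code from the thread. It assumes a constructed syslog-style line format with SRC/DST/DPT/ACTION fields and an Exchange server at 10.0.0.5; adapt the regex and address to your own firewall's log format.

```python
"""Rank internal hosts, other than the mail server, that attempt outbound TCP/25.

Added example; the log format and addresses below are constructed for illustration.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Assumption: the only host that should be sending on TCP/25 is the Exchange server.
EXCHANGE_SERVER = "10.0.0.5"

# Constructed sample firewall log lines (not from any real firewall product).
SAMPLE_LOG = """\
May 10 09:12:01 fw1 kernel: OUT: SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP DPT=25 ACTION=ACCEPT
May 10 09:12:03 fw1 kernel: OUT: SRC=10.0.1.47 DST=198.51.100.8 PROTO=TCP DPT=25 ACTION=ACCEPT
May 10 09:12:04 fw1 kernel: OUT: SRC=10.0.1.47 DST=198.51.100.9 PROTO=TCP DPT=25 ACTION=DROP
May 10 09:12:05 fw1 kernel: OUT: SRC=10.0.1.47 DST=192.0.2.77 PROTO=TCP DPT=25 ACTION=DROP
May 10 09:12:06 fw1 kernel: OUT: SRC=10.0.1.12 DST=192.0.2.80 PROTO=TCP DPT=443 ACTION=ACCEPT
May 10 09:12:07 fw1 kernel: OUT: SRC=10.0.1.90 DST=198.51.100.20 PROTO=TCP DPT=25 ACTION=DROP
"""

# Matches the constructed key=value fields; change this for your firewall's format.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"DPT=(?P<dport>\d+) ACTION=(?P<action>\S+)"
)


def parse_line(line):
    """Return a dict of the connection fields, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def suspicious_smtp_senders(log_text, exchange_ip=EXCHANGE_SERVER):
    """Count outbound TCP/25 attempts per internal source IP, excluding the mail server.

    Both accepted and dropped attempts are counted: a host that keeps trying to
    reach port 25 after the block is still a host worth scanning.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != 25:
            continue
        if rec["src"] == exchange_ip or not ip_address(rec["src"]).is_private:
            continue
        hits[rec["src"]] += 1
    return hits


def rank_senders(log_text, exchange_ip=EXCHANGE_SERVER):
    """Return [(ip, attempts), ...] sorted with the busiest sender first."""
    return suspicious_smtp_senders(log_text, exchange_ip).most_common()


if __name__ == "__main__":
    for ip, n in rank_senders(SAMPLE_LOG):
        print(f"{ip:15s} {n} outbound SMTP attempt(s)")
```

Run against the constructed log, the Exchange server's own traffic and the HTTPS connection are ignored, and the two workstations that tried to talk SMTP directly are listed with 10.0.1.47 on top.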
 
My apologies - my initial posting was somewhat misleading despite my trying hard!

I should not have referred to a virus but simply to a mass-mailer which has hijacked one or more PCs to send spam ads. The outgoing messages do not appear to carry a viral payload. Interestingly, we cannot view the messages. They show "Subject: hidden".

Any views?
 
Are the mails actually going through your Exchange system, or are they doing direct SMTP connection? Here's how you can tell...

Right click on the mail and choose options. Look at the path the email took to get to your mailbox. If it originates from an IP, goes to the mail server that hosts your MX record and then comes inbound, it is a straight SMTP based worm.

If the header information is blank, then the mail came from inside the Exchange system and you will need to look at AV logs or turn on Message tracking and trace the email back.

I'm guessing that this is a straight SMTP worm. Limit outbound SMTP traffic on your firewall to only your Exchange server, then trace down the IPs of the sending systems.

PSC

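PSC's header check (walk the path in the Received headers; an internal IP that first appears at the MX host means a direct SMTP sender, no Received headers at all means the mail was submitted inside Exchange) as an added example, not code from the thread. The two messages are constructed, and the internal range 10.0.0.0/8 and the host names are assumptions.

```python
"""Classify where a message entered the mail system from its Received headers.

Added example; the messages, host names and internal range are constructed.
"""
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Assumption: the organisation's internal address space.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed message: the oldest hop (bottom Received header) is an internal PC
# that connected straight to the MX host, after which the mail came back inbound.
SMTP_WORM_MSG = """\
Received: from mx.example.invalid (mx.example.invalid [203.0.113.5])
\tby exch01.corp.example.invalid with ESMTP id ABC123;
\tTue, 10 May 2005 09:15:02 +0100
Received: from ws-1047 (unknown [10.0.1.47])
\tby mx.example.invalid with SMTP id XYZ789;
\tTue, 10 May 2005 09:15:01 +0100
From: someone@example.invalid
To: victim@example.invalid
Subject: hidden

body
"""

# Constructed message with no Received headers, as for mail submitted through
# the Exchange store rather than over SMTP.
INTERNAL_MSG = """\
From: user@example.invalid
To: victim@example.invalid
Subject: hidden

body
"""

# First bracketed IPv4 literal in a Received header, e.g. "(unknown [10.0.1.47])".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return the Received hops oldest-first as (from_host, from_ip) tuples.

    Each receiving server prepends its own Received header, so the header
    nearest the body is the earliest hop; reversing get_all() restores time order.
    """
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())          # unfold the header onto one line
        host_m = re.match(r"from (\S+)", text)
        ip_m = IP_RE.search(text)
        hops.append((host_m.group(1) if host_m else None,
                     ip_m.group(1) if ip_m else None))
    return hops


def classify_origin(raw):
    """Return (verdict, ip) describing how the message entered the mail system."""
    hops = received_hops(raw)
    if not hops:
        # Blank path: the mail never traversed SMTP, so look at AV logs or
        # message tracking inside Exchange instead.
        return ("exchange-internal", None)
    host, ip = hops[0]
    if ip and ip_address(ip) in INTERNAL_NET:
        # An internal machine spoke SMTP directly to the MX host.
        return ("direct-smtp-from-internal-host", ip)
    return ("external", ip)


if __name__ == "__main__":
    print(classify_origin(SMTP_WORM_MSG))
    print(classify_origin(INTERNAL_MSG))
```

Only the oldest hop is trusted for the verdict: every hop above it was written by your own servers, while the sending host controls nothing but the hostname it announced, which is why the IP in brackets (recorded by the receiving server) is used rather than the name after "from".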
 
Thanks again PSC

The mail is going through Exchange. It is originating within our own network (single site) and is destined for various places in the outside world.

I have Message Tracking turned on but I can't see how to get it to give me any clue about which internal machine originated these messages.

Any further help greatly appreciated.
 
Unfortunately Exchange won't tell you the exact machine. The best you can do is find the user that is originating the message and disable the user account and mailbox. This will generate a call to the helpdesk from which you can find out the computer.

If it's an exchange based worm, then your AV scanner should remove it before it leaves your organization.


PSC

 
Thanks

I have done what you suggest and we shall see what tomorrow brings!
 
Here is what you do in this case.

YOU'RE LOOKING FOR THE LOCATION ON THE NETWORK THAT THE MESSAGES ARE COMING FROM TO YOUR EXCHANGE SERVER

Enable AUDITING on your Exchange server and send an email to the mailbox in question. You will see the user's machine name pop up in the Security log as an event with a successful audit on it. From there ... reverse lookup the machine name for the IP. If you don't know where the machine is (you should)...

Then you can go into DHCP and flush his IP, set up a new reservation for his MAC address and give him all FAULTY information, i.e. a different network IP and an odd gateway etc...

Before you know it, he will come looking for someone in IT and you will be able to find out which machine it is.

This method is used more often for clients who come into your office with their own machines and are infected.
 