Re: Best way to enable logs to catch a suspicious spammer inside org
From: Herb Martin (news_at_LearnQuick.com)
Date: 12/28/04
- Previous message: Marlon Brown: "Best way to enable logs to catch a suspicious spammer inside org"
- In reply to: Marlon Brown: "Best way to enable logs to catch a suspicious spammer inside org"
- Next in thread: Jeff Cochran: "Re: Best way to enable logs to catch a suspicious spammer inside org"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 27 Dec 2004 19:30:43 -0600
"Marlon Brown" <marlon_brown@hotmail.com> wrote in message
news:#L#7rCG7EHA.2804@TK2MSFTNGP15.phx.gbl...
> I received reports that somebody is sending spam from inside my
> organization. Currently the IP address that is being reported as the spammer
> is not active (not assigned in my DHCP server or DNS). All I know is that
> the suspect belongs to my IP address range in one of my workstation subnets.
Reported how?
Actually you probably know WHICH subnet as that IP
is probably valid but manually assigned by the spammer.
SMTP, for instance, is a TCP service which means that it
is impractical for the spammer to use any other address
than the one it uses in the TCP CONNECTION to the SMTP
server.
So if the SMTP server records the address it must be
valid -- this is ignoring relays from other SMTP servers
but if it is all in your LAN that is not a big issue (there
either isn't another or you move the other SMTP server
logs.)
> I already enabled logging on the Exchange servers, but I am wondering what
> would be the best way to track certain IP address for future investigation?
> For example, because the DHCP client will get a random IP address, I would
> like to enable logs in a way that I can come back later and match such
> IPaddressReportedAsSpam to my existing servers to find out who was using
> that workstation?
If it isn't being assigned by DHCP, what makes you think the
spammer didn't just MAKE IT UP?
He must however be on the (physical) segment with
that subnet.
> Is there a way to do logging level on the Win2003 DHCP or Win2003 DNS
> servers ?
DNS is easy -- debug logging on the server properties.
DHCP? I think so but have never needed it.
-- Herb Martin
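
Added example, not part of the original message: a Python sketch of the lookup the thread is after, answering "who held this IP at this time?" from a DHCP server audit log, and returning nothing when no lease covers the moment, which is what a manually assigned address looks like. It assumes the comma-separated audit log layout (ID,Date,Time,Description,IP Address,Host Name,MAC Address), event IDs 10/11/12 for new lease, renew and release, and an 8-day lease; the log lines, host names and MAC addresses are constructed.

```python
import csv
from datetime import datetime, timedelta

# Constructed sample in the assumed DHCP audit log layout.
SAMPLE_DHCP_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,12/20/04,08:01:12,Assign,10.1.5.23,WS-ACCT-07.example.local,00AABBCC0001
11,12/22/04,08:01:15,Renew,10.1.5.23,WS-ACCT-07.example.local,00AABBCC0001
12,12/23/04,17:30:02,Release,10.1.5.23,WS-ACCT-07.example.local,00AABBCC0001
10,12/24/04,09:12:40,Assign,10.1.5.23,WS-LAB-02.example.local,00AABBCC0002
10,12/24/04,09:15:00,Assign,10.1.5.40,WS-HR-11.example.local,00AABBCC0003
"""

ASSIGN, RENEW, RELEASE = "10", "11", "12"  # assumed event IDs


def parse_events(log_text):
    """Return (timestamp, event_id, ip, host, mac) tuples in time order."""
    events = []
    for row in csv.reader(log_text.splitlines()):
        # Skip the column header and any banner lines.
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        ts = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        events.append((ts, row[0].strip(), row[4].strip(),
                       row[5].strip(), row[6].strip()))
    return sorted(events)


def lease_holder(log_text, ip, when, lease_length=timedelta(days=8)):
    """Return (host, mac) holding `ip` at `when`, or None if no lease covers it.

    None for an address seen in the mail server log means the address was not
    handed out by DHCP at that time, i.e. it was likely set by hand.
    """
    holder = None  # (host, mac, lease_expiry)
    for ts, event_id, addr, host, mac in parse_events(log_text):
        if addr != ip or ts > when:
            continue
        if event_id in (ASSIGN, RENEW):
            holder = (host, mac, ts + lease_length)
        elif event_id == RELEASE:
            holder = None
    if holder and when <= holder[2]:
        return holder[0], holder[1]
    return None
```

The MAC address returned for a leased address can then be matched against switch port tables; for an address with no lease, the switch and ARP tables on that subnet are the remaining source.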