Re: Best way to enable logs to catch a suspicious spammer inside org

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 12/28/04


Date: Tue, 28 Dec 2004 03:30:36 GMT

On Mon, 27 Dec 2004 14:11:01 -0800, "Marlon Brown"
<marlon_brown@hotmail.com> wrote:

>I received reports that somebody is sending spam from inside my
>organization. Currently the IP address that is being reported as the spammer
>is not active (not assigned in my DHCP server or DNS). All I know is that
>the suspect belongs to my IP address range in one of my workstation subnets.

First, how do you know this?

>I already enabled logging on the Exchange servers, but I am wondering what
>would be the best way to track a certain IP address for future investigation ?

Logging, of course. Journalling would also possibly help. Block port
25 in your firewall for all systems except Exchange and review your
firewall logs.

>For example, because the DHCP client will get a random IP address, I would
>like to enable logs in a way that I can come back later and match such
>IPaddressReportedAsSpam to my existing servers to find out who was using
>that workstation ?

You might write a database record for logins in a login script,
tracking IP, time and user ID.

>Is there a way to do logging level on the Win2003 DHCP or Win2003 DNS
>servers ?

Logging level? You can audit login/logout events. As well as almost
anything else.

Best bet is to get a copy of the alleged spam and track it.

Jeff
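The question in this thread is how to map a reported spam source IP back to the workstation that held it at the time. Windows Server 2003's DHCP server writes an audit log (DhcpSrvLog-*.log) whose lines are `ID,Date,Time,Description,IP Address,Host Name,MAC Address`, with ID 10 for a new lease, 11 for a renewal and 12 for a release. The following is an added example, not code from this thread; it assumes that field layout and uses a constructed sample log to answer "who held this IP at this moment?" by replaying assign/renew/release events in order.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample in the Windows 2003 DHCP audit-log layout (not a real capture).
# ID 10 = Assign, 11 = Renew, 12 = Release. The same IP is reused by two hosts.
SAMPLE_LOG = """ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,12/27/04,08:02:11,Assign,10.1.5.23,ws-alice.corp.example,00112233AAAA
11,12/27/04,12:02:11,Renew,10.1.5.23,ws-alice.corp.example,00112233AAAA
12,12/27/04,16:30:00,Release,10.1.5.23,ws-alice.corp.example,00112233AAAA
10,12/27/04,16:45:09,Assign,10.1.5.23,ws-bob.corp.example,00112233BBBB
10,12/27/04,09:00:00,Assign,10.1.5.24,ws-carol.corp.example,00112233CCCC
"""

LEASE_EVENTS = {"10", "11"}   # lease granted or renewed: IP is now held by this host
RELEASE_EVENTS = {"12"}       # lease released: IP is free again


def parse_dhcp_log(text):
    """Yield (timestamp, event_id, ip, host, mac); skip the header and legend lines."""
    for row in csv.reader(StringIO(text)):
        # Real logs start with a legend ("00 The log was started.") and a header row;
        # only rows with a numeric ID and all seven fields are lease events.
        if len(row) < 7 or not row[0].isdigit():
            continue
        ts = datetime.strptime(row[1] + " " + row[2], "%m/%d/%y %H:%M:%S")
        yield ts, row[0], row[4], row[5], row[6]


def who_had_ip(log_text, ip, when):
    """Return (host, mac) holding `ip` at datetime `when`, or None if no lease was active."""
    events = sorted(e for e in parse_dhcp_log(log_text) if e[2] == ip)
    holder = None
    for ts, event_id, _, host, mac in events:
        if ts > when:          # events after the moment of interest are irrelevant
            break
        if event_id in LEASE_EVENTS:
            holder = (host, mac)
        elif event_id in RELEASE_EVENTS:
            holder = None
    return holder


if __name__ == "__main__":
    reported_ip, reported_time = "10.1.5.23", datetime(2004, 12, 27, 14, 11, 1)
    print(reported_ip, "at", reported_time, "->", who_had_ip(SAMPLE_LOG, reported_ip, reported_time))
```

A lease that simply expires without a release event is not recorded, so a hit here should be cross-checked against the login-script record of IP, time and user ID suggested above before naming anyone.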