Re: Best way to enable logs to catch a suspicious spammer inside org

From: Marlon Brown (marlon_brownj_at_hotmail.com)
Date: 12/28/04

  • Next message: Herb Martin: "Re: Best way to enable logs to catch a suspicious spammer inside org"
    Date: Mon, 27 Dec 2004 21:34:05 -0800
    
    

    "Jeff Cochran" <jeff.nospam@zina.com> wrote in message
    news:41d2d2c5.314694807@msnews.microsoft.com...
    > On Mon, 27 Dec 2004 14:11:01 -0800, "Marlon Brown"
    > <marlon_brown@hotmail.com> wrote:
    >
    >>I received reports that somebody is sending spam from inside my
    >>organization. Currently the IP address that is being reported as the
    >>spammer
    >>is not active (not assigned in my DHCP server or DNS). All I know is that
    >>the suspect belongs to my IP address range in one of my workstation
    >>subnets.
    >
    > First, how do you know this?

    ==>Reported by two independent agencies that spam is being generated from a
    workstation in my domain. I see the headers of such spam mail and because
    the claim coincided with a workstation IP range in which SMTP is allowed
    for such subnet and because I had problems with users from same subnet in
    the past, I think the report is somewhat credible and I would like to
    investigate this.

    >
    >>I already enabled logging on the Exchange servers, but I am wondering
    >>what
    >>would be the best way to track certain IP address for future investigation
    >>?
    ==> Apparently the Exchange servers were not used as a relay, therefore the
    SMTP logging wouldn't help much.
    > Logging, of course. Journalling would also possibly help. Block port
    > 25 in your firewall for all systems except Exchange and review your
    > firewall logs.
    >
    >>For example, because the DHCP client will get a random IP address, I would
    >>like to enable logs in a way that I can come back later and match such
    >>IPaddressReportedAsSpam to my existing servers to find out who was using
    >>that workstation ?
    >
    > You might write a database record for logins in a login script,
    > tracking IP, time and user ID.
    ==>True, but the login script option wouldn't help if the suspect is logging
    on locally (techies are users on such subnet and they normally have the
    local administrator password)
    >
    >>Is there a way to do logging level on the Win2003 DHCP or Win2003 DNS
    >>servers ?
    >
    > Logging level? You can audit login/logout events. As well as almost
    > anything else.
    >
    > Best bet is to get a copy of the alleged spam and track it.
    >
    > Jeff

