Re: Best way to enable logs to catch a suspicious spammer inside org

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 12/29/04


Date: Wed, 29 Dec 2004 04:07:06 GMT

Some of the information below would have saved time in the first round
of questions/suggestions.

Okay, it's not passing through Exchange and you allow SMTP out from
individual workstations. Plus the offending user may be a local
admin.

That means you have only your firewall that's of use. I'd block SMTP
out from any but authorized senders/servers. At the least, monitor
your firewall logs for traffic on port 25 from the LAN to WAN.
Configuring an internal IDS system may help as well.

Jeff

On Mon, 27 Dec 2004 21:34:05 -0800, "Marlon Brown"
<marlon_brownj@hotmail.com> wrote:

>
>"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
>news:41d2d2c5.314694807@msnews.microsoft.com...
>> On Mon, 27 Dec 2004 14:11:01 -0800, "Marlon Brown"
>> <marlon_brown@hotmail.com> wrote:
>>
>>>I received reports that somebody is sending spam from inside my
>>>organization. Currently the IP address that is being reported as the
>>>spammer is not active (not assigned in my DHCP server or DNS). All I know
>>>is that the suspect belongs to my IP address range in one of my
>>>workstation subnets.
>>
>> First, how do you know this?
>
>==>Reported by two independent agencies that spam is being generated from a
>workstation in my domain. I see the headers of such spam mail and because
>the claim coincided with a workstation IP range in which SMTP is allowed
>for such subnet and because I had problems with users from same subnet in
>the past, I think the report is somewhat credible and I would like to
>investigate this.
>
>>
>>>I already enabled logging on the Exchange servers, but I am wondering what
>>>would be the best way to track certain IP address for future investigation?
>==> Apparently the Exchange servers were not used as a relay, therefore the
>SMTP logging wouldn't help much.
>> Logging, of course. Journalling would also possibly help. Block port
>> 25 in your firewall for all systems except Exchange and review your
>> firewall logs.
>>
>>>For example, because the DHCP client will get a random IP address, I would
>>>like to enable logs in a way that I can come back later and match such
>>>IPaddressReportedAsSpam to my existing servers to find out who was using
>>>that workstation?
>>
>> You might write a database record for logins in a login script,
>> tracking IP, time and user ID.
>==>True, but the login script option wouldn't help if the suspect is logging
>on locally (techies are users on such subnet and they normally have the
>local administrator password)
>>
>>>Is there a way to do logging level on the Win2003 DHCP or Win2003 DNS
>>>servers?
>>
>> Logging level? You can audit login/logout events. As well as almost
>> anything else.
>>
>> Best bet is to get a copy of the alleged spam and track it.
>>
>> Jeff
>
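The two pieces of advice in this thread, watching the firewall logs for port 25 traffic from the LAN to the WAN that does not come from an authorized sender, and then matching the offending IP against the DHCP server's records to find out which workstation held that address at the time, can be combined in a small script. The following is an added example written for this page, not code posted by anyone in the thread. The firewall log layout is an assumed generic "action proto src -> dst" export, the IP ranges and lease rows are constructed placeholders, and the DHCP rows follow the column order of the Windows DHCP server audit log (ID,Date,Time,Description,IP Address,Host Name,MAC Address), where event 10 is a new lease, 11 a renewal and 12 a release.

```python
"""Flag outbound SMTP from unauthorized internal hosts in firewall logs and
correlate each flagged source IP with the DHCP lease in force at that time.

Added example for this thread; not code from the original posts. The log
layouts, IP ranges and lease rows below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (assumed generic export: ts action proto src -> dst).
FIREWALL_LOG = """\
2004-12-27 21:02:11 ALLOW TCP 10.20.5.44:3201 -> 203.0.113.9:25
2004-12-27 21:02:14 ALLOW TCP 10.20.5.44:3202 -> 198.51.100.17:25
2004-12-27 21:03:00 ALLOW TCP 10.20.1.10:4410 -> 198.51.100.17:25
2004-12-27 21:04:52 ALLOW TCP 10.20.5.44:3210 -> 203.0.113.21:25
2004-12-27 21:05:07 ALLOW TCP 10.20.5.91:1180 -> 203.0.113.9:80
2004-12-27 22:10:33 ALLOW TCP 10.20.5.44:3301 -> 203.0.113.9:25
"""

# Hosts permitted to send SMTP outbound (placeholder Exchange server address).
AUTHORIZED_SMTP_SENDERS = {"10.20.1.10"}
# Workstation subnet(s) to watch (placeholder range).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed rows in the Windows DHCP audit-log column order:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address (10=assign, 11=renew, 12=release)
DHCP_AUDIT_LOG = """\
10,12/27/04,08:15:02,Assign,10.20.5.44,LAB-WKS07.corp.example,00-0D-60-1A-2B-3C
12,12/27/04,18:40:19,Release,10.20.5.44,LAB-WKS07.corp.example,00-0D-60-1A-2B-3C
10,12/27/04,20:55:41,Assign,10.20.5.44,LAB-WKS12.corp.example,00-0D-60-4D-5E-6F
10,12/27/04,20:58:03,Assign,10.20.5.91,FIN-WKS03.corp.example,00-0D-60-7A-8B-9C
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(ip):
    """True if `ip` falls inside one of the watched internal subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_unauthorized_smtp(log_text):
    """Return {src_ip: [timestamps]} for LAN-to-WAN TCP/25 connections whose
    source is internal but not on the authorized sender list."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "TCP" or m["dport"] != "25":
            continue  # unexpected layout or not SMTP: skip rather than fail
        src, dst = m["src"], m["dst"]
        if is_internal(src) and not is_internal(dst) and src not in AUTHORIZED_SMTP_SENDERS:
            hits[src].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    return dict(hits)


def parse_dhcp_leases(audit_text):
    """Build lease intervals from audit rows. Assign/renew (10/11) opens an
    interval for the IP, closing any earlier open one; release (12) closes it."""
    leases, open_idx = [], {}
    for row in audit_text.splitlines():
        fields = row.split(",")
        if len(fields) < 7 or fields[0] not in ("10", "11", "12"):
            continue
        ev, date, time_, _desc, ip, host, mac = fields[:7]
        when = datetime.strptime(f"{date} {time_}", "%m/%d/%y %H:%M:%S")
        if ip in open_idx:
            leases[open_idx.pop(ip)]["end"] = when
        if ev in ("10", "11"):
            open_idx[ip] = len(leases)
            leases.append({"start": when, "end": None, "ip": ip, "host": host, "mac": mac})
    return leases


def lease_holder(leases, ip, when):
    """Return the lease record covering `ip` at `when`, or None if none matches."""
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= when and (lease["end"] is None or when < lease["end"]):
            return lease
    return None


def investigate(fw_log, dhcp_log):
    """Join each flagged sender with the lease in force at its first SMTP connection."""
    leases = parse_dhcp_leases(dhcp_log)
    report = {}
    for ip, times in find_unauthorized_smtp(fw_log).items():
        first = min(times)
        holder = lease_holder(leases, ip, first)
        report[ip] = {"count": len(times), "first_seen": first, "last_seen": max(times),
                      "host": holder["host"] if holder else None,
                      "mac": holder["mac"] if holder else None}
    return report


if __name__ == "__main__":
    for ip, info in investigate(FIREWALL_LOG, DHCP_AUDIT_LOG).items():
        print(f"{ip}: {info['count']} outbound SMTP connections, {info['first_seen']} .. "
              f"{info['last_seen']}, leased to {info['host']} ({info['mac']})")
```

The lease lookup is keyed on the time of the connection, not just the address: in the constructed data the same IP was held by LAB-WKS07 earlier in the day and by LAB-WKS12 when the port 25 traffic occurred, which is exactly the ambiguity the DHCP question in the thread is about. Because the match lands on a hostname and MAC address rather than a logon, it still works when the user logs on with a local account and never runs a domain login script.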