Re: tracking email viruses to the origin




I am sure it's a never ending battle but I have taken this on as a growth
experience in part. Also in part I want to see if it is one of our
employees. So even for academic sake how can I accomplish this?


"Andy David - MVP" <adavid@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:clnjp1ptgvgro568oma5o26ptr5nb6j7hh@xxxxxxxxxx
> On Fri, 9 Dec 2005 11:27:58 -0800, "Admin Ken" <admin@xxxxxxxxxxxxx>
> wrote:
>
>>I am trying to track down the originators of some of the massive amounts of
>>inbound viruses we get. To my knowledge all of this virus traffic is inbound
>>from outside to my SMTP servers. I imagine much of it is random but some of
>>it comes from our employees' infected home computers, as many of the TO
>>addresses contain groups of valid addresses. I would like to try to identify
>>some of these computers if possible. I am hoping there is a limited number
>>of nasty IP addresses that are causing these problems.
>>
>>I have Exchange03 SP2 and GFI Mail Security 9. I do get notification of
>>viruses but have no easy way of tracking the IP that belongs to those
>>infected messages. GFI does not log header info so I have to rely on my
>>Exchange/SMTP logs. GFI does log viruses in an Access database but it does
>>not contain headers or other source IPs.
>>
>>On my Ex2003 server I have SMTP protocol logging on and also message
>>tracking turned on.
>>
>>1) Can someone suggest a program or a process to parse my SMTP logs (or
>>message tracking logs) so I can sort them and look for repeating patterns?
>>
>>2) Since most of the header information is spoofed, which if any of the IPs
>>listed in the header can be trusted as the actual IP of the offending
>>sender?
>>
>>3) How can I differentiate the infected computer's IP address from the
>>downstream SMTP server's IP address (that sent to my SMTP server)?
>>
>>4) Is there a good way to match up my SMTP log or message tracking logs
>>with my GFI records/logs of virus infected messages?
>>
>>
>
>
> Ugh. I wouldn't bother. It's a never-ending battle. That's what AV and
> Anti-Spam products are for.
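As an added example (not from anyone in the thread), here is a Python parser for an Exchange 2003 SMTP protocol log in W3C extended format that answers question 1 by ranking connecting peers by RCPT volume; the log's c-ip column is the TCP peer your own server accepted the connection from, which is the one address the forged Received: headers cannot change (questions 2 and 3). The log content, host names and addresses below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of an Exchange 2003 SMTP protocol log (W3C extended format);
# hosts and addresses are hypothetical. c-ip = connecting peer, cs-method = SMTP verb.
SAMPLE_LOG = """\
#Date: 2005-12-09 19:27:58
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2005-12-09 19:27:58 198.51.100.7 dsl-7.isp.example SMTPSVC1 EXCH01 192.0.2.25 0 HELO - +dsl-7.isp.example 250 0 0 0 0 SMTP - - - -
2005-12-09 19:27:58 198.51.100.7 dsl-7.isp.example SMTPSVC1 EXCH01 192.0.2.25 0 MAIL - +FROM:<bob@example.com> 250 0 0 0 0 SMTP - - - -
2005-12-09 19:27:59 198.51.100.7 dsl-7.isp.example SMTPSVC1 EXCH01 192.0.2.25 0 RCPT - +TO:<alice@example.com> 250 0 0 0 0 SMTP - - - -
2005-12-09 19:27:59 198.51.100.7 dsl-7.isp.example SMTPSVC1 EXCH01 192.0.2.25 0 RCPT - +TO:<carol@example.com> 250 0 0 0 0 SMTP - - - -
2005-12-09 19:27:59 198.51.100.7 dsl-7.isp.example SMTPSVC1 EXCH01 192.0.2.25 0 RCPT - +TO:<dave@example.com> 250 0 0 0 0 SMTP - - - -
2005-12-09 19:30:01 203.0.113.9 mx.partner.example SMTPSVC1 EXCH01 192.0.2.25 0 MAIL - +FROM:<news@partner.example> 250 0 0 0 0 SMTP - - - -
2005-12-09 19:30:01 203.0.113.9 mx.partner.example SMTPSVC1 EXCH01 192.0.2.25 0 RCPT - +TO:<alice@example.com> 250 0 0 0 0 SMTP - - - -
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order comes from the log itself
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def rank_senders(text):
    """Per connecting IP: HELO names, RCPT count and distinct recipients,
    sorted so the peers addressing the most mailboxes come first."""
    stats = defaultdict(lambda: {"helo": set(), "rcpt": 0, "recipients": set()})
    for rec in parse_w3c(text):
        ip, verb = rec.get("c-ip"), rec.get("cs-method")
        arg = rec.get("cs-uri-query", "").lstrip("+")
        if not ip:
            continue
        if verb in ("HELO", "EHLO"):
            stats[ip]["helo"].add(arg)         # HELO name vs. reverse DNS is a useful signal
        elif verb == "RCPT":
            stats[ip]["rcpt"] += 1
            m = re.search(r"<([^>]+)>", arg)
            if m:
                stats[ip]["recipients"].add(m.group(1).lower())
    return sorted(stats.items(), key=lambda kv: kv[1]["rcpt"], reverse=True)

if __name__ == "__main__":
    for ip, s in rank_senders(SAMPLE_LOG):
        print(f"{ip:15} rcpt={s['rcpt']:3} distinct={len(s['recipients']):3} helo={sorted(s['helo'])}")
```

To run it against real data, feed the contents of the SMTPSVC log files to rank_senders in place of SAMPLE_LOG; peers that hit many distinct internal recipients in one session are the ones to compare against the GFI virus timestamps.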




