Re: Cut off spam from 127.0.0.1?


Mike H wrote:
On Sun, 1 Jul 2007 21:42:19 -0700, kj [SBS MVP] (rookie) wrote:

Mike H wrote:
A few enterprising individuals are managing to send spam as if it
was coming from the internal network. I'm not quite sure how
they're doing this.

When I look at the SMTP logs I don't see times that quite match the
time of the message, so I'm not sure it's even in the SMTP logs.
However, I do see reference to these messages in the Exchange Server
logs, in the SERVERNAME.log directory. One of these records looks
like (and they're hard to read):

Note that the logs are GMT (more accurately UTC) time stamped, not
adjusted for your server's time zone. Adjust accordingly and see if
you don't find a match.


2007-6-30 13:0:42 GMT 127.0.0.1 mydomain.com - myservername 127.0.0.1 validuser@xxxxxxxxxxxx 1023 A78842105725446BA5951603AFA89D4A@xxxxxxxxxxxx 0 0 3740 1 - 0 Version: 6.0.3790.3959 - - thespammersname@xxxxxxxxxxx

2007-6-30 13:0:43 GMT - - - myservername - validuser@xxxxxxxxxxxx 1028 A78842105725446BA5951603AFA89D4A@xxxxxxxxxxxx 0 0 3740 1 - 0 - - - thespammersname@xxxxxxxxxxx

I'm not sure I have the entire record (there's got to be a reader
that parses this thing right!)

So when you look at these messages in Outlook it looks like a "from
the inside" header.

How can I stop this? I'm wondering if the (All Unassigned) IP
address is wrong from the default SMTP server, if instead it should
be the LAN IP address.

KJ, regarding the logs...yes, I accounted for that. Including daylight
time as well, I add 8 hours to my own time to find it in the logs.
So, I can find an exact match in the Exchange message logs, but not
in the SMTP logs. I've assumed that there could be a "pickup time
lag", but in some instances there's not a match within 5 minutes, and
of course, there's NEVER an IP match for these particular messages.

To help 'crank up' logging see:
http://support.microsoft.com/kb/821910/en-us

You mentioned "pickup time". Are you using the POP3 Connector and is this
where you believe these messages are coming from?

(if so, see:)
http://support.microsoft.com/kb/885685/en-us


--
/kj
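Mike asks for a reader that parses these tracking records. What follows is an added example, not code from either poster: a small Python reader for Exchange 2000/2003 message tracking log lines that does the three things discussed in the thread: converts the UTC timestamps to the server's local time, finds the records that fall within a few minutes of a local-time (Outlook) timestamp, and lists the message IDs that were submitted via 127.0.0.1 while carrying a sender address outside the local domain, which is exactly the "from the inside" pattern Mike describes. The 20-column field order is my understanding of the tab-separated tracking log format and should be checked against the header of your own SERVERNAME.log file; the sample log lines, the hostnames, the UTC-7 offset and the example.net addresses are constructed for the demonstration.

```python
# Added example, not from the thread: a reader for Exchange 2000/2003 message
# tracking log lines. Converts the UTC timestamps to local time, matches a
# local-time (Outlook) timestamp against the log, and flags messages submitted
# via 127.0.0.1 that carry a sender address outside the local domain.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed column order of the tab-separated tracking log (20 fields); verify it
# against the "# Fields" header line at the top of your own SERVERNAME.log file.
FIELDS = [
    "date", "time", "client_ip", "client_hostname", "partner_name",
    "server_hostname", "server_ip", "recipient", "event_id", "msgid",
    "priority", "recipient_report_status", "total_bytes", "num_recipients",
    "origination_time", "encryption", "service_version", "linked_msgid",
    "subject", "sender",
]


def _row(*fields):
    return "\t".join(fields)


# Constructed sample modelled on the two records quoted in the thread, plus a
# normal internal submission and a normal inbound message for contrast.
SAMPLE_LOG = "\n".join([
    "# Message Tracking Log File",
    _row("2007-6-30", "13:0:42 GMT", "127.0.0.1", "mydomain.com", "-", "myservername",
         "127.0.0.1", "validuser@mydomain.com", "1023",
         "A78842105725446BA5951603AFA89D4A@mydomain.com", "0", "0", "3740", "1",
         "-", "0", "Version: 6.0.3790.3959", "-", "-", "thespammersname@example.net"),
    _row("2007-6-30", "13:0:43 GMT", "-", "-", "-", "myservername", "-",
         "validuser@mydomain.com", "1028",
         "A78842105725446BA5951603AFA89D4A@mydomain.com", "0", "0", "3740", "1",
         "-", "0", "-", "-", "-", "thespammersname@example.net"),
    _row("2007-6-30", "13:30:0 GMT", "127.0.0.1", "mydomain.com", "-", "myservername",
         "127.0.0.1", "validuser@mydomain.com", "1023", "LEGIT0001@mydomain.com",
         "0", "0", "2100", "1", "-", "0", "Version: 6.0.3790.3959", "-", "-",
         "colleague@mydomain.com"),
    _row("2007-6-30", "14:0:0 GMT", "203.0.113.5", "mail.example.net", "-",
         "myservername", "192.0.2.10", "validuser@mydomain.com", "1023",
         "INBOUND0001@example.net", "0", "0", "5100", "1", "-", "0",
         "Version: 6.0.3790.3959", "-", "-", "partner@example.net"),
])


@dataclass
class Record:
    when_utc: datetime
    client_ip: str
    server: str
    recipient: str
    event_id: str
    msgid: str
    sender: str


def parse_record(line: str) -> Record:
    """Parse one tab-separated tracking log line into a Record."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    f = dict(zip(FIELDS, parts))
    # The time column reads like "13:0:42 GMT": unpadded digits, always UTC.
    clock = f["time"].replace("GMT", "").strip()
    when = datetime.strptime(f"{f['date']} {clock}", "%Y-%m-%d %H:%M:%S")
    return Record(when.replace(tzinfo=timezone.utc), f["client_ip"],
                  f["server_hostname"], f["recipient"], f["event_id"],
                  f["msgid"], f["sender"])


def parse_log(text: str) -> list:
    """Parse a whole log, skipping the '#' header lines and blank lines."""
    return [parse_record(l) for l in text.splitlines() if l and not l.startswith("#")]


def to_local(when_utc: datetime, offset_hours: float) -> datetime:
    """Shift a UTC log timestamp to the server's local wall-clock time."""
    return when_utc.astimezone(timezone(timedelta(hours=offset_hours)))


def records_near(records, local_stamp: str, offset_hours: float, window_minutes: int = 5):
    """Records within +/- window_minutes of a local wall-clock timestamp such as
    the one Outlook shows, given as "YYYY-MM-DD HH:MM:SS"."""
    zone = timezone(timedelta(hours=offset_hours))
    probe = datetime.strptime(local_stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=zone)
    window = timedelta(minutes=window_minutes)
    return [r for r in records if abs(r.when_utc - probe) <= window]


def loopback_with_external_sender(records, internal_domains):
    """Message IDs whose submission came from 127.0.0.1 yet whose sender
    address is not in one of the internal domains: spoofed 'internal' mail."""
    internal = {d.lower() for d in internal_domains}
    flagged = set()
    for r in records:
        domain = r.sender.rpartition("@")[2].lower()
        if r.client_ip == "127.0.0.1" and domain not in internal:
            flagged.add(r.msgid)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in records_near(recs, "2007-06-30 06:01:00", -7):   # assumed UTC-7 server zone
        print(to_local(r.when_utc, -7).strftime("%Y-%m-%d %H:%M:%S"),
              r.event_id, r.client_ip, r.sender)
    print("loopback submissions with external sender:",
          loopback_with_external_sender(recs, {"mydomain.com"}))
```

Point it at a real file with `parse_log(open(path).read())` and pass your own zone offset; the loopback check is only a triage aid, since legitimate store submissions and POP3 Connector deliveries also arrive via 127.0.0.1, so the sender-domain test is what separates the spoofed messages from normal internal traffic.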
