Re: Cut off spam from 127.0.0.1?
- From: Mike H <mkREMOVEhuskeyALL@xxxxxxxxxxxxxxxxxxx>
- Date: Mon, 2 Jul 2007 13:04:16 -0700
On Mon, 2 Jul 2007 12:46:19 -0700, kj [SBS MVP] (rookie) wrote:
Mike H wrote:
On Sun, 1 Jul 2007 21:42:19 -0700, kj [SBS MVP] (rookie) wrote:
Mike H wrote:
A few enterprising individuals are managing to send spam as if it
was coming from the internal network. I'm not quite sure how
they're doing this.
When I look at the SMTP logs I don't see times that quite match the
time of the message, so I'm not sure it's even in the SMTP logs.
However, I do see reference to these message in the Exchange Server
logs, in the SERVERNAME.log directory. One of these records looks
like (and they're hard to read):
Note that the logs are GMT ( more accuratly UTC ) time stamped, non
adjusted for your servers time zone. Adjust accordingly and see if
you don't find a match.
2007-6-30 13:0:42 GMT 127.0.0.1 mydomain.com - myservername
127.0.0.1 validuser@xxxxxxxxxxxx 1023
A78842105725446BA5951603AFA89D4A@xxxxxxxxxxxx 0 0 3740 1 - 0
Version:
6.0.3790.3959 - - thespammersname@xxxxxxxxxxx
2007-6-30 13:0:43 GMT - - - myservername - validuser@xxxxxxxxxxxx
1028 A78842105725446BA5951603AFA89D4A@xxxxxxxxxxxx 0 0 3740 1 - 0 -
- - thespammersname@xxxxxxxxxxx
I'm not sure I have the entire record (there's got to be a reader
that parses this thing right!)
So when you look at these messages in Outlook it looks like a "from
the inside" header.
How can I stop this? I'm wondering if the (All Unassigned) IP
address is wrong from the default SMTP server, if instead it should
be the LAN IP address.
KJ, regarding the logs...yes, I accounted for that. Including daylight
time as well, I add 8 hours to my own time to find it in the logs.
So, I can find an exact match in the Exchange message logs, but not
in the SMTP logs. I've assumed that there could be a "pickup time
lag", but in some instances there's not a match within 5 minutes, and
of course, there's NEVER an IP match for these particular messages.
To help 'crank up' logging see;
http://support.microsoft.com/kb/821910/en-us
You mentioned "pickup time". Are you using the POP3 Connector and is this
where you believe these messages are comming from?
(if so, see;)
http://support.microsoft.com/kb/885685/en-us
While I"m digesting "cranking up logging", in answer to your question
about the POP3 Connector - in general, no, I don't use the POP3
Connector. It is enabled and running, though. My secondary MX points to
an off-site server. I have a catchall account there which I pick up
using the POP3 Connector.
So, the pickup time I was referring to was the time, if any, between
arrival via SMTP and the messages actual delivery to a mailbox (Exchange
Server mailbox). I presumed there must be some since I couldn't find a
time match for these particular spam messages.
If that's not the case, then somehow SMTP is being bypassed altogether
and the spammer IS using the POP3 Connector to get to me. hmm, I'd
better check that second link as well...
--
Mike H
.
- Follow-Ups:
- Re: Cut off spam from 127.0.0.1?
- From: kj [SBS MVP] \(rookie\)
- Re: Cut off spam from 127.0.0.1?
- References:
- Cut off spam from 127.0.0.1?
- From: Mike H
- Re: Cut off spam from 127.0.0.1?
- From: kj [SBS MVP] \(rookie\)
- Re: Cut off spam from 127.0.0.1?
- From: Mike H
- Re: Cut off spam from 127.0.0.1?
- From: kj [SBS MVP] \(rookie\)
- Cut off spam from 127.0.0.1?
- Prev by Date: Re: ISA 1 NIC
- Next by Date: Re: Secondary AD
- Previous by thread: Re: Cut off spam from 127.0.0.1?
- Next by thread: Re: Cut off spam from 127.0.0.1?
- Index(es):
Relevant Pages
|
