RE: Tracking mails--Author again :)

  • From: "John Tolmachoff \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 7 Jul 2005 06:59:30 -0700

That is where desktop AV comes in. You should have (no, must have) desktop
AV protection in place and centrally managed. If a desktop becomes infected,
a) your centrally managed desktop AV will notify you and b) stop or
quarantine the infection.

 

Security, of which AV software is an important element, must be a
multi-layered approach. 

 

Depending upon something on Exchange to tell you which internal client is
infected with a virus is a slow and cumbersome way to go about it.

 

Now, there is software specifically designed to track outgoing e-mail by
IP address and, if it reaches a threshold, quarantine it, along with a
scheduled batch file that will notify you if files are quarantined; however,
that software is for a specific e-mail server and is designed for an ISP
configuration.

 

John T

eServices For You
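The two server-side ideas raised in this thread, reading the SMTP virtual server log and counting submissions per client IP against a threshold, can be combined into a small report. The following is an added example written for this page; it is not code from the thread, from Microsoft, or from the ISP product John mentions. It assumes the log is in W3C extended format with a `#Fields:` header (the field list and every log line below are constructed and abbreviated for the example; a real Exchange 2003 log carries more columns, which the parser handles because it reads the header rather than fixed positions), and it treats each `MAIL` command as one message submission and a `cs-username` of `-` as an unauthenticated session. The threshold value is an assumption to be tuned per site.

```python
"""Summarise an SMTP virtual server log (W3C extended format) by client IP.

Added example for this thread. Everything here is constructed: the field
list is an abbreviated W3C header and the log lines are made up.
"""
from collections import Counter

THRESHOLD = 3  # assumed: submissions per client that merit a look (tune per site)

# Constructed sample log. "-" in cs-username means the client did not
# authenticate. The last line is deliberately truncated to show that the
# parser skips malformed lines instead of misaligning columns.
SAMPLE_LOG = """\
#Software: constructed sample
#Version: 1.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-07-07 06:00:01 192.0.2.10 - 192.0.2.5 EHLO - +pc10.example.test 250
2005-07-07 06:00:01 192.0.2.10 - 192.0.2.5 MAIL - +FROM:<alice@example.test> 250
2005-07-07 06:00:02 192.0.2.10 - 192.0.2.5 RCPT - +TO:<bob@example.test> 250
2005-07-07 06:00:02 192.0.2.10 - 192.0.2.5 DATA - <msg1@pc10> 250
2005-07-07 06:00:03 192.0.2.10 - 192.0.2.5 MAIL - +FROM:<alice@example.test> 250
2005-07-07 06:00:04 192.0.2.10 - 192.0.2.5 MAIL - +FROM:<alice@example.test> 250
2005-07-07 06:01:00 192.0.2.20 - 192.0.2.5 EHLO - +pc20.example.test 250
2005-07-07 06:01:00 192.0.2.20 - 192.0.2.5 AUTH - +LOGIN 235
2005-07-07 06:01:01 192.0.2.20 carol 192.0.2.5 MAIL - +FROM:<carol@example.test> 250
2005-07-07 06:01:02 192.0.2.20 carol 192.0.2.5 QUIT - pc20.example.test 221
2005-07-07 06:02:00 192.0.2.30 -
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue  # other directives (#Software, #Date, ...) carry no data
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or corrupt line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def submissions_per_client(records):
    """Count MAIL commands per client IP; one MAIL command is one message submission."""
    return Counter(r["c-ip"] for r in records if r.get("cs-method") == "MAIL")


def unauthenticated_clients(records):
    """Client IPs that submitted a message without authenticating first."""
    return sorted({r["c-ip"] for r in records
                   if r.get("cs-method") == "MAIL" and r.get("cs-username") == "-"})


def flag_clients(counts, threshold=THRESHOLD):
    """Clients at or above the threshold, busiest first, as (ip, count) pairs."""
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    counts = submissions_per_client(recs)
    for ip, n in flag_clients(counts):
        print(f"{ip}: {n} submissions (threshold {THRESHOLD})")
    print("unauthenticated submitters:", ", ".join(unauthenticated_clients(recs)))
```

Run against a real log directory this gives the internal IP and the count in one pass, which is the information Praveen asked for. As John points out, it only sees clients that relay through the Exchange SMTP virtual server; a mass mailer with its own SMTP engine never appears in this log, so the complementary source for that case is the firewall log of outbound port 25 attempts blocked from anything other than the Exchange server.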

 

-----Original Message-----
From: Praveen Ramaswamy [mailto:ramaswamy_praveen@xxxxxxxxx] 
Sent: Thursday, July 07, 2005 1:15 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Tracking mails--Author again :)

 

http://www.MSExchange.org/ 

I agree with you, Rick, and others who have a similar approach towards virus
prevention. Even my approach is more or less the same. However, for example:
let's say one PC has not been patched because the user was on leave and he
switched off the PC. When the user returns and switches on the PC, there is
a high chance of this PC getting infected. Now if this PC is infected with a
virus and starts sending out mails to people in the address book, then the
antivirus on the Exchange server will filter these mails. But there will be
wastage of server resources to process these unwanted mails. Also I have set
a policy that I get a notification if such virus mails come to the server, so
I get about 50 such mails in a day. Currently I am facing this problem.

 

We have decent patch and antivirus management in place, but still, you know,
it is not 100%. So given the above scenario, if I get the sender host IP
address it will be easy to identify the PC and apply the required patch
through the patch manager.

 

So please let me know how to do this on an Exchange 2003 server. I am sure this
will be a basic feature of any mail server, but I am not able to figure it
out on Exchange 2003.

 

Best regards

Praveen R


Rick Boza <rickb@xxxxxxxxxxxxxxx> wrote: 

So - I get the idea that you want to have a response plan if one of these
hits - you should have such a plan.  But you're missing the boat if you
really think that pulling a single PC off the network is the plan you should
be using.  The whole idea behind the attack vector you are bringing up is
that by the time you have identified and pulled that one PC - twenty others
are already infected and doing the same thing.  You'd need to assign one
tech to unplugging NICs.  Very poor efficiency in an enterprise environment.

As John has said, you handle this by proactively securing your back-end
systems, in cooperation with several other important steps.  Doing this
prevents a single (or ten, or fifty) rogue systems from taking down that
back end.  An 'approaches to AV' discussion can become a religious
experience, but the basic rule I like is multiple lines of defense (defense
in depth) that includes properly patched and secured systems at the borders,
on the back-end, and on the desktop.  (As an aside, in my experience most
religious fervor comes from the subject of placing an AV engine on Exchange
servers or not - personally I am in favor of having an Exchange AV engine in
place as it adds one more level of defense - and I'll leave it at that for
the moment)

The single line item you are discussing, while nominally useful, should be
around number 45 on your list of the top 100 things to do if a virus hits.
You need to build your desktop and server infrastructure in such a way that
a single infected system just, well, doesn't matter.


On 7/6/05 3:26 AM, "John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx>
wrote:

You could use the SMTP virtual server log. However, most MM viruses use a
built-in SMTP engine and send directly to the recipient server as identified
by the MX record. The ones that do indeed use the locally configured SMTP server
(configured in Outlook etc.) do not authenticate, so if your Exchange server
is properly configured to force authentication before sending, that will
stop them. Of course, in the case of the other type, you are blocking port
25 to/from the Internet except to/from your Exchange server, correct?
 

John T
eServices For You


-----Original Message-----
From: Praveen Ramaswamy [mailto:ramaswamy_praveen@xxxxxxxxx]
Sent: Wednesday, July 06, 2005 12:01 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Tracking mails--Author again :)


Hi John, 



For example: a PC within our network gets infected with a mass mailer virus.
This PC starts sending mails to all the users in the address book. So if I
can find out the IP address of that PC, then I can easily track it down and
pull it off the network.



I used to do this in my previous company. We had sendmail running on HP-UX
and we could easily figure out the sender host IP. I can still trace
incoming mails from the outside world as I have sendmail sitting at the
gateway. But I want to know how I do this with Exchange 2003.



Regards

Praveen R

"John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx> wrote:

What is the purpose of knowing where the virus infected e-mail came from? In
this day and age, most viruses now are using virus infected zombies to send
their filth. Chances are if you received 50 different virus infected
e-mails, they will come from 45 different IP addresses.

Now, if you are talking about your outgoing messages, that is the wrong way
to find them, or I should say the least efficient way.


John T
eServices For You


-----Original Message-----
From: Praveen Ramaswamy [mailto:ramaswamy_praveen@xxxxxxxxx]
Sent: Tuesday, July 05, 2005 7:11 AM
To: [ExchangeList]
Subject: [exchangelist] Tracking mails


Hi,



I want to track incoming and outgoing mails on my Exchange 2003 server.
Basically I want to know from which IP address the mail has arrived on the
Exchange server. In the case of a virus mail, the antivirus quarantines the
message, which is fine, but I would like to know the host which is generating
the mails. Basically I can check the message header in Outlook options, but
can I find this info on the server itself? Message Tracker doesn't give
details about the host it has received the mail from.



Regards

Praveen R 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSEXchange.org Discussion List as:
ramaswamy_praveen@xxxxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Report abuse to listadmin@xxxxxxxxxxxxxx 
