RE: Tracking mails--Author again :)

  • From: Rick Boza <rickb@xxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Wed, 06 Jul 2005 08:00:42 -0400

So - I get the idea that you want to have a response plan if one of these
hits - you should have such a plan.  But you're missing the boat if you
really think that pulling a single PC off the network is the plan you should
be using.  The whole idea behind the attack vector you are bringing up is
that by the time you have identified and pulled that one PC - twenty others
are already infected and doing the same thing.  You'd need to assign one
tech to unplugging NICs.  Very poor efficiency in an enterprise environment.

As John has said, you handle this by proactively securing your back-end
systems, in cooperation with several other important steps.  Doing this
prevents a single (or ten, or fifty) rogue systems from taking down that
back end.  An 'approaches to AV' discussion can become a religious
experience, but the basic rule I like is multiple lines of defense (defense
in depth) that includes properly patched and secured systems at the borders,
on the back-end, and on the desktop.  (As an aside, in my experience most
religious fervor comes from the subject of placing an AV engine on Exchange
servers or not - personally I am in favor of having an Exchange AV engine in
place as it adds one more level of defense - and I'll leave it at that for
the moment)

The single line item you are discussing, while nominally useful, should be
around number 45 on your list of the top 100 things to do if a virus hits.
You need to build your desktop and server infrastructure in such a way that
a single infected system just, well, doesn't matter.


On 7/6/05 3:26 AM, "John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx>
wrote:

> http://www.MSExchange.org/
> You could use the SMTP Virtual server log. However, most MM viruses use a
> built in SMTP engine and send directly to the recipient server as identified
> by MX record. The ones that do indeed use the locally configured SMTP server
> (configured in Outlook etc.) do not authenticate, so if your Exchange server is
> properly configured to force authentication before sending, that will stop
> them. Of course, in the case of the other type, you are blocking port 25
> to/from the Internet except to/from your Exchange server, correct?
>  
> 
> John T
> eServices For You
>  
> 
> -----Original Message-----
> From: Praveen Ramaswamy [mailto:ramaswamy_praveen@xxxxxxxxx]
> Sent: Wednesday, July 06, 2005 12:01 AM
> To: [ExchangeList]
> Subject: [exchangelist] RE: Tracking mails--Author again :)
>  
> 
> Hi John, 
> 
>  
> 
> For example: A PC within our network gets infected with a mass mailer virus.
> This PC starts sending mails to all the users in the address book. So if I can
> find out the IP address of that PC then I can easily track it down and pull it
> off the network. 
> 
>  
> 
> I used to do this in my previous company. We had sendmail running on HP-UX and
> we could easily figure out the sender host IP. I can still trace incoming
> mails from the outside world as I have sendmail sitting in the gateway. But I
> want to know how I do this with Exchange 2003.
> 
>  
> 
> Regards
> 
> Praveen R
> 
> "John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx> wrote:
>> What is the purpose of knowing where the virus infected e-mail came from? In
>> this day and age, most viruses now are using virus infected zombies to send
>> their filth. Chances are if you received 50 different virus infected e-mails,
>> they will come from 45 different IP addresses.
>>  
>> Now, if you are talking about your outgoing messages, that is the wrong way
>> to find them, or I should say the least efficient way.
>>  
>> 
>> John T
>> eServices For You
>>  
>> 
>> -----Original Message-----
>> From: Praveen Ramaswamy [mailto:ramaswamy_praveen@xxxxxxxxx]
>> Sent: Tuesday, July 05, 2005 7:11 AM
>> To: [ExchangeList]
>> Subject: [exchangelist] Tracking mails
>>  
>> 
>> Hi,
>> 
>>  
>> 
>> I want to track incoming and outgoing mails on my Exchange 2003 server.
>> Basically I want to know from which IP address the mail has arrived on the
>> Exchange server. In the case of a virus mail, the anti-virus quarantines the
>> message, which is fine, but I would like to know the host which is generating
>> the mails. Basically I can check the message header in Outlook options, but
>> can I find this info on the server itself? Message tracker doesn't give
>> details about the host it has received the mail from.
>> 
>>  
>> 
>> Regards
>> 
>> Praveen R 
>> 


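John's pointer to the SMTP virtual server log, and Praveen's question of finding the host behind an outgoing mail, worked through in an added example that is not code from anyone in this thread. It reads the W3C extended log that the Exchange 2003 SMTP virtual server writes, names the columns from the `#Fields` header (`c-ip`, `cs-method`, `cs-uri-query` are the standard W3C extended names IIS logging uses), and reports which client IPs addressed many distinct recipients and which issued MAIL FROM without an AUTH command, i.e. the hosts that requiring authentication on the virtual server would have refused. Every log line, host name, address, status code and threshold in the sample is constructed.

```python
"""Pick the sending host out of an Exchange 2003 SMTP virtual server log.

Added example, not code from anyone in this thread. It reads the W3C
extended log that IIS/Exchange 2003 SMTP logging writes, naming the
columns from the #Fields header (c-ip, cs-method, cs-uri-query).
Every log line, address, status code and threshold below is constructed.
"""
from collections import defaultdict

FIELDS = ("#Fields: date time c-ip cs-username s-sitename s-computername "
          "s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status "
          "sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host "
          "cs(User-Agent) cs(Cookie) cs(Referer)")


def _line(ts, ip, verb, arg, status):
    """Build one constructed log line (21 columns, matching FIELDS)."""
    return (f"2005-07-06 {ts} {ip} - SMTPSVC1 MAILSRV 10.1.2.5 25 {verb} - "
            f"{arg} {status} 0 40 30 0 SMTP - - - -")


# Constructed sample: 10.1.2.33 submits twelve recipients without ever
# authenticating; 10.1.2.77 authenticates and sends one ordinary message.
SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft Internet Information Services 6.0",
     "#Version: 1.0", "#Date: 2005-07-06 07:12:01", FIELDS,
     _line("07:12:01", "10.1.2.33", "HELO", "+PC033", 250),
     _line("07:12:01", "10.1.2.33", "MAIL", "+FROM:<alice@example.local>", 250)]
    + [_line("07:12:01", "10.1.2.33", "RCPT", f"+TO:<user{i}@example.local>", 250)
       for i in range(12)]
    + [_line("07:12:02", "10.1.2.33", "QUIT", "-", 240),
       _line("07:13:10", "10.1.2.77", "EHLO", "+PC077", 250),
       _line("07:13:10", "10.1.2.77", "AUTH", "+LOGIN", 334),
       _line("07:13:11", "10.1.2.77", "MAIL", "+FROM:<carol@example.local>", 250),
       _line("07:13:11", "10.1.2.77", "RCPT", "+TO:<dave@example.local>", 250),
       _line("07:13:12", "10.1.2.77", "QUIT", "-", 240)]) + "\n"


def parse_w3c(text):
    """Yield each data line as a dict keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields is None:
            raise ValueError("data line before #Fields header")
        else:
            values = line.split(" ")
            values += ["-"] * (len(fields) - len(values))  # pad short lines
            yield dict(zip(fields, values))


def _address(query):
    """'+TO:<bob@example.local>' -> 'bob@example.local'."""
    return query.split(":", 1)[-1].strip("<>").lower()


def recipients_by_client(text):
    """Map each client IP (c-ip) to the distinct RCPT TO addresses it gave."""
    rcpts = defaultdict(set)
    for r in parse_w3c(text):
        if r["cs-method"].upper() == "RCPT":
            rcpts[r["c-ip"]].add(_address(r["cs-uri-query"]))
    return dict(rcpts)


def flag_mass_mailers(text, threshold):
    """Client IPs that addressed at least `threshold` distinct recipients."""
    return {ip: len(s) for ip, s in recipients_by_client(text).items()
            if len(s) >= threshold}


def unauthenticated_senders(text):
    """Client IPs that issued MAIL FROM but never an AUTH command.

    These are exactly the submissions that requiring authentication on
    the virtual server would have refused.
    """
    authed, senders = set(), set()
    for r in parse_w3c(text):
        verb = r["cs-method"].upper()
        if verb == "AUTH":
            authed.add(r["c-ip"])
        elif verb == "MAIL":
            senders.add(r["c-ip"])
    return senders - authed


if __name__ == "__main__":
    for ip, n in sorted(flag_mass_mailers(SAMPLE_LOG, 10).items()):
        print(f"{ip}: {n} distinct recipients")
    print("sent without AUTH:", sorted(unauthenticated_senders(SAMPLE_LOG)))
```

As John notes, this only sees mail that was actually relayed through the Exchange server; a worm with its own SMTP engine delivering straight to the recipient's MX never appears in this log, which is why the port 25 egress restriction he asks about is the control for that case.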