Best way to enable logs to catch a suspicious spammer inside org

Marlon Brown

I received reports that somebody is sending spam from inside my
organization. Currently the IP address that is being reported as the spammer
is not active (not assigned in my DHCP server or DNS). All I know is that
the suspect belongs to my IP address range in one of my workstation subnets.

I already enabled logging on the Exchange servers, but I am wondering what
would be the best way to track a certain IP address for future investigation?
For example, because the DHCP client will get a random IP address, I would
like to enable logs in a way that I can come back later and match such
IPaddressReportedAsSpam to my existing servers to find out who was using
that workstation?
Is there a way to set the logging level on the Win2003 DHCP or Win2003 DNS
servers?
 
Herb Martin

Marlon Brown said:
I received reports that somebody is sending spam from inside my
organization. Currently the IP address that is being reported as the spammer
is not active (not assigned in my DHCP server or DNS). All I know is that
the suspect belongs to my IP address range in one of my workstation
subnets.

Reported how?

Actually you probably know WHICH subnet as that IP
is probably valid but manually assigned by the spammer.

SMTP, for instance, is a TCP service which means that it
is impractical for the spammer to use any other address
than the one it uses in the TCP CONNECTION to the SMTP
server.

So if the SMTP server records the address it must be
valid -- this is ignoring relays from other SMTP servers
but if it is all in your LAN that is not a big issue (there
either isn't another or you move the other SMTP server
logs.)

I already enabled logging on the Exchange servers, but I am wondering what
would be the best way to track a certain IP address for future investigation?
For example, because the DHCP client will get a random IP address, I would
like to enable logs in a way that I can come back later and match such
IPaddressReportedAsSpam to my existing servers to find out who was using
that workstation?

If it isn't being assigned by DHCP, what makes you think the
spammer didn't just MAKE IT UP?

He must however be on the (physical) segment with
that subnet.

Is there a way to set the logging level on the Win2003 DHCP or Win2003 DNS
servers?

DNS is easy -- debug logging on the server properties.

DHCP? I think so but have never needed it.
 
Jeff Cochran

I received reports that somebody is sending spam from inside my
organization. Currently the IP address that is being reported as the spammer
is not active (not assigned in my DHCP server or DNS). All I know is that
the suspect belongs to my IP address range in one of my workstation subnets.

First, how do you know this?

I already enabled logging on the Exchange servers, but I am wondering what
would be the best way to track a certain IP address for future investigation?

Logging, of course. Journalling would also possibly help. Block port
25 in your firewall for all systems except Exchange and review your
firewall logs.

For example, because the DHCP client will get a random IP address, I would
like to enable logs in a way that I can come back later and match such
IPaddressReportedAsSpam to my existing servers to find out who was using
that workstation?

You might write a database record for logins in a login script,
tracking IP, time and user ID.

Is there a way to set the logging level on the Win2003 DHCP or Win2003 DNS
servers?

Logging level? You can audit login/logout events. As well as almost
anything else.

Best bet is to get a copy of the alleged spam and track it.

Jeff
 
Marlon Brown

Jeff Cochran said:
First, how do you know this?

==>Reported by two independent agencies that spam is being generated from a
workstation in my domain. I see the headers of such spam mail and because
the claim coincided with a workstation IP range in which SMTP is allowed
for such subnet and because I had problems with users from same subnet in
the past, I think the report is somewhat credible and I would like to
investigate this.
==> Apparently the Exchange servers were not used as a relay, therefore the
SMTP logging wouldn't help much.

Logging, of course. Journalling would also possibly help. Block port
25 in your firewall for all systems except Exchange and review your
firewall logs.
You might write a database record for logins in a login script,
tracking IP, time and user ID.
==>True, but the login script option wouldn't help if the suspect is logging
on locally (techies are users on such subnet and they normally have the
local administrator password)
 
Herb Martin

First, how do you know this?
==>Reported by two independent agencies that spam is being generated from a
workstation in my domain. I see the headers of such spam mail and because
the claim coincided with a workstation IP range in which SMTP is allowed
for such subnet and because I had problems with users from same subnet in
the past, I think the report is somewhat credible and I would like to
investigate this.

You should see a pattern -- we both wanted to know
how you knew the IP was invalid (which is really not
the case as far as we can tell from your report otherwise.)

How many machines do you physically have in that subnet?
 
Jeff Cochran

Some of the information below would have saved time in the first round
of questions/suggestions.

Okay, it's not passing through Exchange and you allow SMTP out from
individual workstations. Plus the offending user may be a local
admin.

That means you have only your firewall that's of use. I'd block SMTP
out from any but authorized senders/servers. At the least, monitor
your firewall logs for traffic on port 25 from the LAN to WAN.
Configuring an internal IDS system may help as well.

Jeff
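As an added illustration of Jeff's advice to watch firewall logs for LAN-to-WAN port 25 traffic, combined with Marlon's wish to match a reported IP back to a DHCP lease: this is example code written for this thread, not anything posted by the participants. The firewall log format, the DHCP lease record format, the Exchange server address 10.10.5.10 and the 10.10. workstation range are all assumptions; the log lines are constructed samples.

```python
"""Flag outbound SMTP (TCP/25) from workstations that bypasses the mail server and
look up each source IP in DHCP lease records. All log lines are constructed samples and
both log formats are assumptions, not any real firewall's or Windows DHCP's output."""
import re
from datetime import datetime

AUTHORIZED_SMTP = {"10.10.5.10"}  # assumed address of the Exchange server
LAN_PREFIX = "10.10."             # assumed workstation address range

# Constructed firewall log: timestamp, action, protocol, source, destination:port
FIREWALL_LOG = """\
2005-03-01 09:15:02 ALLOW TCP 10.10.5.10 203.0.113.25:25
2005-03-01 09:17:44 ALLOW TCP 10.10.7.200 198.51.100.9:25
2005-03-01 09:17:45 ALLOW TCP 10.10.7.200 198.51.100.14:25
2005-03-01 09:18:10 ALLOW TCP 10.10.7.31 192.0.2.80:80
2005-03-01 09:19:03 ALLOW TCP 10.10.7.44 198.51.100.9:25
"""
# Constructed DHCP lease records: lease start, lease end, ip, mac, hostname
DHCP_LEASES = """\
2005-03-01 08:00:00,2005-03-02 08:00:00,10.10.7.44,00-0c-29-aa-bb-cc,WS-ACCT07
2005-03-01 08:30:00,2005-03-02 08:30:00,10.10.7.31,00-0c-29-11-22-33,WS-ACCT03
"""
LINE_RE = re.compile(r"^(\S+ \S+) ALLOW TCP (\S+) \S+:(\d+)$", re.M)

def outbound_smtp(log):
    """Return (timestamp, src_ip) for TCP/25 flows from the LAN that did not come from the mail server."""
    hits = []
    for m in LINE_RE.finditer(log):
        ts, src, port = m.groups()
        if port == "25" and src.startswith(LAN_PREFIX) and src not in AUTHORIZED_SMTP:
            hits.append((datetime.fromisoformat(ts), src))
    return hits

def lease_holder(leases, ip, when):
    """Return the lease (mac, host) covering ip at time `when`, or None if no lease did."""
    for rec in leases.splitlines():
        start, end, lease_ip, mac, host = rec.split(",")
        if lease_ip == ip and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end):
            return {"mac": mac, "host": host}
    return None  # no lease covered that IP then: a static or made-up address, as Herb suspected

def report(fw_log=FIREWALL_LOG, leases=DHCP_LEASES):
    """Per offending source IP: number of SMTP flows and the DHCP lease holder when first seen."""
    out = {}
    for when, src in outbound_smtp(fw_log):
        entry = out.setdefault(src, {"flows": 0, "lease": lease_holder(leases, src, when)})
        entry["flows"] += 1
    return out
```

A source that shows SMTP flows but no covering lease is the case Herb describes (an address the sender configured by hand), so the next step is the switch port or MAC table for that segment rather than the DHCP server.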
 