Logon User Column in Event Log RSS

1

Dear friends,

It's been forever since I've posted. One of my clients was able to avert a disaster by using ORF's recipient blacklist by restricting the recipient to their own domain only.

I recall seeing at some point the login user account in the event log used by the offending external senders to external accounts, essentially using an AD account to simulate open relay.

I cannot find that feature anymore.

Please advise.

by hagop.nalbandian 5 years ago
2

@hagop.nalbandian: Unfortunately, in Exchange 2007 and newer versions, ORF is no longer able to log the username of the compromised account which is used by a spammer to relay emails to external recipients. Exchange will only tell ORF whether the session is authenticated or not. This is because it is not the user which is authenticated, but the session itself (so ORF will log "Authenticated session, type: organization." instead of the actual user name used for the authentication).

I recommend checking the Exchange Delivery Reports for the destination addresses of these outgoing spam emails, which should indicate the user name of the compromised account (I think):

http://blogs.technet.com/b/exchange/archive/2010/01/13/3409181.aspx
http://howdouc.blogspot.hu/2010/08/user-message-delivery-reports-in.html

To prevent user accounts from being compromised you should

* enforce a strong password policy (i.e., passwords should be long, should include uppercase and lowercase characters, special characters, numbers, etc. and should be changed often)
* make sure you do not have active "test" accounts in your system with weak passwords (like "test", "123456", etc.)
* secure the server and clients with up-to-date resident anti-virus and other security software which prevent passwords from leaking out via keyloggers, Trojans, worms, etc.

by Krisztián Fekete (Vamsoft) 5 years ago
(in reply to this post)

3

Shouldn't the logon not be logged within the SMTP Receive Log if enabled on the receive connectors? This sould be easy to find out. Not as nice as the ORF Logviewer, but readable.

Regards
Norbert

by NorbertFe 5 years ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

Nickname:
Email address (will not be published):
Your comment:

ORF Technical Support

Configuring, installing and troubleshooting ORF.

News & Announcements

Your dose of ORF-related news and announcements.

Everything but ORF

Discuss Exchange and system administration with fellow admins.

Feature Test Program

Feature Test Program discussion. Membership is required to visit this forum.

ORF Beta

Join the great bug hunt of the latest test release.

Customer Service

Stay Informed