Tracing Outlook client activity to IP address 1

Status
Not open for further replies.

grubs4fishn

IS-IT--Management
May 20, 2008
3
US
I have a bot on an internal PC that kicks off a few outbound SPAM messages per day. I want to track it down to its NetBIOS name or IP address for remediation purposes. I currently see no way to accomplish this. I have tried EXMON.EXE but it does not gather anything helpful. I can see the NDRs generated by the bot in the application logs, but nothing there to identify the source. Any help here would be greatly appreciated. I have a packet sniff of the behavior, but am not sharp enough to make much out of it. Thanks in advance.
 
Look at the Exchange server logs; the client IP address is listed.
 
Can you be more detailed? I looked there first. I see no client server entries in the event logs. There may be a way to crank up the logging, but what you can do there is very complex, and by default most logging is turned off.
 
I did not mean the event logs, but the server tracking logs (if you have them enabled). They are server_name.log. Look on your Exchange server in ESM and look at the properties of the server. It will show all traffic going in/out of the Exchange server.
 
SilentSam - that's nicely put, concise and helpful. Have a star from me for helping others.
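
As an added example (not part of the thread and not any poster's code), one way to act on the tracking-log suggestion is to tally mail to outside recipients per client IP. It assumes tab-separated tracking logs whose column names, including `client-ip`, appear in a `#`-prefixed header line; the sample records, hostnames, reduced column set and the `example.com` domain are constructed.

```python
from collections import defaultdict

# Constructed sample, not taken from the thread. Column set is reduced for brevity.
SAMPLE_LOG = "\n".join([
    "# Message Tracking Log File",
    "# Date\tTime\tclient-ip\tClient-hostname\tRecipient-Address\tSender-Address",
    "2008-5-20\t9:01:07 GMT\t10.0.0.21\tPC-ACCT01\tbob@example.com\talice@example.com",
    "2008-5-20\t9:14:52 GMT\t10.0.0.37\tPC-LAB07\tx@example.net\tpromo@example.org",
    "2008-5-20\t9:14:53 GMT\t10.0.0.37\tPC-LAB07\ty@example.net\tdeals@example.org",
    "2008-5-20\t9:14:55 GMT\t10.0.0.37\tPC-LAB07\tz@example.net\tpromo@example.org",
    "2008-5-20\t9:30:11 GMT\t10.0.0.21\tPC-ACCT01\tvendor@example.net\talice@example.com",
])

def parse_tracking_log(text):
    """Yield one dict per record, keyed by lower-cased column name from the header."""
    columns = None
    for line in text.splitlines():
        if line.startswith("#"):
            fields = [f.strip().lower() for f in line.lstrip("# ").split("\t")]
            if "client-ip" in fields:      # this comment line is the column header
                columns = fields
            continue
        if columns and line.strip():
            yield dict(zip(columns, line.split("\t")))

def external_mail_by_client(text, local_domain):
    """Per client IP: hostnames seen, sender addresses used, external-recipient count."""
    stats = defaultdict(lambda: {"hosts": set(), "senders": set(), "external": 0})
    suffix = "@" + local_domain.lower()
    for rec in parse_tracking_log(text):
        ip = rec.get("client-ip", "").strip()
        if not ip or ip == "-":
            continue                       # skip records with no client address
        entry = stats[ip]
        entry["hosts"].add(rec.get("client-hostname", "").strip())
        entry["senders"].add(rec.get("sender-address", "").strip().lower())
        if not rec.get("recipient-address", "").strip().lower().endswith(suffix):
            entry["external"] += 1
    return dict(stats)

def rank_clients(text, local_domain):
    """Client IPs ordered by how many records went to external recipients."""
    stats = external_mail_by_client(text, local_domain)
    return sorted(stats, key=lambda ip: stats[ip]["external"], reverse=True)

if __name__ == "__main__":
    for ip in rank_clients(SAMPLE_LOG, "example.com"):
        print(ip, external_mail_by_client(SAMPLE_LOG, "example.com")[ip])
```

A workstation that tops the ranking while using several sender addresses outside the local domain is the one to pull for remediation.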
 