
We have had issues with compromised Exchange accounts sending a large number of unsolicited e-mails out. We have mitigated this by using a cloud e-mail gateway that does a better job of detecting these outgoing messages, so as not to hurt our e-mail reputation.

However, we would still like to detect any abnormal e-mail activity. One idea is a report of the Exchange accounts with the most outgoing messages.

Any idea on how to do this? Or a similar stat that may be indicative of an account being compromised?

Belmin Fernandez
  • You want just smtp outbound or internal top "talkers" too? And, is your email gateway the ONLY way out for your email for sure or just your Exchange smart host? – TheCleaner Jun 01 '14 at 18:32
  • Correct. The cloud gateway is the Exchange smarthost. Since we are focusing on compromised authenticated Exchange accounts, the Exchange stats should suffice for our use-case. – Belmin Fernandez Jun 01 '14 at 22:37
  • Which 3rd party gateway? They should have their own reporting tools that would be better, since it would only focus on external email. I can offer some Exchange specific suggestions if not. – TheCleaner Jun 02 '14 at 02:33
  • We are now using EOP but, since we are not stuck on that, we would rather use a report from the on-premise Exchange. – Belmin Fernandez Jun 02 '14 at 12:50

1 Answer


I came up with this PS script today which does the job:

# Load the Exchange 2010 management cmdlets (run from a plain PowerShell window)
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010

# For every transport server, take the last 24 hours of SEND events (messages handed
# to the next hop, i.e. the smart host), sum RecipientCount per sender, and keep the
# senders that reached more than 100 recipients in total.
$output = Get-TransportServer |
    Get-MessageTrackingLog -Start (Get-Date).AddDays(-1) -EventID "SEND" -ResultSize Unlimited |
    Group-Object -Property Sender |
    ForEach-Object { New-Object PSObject -Property @{ Sender = $_.Name; Recipients = ($_.Group | Measure-Object -Property RecipientCount -Sum).Sum } } |
    Where-Object { $_.Recipients -gt 100 } |
    Sort-Object -Property Recipients -Descending |
    Format-Table -AutoSize Sender, Recipients |
    Out-String

# Mail the table to the admin mailbox via the internal SMTP host
Send-MailMessage -From sysadmins@example.com -To sysadmins@example.com -Subject "Exchange senders report: $(Get-Date -UFormat '%a, %D')" -Body $output -SmtpServer mail.example.com

Basically, it sends us a report of everyone who has sent e-mail to more than 100 users in total in the past 24 hours.

I then made it a scheduled daily task. This seems to do the trick.

Belmin Fernandez
    Look at this one that I found a while back mate...sorry for the delays. If it works for you (modified of course for your need) then feel free to edit your answer and accept your own...http://serverfault.com/questions/367223/exchange-2007-and-2010-weekly-report-of-internal-email-needed – TheCleaner Jun 02 '14 at 18:07
  • Oh thanks! I was trying to keep it as simple as possible but that one certainly gives me ideas. – Belmin Fernandez Jun 03 '14 at 11:24
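The following is an added example and not code from the answer above or from Microsoft. It keeps the answer's core check (total recipients per sender over SEND events) and adds the "similar stats" the question asks for: message count, number of distinct external recipient domains, and the share of messages sent outside business hours, so a compromised account that sends many small messages at night shows up even when it stays under the 100-recipient line. The thresholds, the internal domain name, the business hours and the sample log entries are all assumptions made for the illustration; on a real server the function is fed from Get-MessageTrackingLog as shown in the final comment.

```powershell
# Added example, not code from the original answer. Thresholds, domain names and
# the sample entries are assumptions for illustration only.

function Get-SenderAnomalyReport {
    param(
        # Objects shaped like Get-MessageTrackingLog output:
        # Timestamp, Sender, Recipients (array), RecipientCount, EventId
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] [object[]] $LogEntry,
        [int]    $RecipientThreshold = 100,           # assumed: same line as the original report
        [int]    $MessageThreshold   = 50,            # assumed: messages per sender per day
        [int]    $DomainThreshold    = 25,            # assumed: distinct external recipient domains
        [string] $InternalDomain     = 'example.com', # assumed: your own accepted domain
        [int]    $BusinessStart      = 7,             # assumed: local business hours
        [int]    $BusinessEnd        = 19
    )
    begin   { $all = New-Object System.Collections.Generic.List[object] }
    process { foreach ($e in $LogEntry) { $all.Add($e) } }
    end {
        $all |
            Where-Object { $_.EventId -eq 'SEND' -and $_.Sender } |
            Group-Object -Property Sender |
            ForEach-Object {
                $sender = $_.Name
                $msgs   = $_.Group
                $total  = ($msgs | Measure-Object -Property RecipientCount -Sum).Sum
                # Distinct recipient domains other than our own; @() keeps Count at 0 when empty
                $domains = @($msgs | ForEach-Object { $_.Recipients } |
                    ForEach-Object { ($_ -split '@')[-1].ToLower() } |
                    Where-Object { $_ -ne $InternalDomain.ToLower() } |
                    Sort-Object -Unique)
                $offHours = @($msgs | Where-Object {
                    $_.Timestamp.Hour -lt $BusinessStart -or $_.Timestamp.Hour -ge $BusinessEnd }).Count
                $offPct = [math]::Round(100 * $offHours / $msgs.Count)
                $flags = @()
                if ($total -gt $RecipientThreshold)      { $flags += "recipients>$RecipientThreshold" }
                if ($msgs.Count -gt $MessageThreshold)   { $flags += "messages>$MessageThreshold" }
                if ($domains.Count -gt $DomainThreshold) { $flags += "domains>$DomainThreshold" }
                if ($offPct -ge 50)                      { $flags += "off-hours $offPct%" }
                New-Object PSObject -Property @{
                    Sender = $sender; Messages = $msgs.Count; Recipients = $total
                    ExternalDomains = $domains.Count; OffHoursPct = $offPct; Flags = ($flags -join ', ')
                }
            } |
            Where-Object { $_.Flags } |
            Sort-Object -Property Recipients -Descending |
            Select-Object Sender, Messages, Recipients, ExternalDomains, OffHoursPct, Flags
    }
}

# Constructed sample in the shape of Get-MessageTrackingLog objects; not real log data.
function New-SampleEntry ($When, $Sender, $Recipients) {
    New-Object PSObject -Property @{
        Timestamp = $When; Sender = $Sender; Recipients = @($Recipients)
        RecipientCount = @($Recipients).Count; EventId = 'SEND'
    }
}
$base   = Get-Date '2014-06-01 03:00'
$sample = @()
# mallory: 60 single-recipient mails at 3 AM to 60 different domains. Under the
# 100-recipient threshold of the original report, but flagged here three times.
foreach ($i in 1..60) { $sample += New-SampleEntry $base.AddMinutes($i) 'mallory@example.com' "victim@domain$i.test" }
# alice: one internal newsletter to 150 colleagues during the day, flagged on recipients only.
$sample += New-SampleEntry $base.AddHours(7) 'alice@example.com' (1..150 | ForEach-Object { "user$_@example.com" })
# bob: five ordinary mails during the day, not flagged at all.
foreach ($i in 1..5) { $sample += New-SampleEntry $base.AddHours(8).AddMinutes($i) 'bob@example.com' 'partner@vendor.test' }

$sample | Get-SenderAnomalyReport | Format-Table -AutoSize

# Against a live server, feed the real log instead of the sample:
# Get-TransportServer | Get-MessageTrackingLog -Start (Get-Date).AddDays(-1) -EventID SEND -ResultSize Unlimited |
#     Get-SenderAnomalyReport | Format-Table -AutoSize
```

With the sample data the report lists mallory (60 messages, 60 external domains, 100% off-hours) and alice (150 recipients); bob is filtered out because no flag fires. The Flags column is the useful part for triage: a legitimate newsletter trips only the recipient count, whereas a compromised mailbox used for spam usually trips several indicators at once. Tune the thresholds against a few days of your own log before mailing the report, and note that the whole approach only sees mail that passed through your transport servers, which is exactly the authenticated-account case the question is about.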