Recently we released an email reporting solution that provides in-depth reporting on Microsoft Exchange logs. Releasing an Exchange log analyzer may not seem all that innovative on the surface, but we did it with a big twist. This isn’t just an “email tracker”; it has some significant email security benefits.
Mailinizer is a full Microsoft Exchange log analysis solution that, when paired with Scrutinizer, provides access to all event types with sophisticated include and exclude filtering. And, since most large enterprises have multiple servers, we made sure that a single report can be run against dozens of mail servers.
Why is our log monitoring software for Exchange so different? For one thing, we are not limited to basic bar charts or, even worse, text-based output. Most reporting solutions for Exchange provide helpful email reports, but they lack the ability to trend the data over time.
I’ll provide an example of why this is so important. The recent email virus outbreak “here you have” is a simple Trojan Horse: an e-mail arrives in your inbox with the odd-but-suggestive subject line “here you have.” If you click the link in the body of the message, you end up downloading and launching a program that spams the same Trojan Horse out to everyone in your address book, flooding and crippling the company’s email server. Ouch!
What’s worse is that leading antivirus products such as McAfee Labs and Symantec didn’t always catch the virus. So, who at your company received the email? Wouldn’t you like to know? Here is how we used Mailinizer within Scrutinizer to track this email threat at Plixer.
First, I logged into Scrutinizer, clicked on “Top Mail Servers”, clicked on one of our Microsoft Exchange mail servers and selected a report called “Subjects”, which shows the top subjects of emails during the selected time frame. Click on the image below to expand it.
Below is the “Subjects” report. Notice that “here you have” is the top subject. I clicked on this subject and ran a report for the top “Recipients” receiving the most emails with this subject.
Notice below that the filter “Here you have” appears on the left. I can see all the email addresses that received an email with this subject. Look closely at the little spike at the beginning of the trend.
I wanted to narrow in on the little spike in the email traffic report just prior to 9:26 AM, so I dragged my mouse over the data point to zoom in on that time frame, as shown below. This is why trends are important: it’s often easier to see when a problem began.
It looks like this email was first received by raul[at]plixer.com. Below, I changed the Report Type to “Conversations by Subject” to see who Raul may have received this virus from.
Behold, the source of the virus was an email address of redmoon5000[at]hotmail.com as shown below.
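The investigation above is really four queries over Exchange message tracking logs: top subjects, recipients of one subject, the per-minute trend that exposes the first spike, and the sending addresses for that subject. As an added example that is not Mailinizer or Scrutinizer code and is not anything Plixer ships, the script below answers those same questions directly from a tracking log file. The sample log is constructed (invented addresses on example domains and invented timestamps) and keeps only a subset of the columns a real Exchange message tracking log carries; the column names and the `#Fields:` header line follow the real format, but that mapping is an assumption for illustration.

```python
"""Mine an Exchange message tracking log the way the 'Subjects', 'Recipients'
and 'Conversations by Subject' reports do. Added example, not Mailinizer code."""
import csv
from collections import Counter
from datetime import datetime

# Constructed sample log. Real tracking logs carry many more columns; only
# the ones needed here are kept (assumption: header names match the real
# '#Fields:' line). All addresses and times are invented.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Date: 2010-09-09T09:00:00.000Z
#Fields: date-time,event-id,recipient-address,message-subject,sender-address
2010-09-09T09:12:05.000Z,RECEIVE,raul@example.com,here you have,redmoon5000@example.net
2010-09-09T09:12:06.000Z,DELIVER,raul@example.com,here you have,redmoon5000@example.net
2010-09-09T09:20:11.000Z,RECEIVE,alice@example.com,Q3 budget,bob@example.com
2010-09-09T09:26:40.000Z,RECEIVE,alice@example.com,Here you have,carol@example.org
2010-09-09T09:26:41.000Z,RECEIVE,bob@example.com,here you have,carol@example.org
2010-09-09T09:26:42.000Z,RECEIVE,dave@example.com,here you have,carol@example.org
2010-09-09T09:30:00.000Z,RECEIVE,bob@example.com,lunch?,alice@example.com
"""


def parse_tracking_log(text):
    """Parse the W3C-style log: '#Fields:' names the columns, other '#'
    lines are metadata, data rows are CSV (subjects with commas are quoted)."""
    fields, events = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row appeared before the #Fields header")
        event = dict(zip(fields, next(csv.reader([line]))))
        event["date-time"] = datetime.strptime(event["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(event)
    return events


def _match(event, subject, event_id="RECEIVE"):
    # Count only RECEIVE so one message is not double-counted on DELIVER;
    # compare subjects case-insensitively ("Here you have" vs "here you have").
    return (event["event-id"] == event_id
            and event["message-subject"].casefold() == subject.casefold())


def top_subjects(events, n=10):
    """'Subjects' report: most common subjects among received messages."""
    counts = Counter(e["message-subject"].casefold()
                     for e in events if e["event-id"] == "RECEIVE")
    return counts.most_common(n)


def recipients_for_subject(events, subject):
    """'Recipients' report filtered on one subject."""
    return Counter(e["recipient-address"] for e in events if _match(e, subject))


def per_minute_trend(events, subject):
    """The trend line: how many receipts of this subject per minute (HH:MM)."""
    return Counter(e["date-time"].strftime("%H:%M") for e in events if _match(e, subject))


def first_sighting(events, subject):
    """The earliest receipt, i.e. the small spike before the flood: who got it
    first and from which sending address."""
    hits = [e for e in events if _match(e, subject)]
    if not hits:
        return None
    first = min(hits, key=lambda e: e["date-time"])
    return {"when": first["date-time"],
            "recipient": first["recipient-address"],
            "sender": first["sender-address"]}


def senders_for_subject(events, subject):
    """'Conversations by Subject': sending addresses seen with this subject."""
    return Counter(e["sender-address"] for e in events if _match(e, subject))


if __name__ == "__main__":
    evs = parse_tracking_log(SAMPLE_LOG)
    hot = top_subjects(evs, 1)[0][0]
    print("Top subjects:", top_subjects(evs, 3))
    print("Recipients of %r:" % hot, recipients_for_subject(evs, hot).most_common())
    print("Per-minute trend:", sorted(per_minute_trend(evs, hot).items()))
    print("First sighting:", first_sighting(evs, hot))
    print("Senders:", senders_for_subject(evs, hot).most_common())
```

Running it on the constructed log reproduces the chain in the post: the top subject is "here you have", the per-minute trend shows a single receipt at 09:12 before three more at 09:26, the first recipient is raul with the sender that started it, and the later burst comes from a different (already infected) address. On a real server, point `parse_tracking_log` at the contents of a file from the Exchange message tracking log directory instead of `SAMPLE_LOG`.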
Thankfully, Raul knew enough not to click on the link in the email and warned the others. Email rule of thumb: “Never trust unsolicited e-mail, treat all attachments with caution and don’t click links in unsolicited e-mails.”
Amy Kudwa, Department of Homeland Security spokeswoman.
A Clever Technique
“In the ‘here you have’ virus there are differences compared to old-style worms, starting with it being served in a confusing range of variants, with different subject lines and offered download lures. Worms from the early part of this decade also attacked using attachments, whereas ‘Here you have’ adopts the contemporary technique of directing people to remote servers. These techniques give it a more Trojan-like character in that the payload can be varied to a range of possible end effects that will take time to work out. The polymorphism of the email attack makes it harder to block using simple rules.”
Source: “‘Here you have’ worm – email security fails again” by John E. Dunn
Contact Plixer if you would like to evaluate the Microsoft Exchange log reporting abilities of Mailinizer. It takes Exchange reporting to a new level.