Educause Security Discussion mailing list archives

Re: New e-mail attack using valid webmail accounts


From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Thu, 6 Mar 2008 11:08:13 -0500

We use Ipswitch WhatsUp Gold.  We have the enterprise version which has
an Exchange monitor that will monitor queues.  However, I abandoned it
and separated the queue monitoring into a WMI monitor in WhatsUp Gold,
which is all the special enterprise Exchange monitor action does anyway.
You could do the same with any monitoring tool that is capable of
pulling performance counters using WMI or SNMP or even use a VBScript
that is fired off using the task scheduler.

You will find the performance counter to monitor using WMI under SMTP
Server\Remote Queue Length under the instance _Total.

There are other queue monitors you can use as well.  Here is an article
describing a few of them:
http://technet.microsoft.com/en-us/library/bb123740(EXCHG.65).aspx

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael H. Martel
Sent: Thursday, March 06, 2008 9:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New e-mail attack using valid webmail accounts

--On March 5, 2008 9:08:22 PM -0500 "Jenkins, Matthew" 
<matthew.jenkins () FAIRMONTSTATE EDU> wrote:

> Luckily we monitor our queues and were paged when this attack took
> place.
> We quickly responded by investigating, disabling the account, and then

What do you use to monitor your queues?  This sounds like something a
lot of sites should be doing.

Thanks!




Michael

--

  --------------------------------o---------------------------------
   Michael H. Martel              | Systems Administrator
   michael.martel () vsc edu         | Vermont State Colleges
   http://www.vsc.edu/~michael    | PH:802-241-2544 FX:802-241-3363
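
A scheduled-task form of the queue check described in the first message, written in PowerShell rather than VBScript. This is an added example, not code from either poster; the threshold, sample counts and exit-code convention are assumptions to tune against your own baseline.

```powershell
# Added example: poll the SMTP remote queue counter and flag a sustained backlog.
# Threshold, sample counts and the exit-code convention are assumptions.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Threshold = 500,        # assumed: queue length considered abnormal
    [int]$Samples = 5,            # readings taken per run
    [int]$IntervalSeconds = 60,   # seconds between readings
    [int]$BreachesRequired = 3    # readings over threshold before alerting
)

# Counter named in the message: SMTP Server\Remote Queue Length, instance _Total
$counterPath = '\SMTP Server(_Total)\Remote Queue Length'

try {
    $readings = Get-Counter -ComputerName $ComputerName -Counter $counterPath `
        -SampleInterval $IntervalSeconds -MaxSamples $Samples -ErrorAction Stop |
        ForEach-Object { [int]$_.CounterSamples[0].CookedValue }
}
catch {
    # A monitor that cannot read the counter should alert, not pass silently.
    Write-Warning "Could not read '$counterPath' on ${ComputerName}: $($_.Exception.Message)"
    exit 2
}

# Require several readings over the threshold so a brief spike does not page anyone.
$breaches = @($readings | Where-Object { $_ -gt $Threshold }).Count
$peak = ($readings | Measure-Object -Maximum).Maximum

if ($breaches -ge $BreachesRequired) {
    Write-Warning "Remote queue on $ComputerName over $Threshold in $breaches of $Samples samples (peak $peak)."
    exit 1   # non-zero exit lets Task Scheduler or a wrapper trigger the page
}

Write-Output "Remote queue on $ComputerName normal (peak $peak, threshold $Threshold)."
exit 0
```

Send the resulting page through a path that does not depend on the mail server being watched, since a flooded outbound queue would delay an e-mailed alert.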
