LogParser for Finding Spam Senders

I am the email administrator where I work, and over the summer there has been an onslaught of phishing email specifically targeting our Windows Domain credentials. It's probably no shock that people fall for this, and as a result we periodically see compromised accounts being used to send spam out through our servers.

One tool I've found helpful is LogParser from Microsoft. Once I get an alert from the log file monitor program that runs (I'll post the source in a later article) I use LogParser to search our message tracking logs for the person who has the hacked account.

At that point I disable the account and block any outbound messages from it. Usually by that time it's too late, but it gives the user the chance to call our Help Desk for instructions on how to change their password and get a lecture about how one should never give out a password in email.

Below is the query I run to get back a list of senders, their unique subject lines, and the number of events for each pair. Keep in mind that the count column counts all Exchange tracking events, not messages: each successfully sent message generates somewhere around 5 or 6 events as it is received, routed and delivered, so a sender with 300 events has sent closer to 50 or 60 messages. For a list of Exchange events and what they mean, check out this page.

```sql
-- Group tracking events by sender and subject; a compromised account
-- shows up as one sender with the same subject repeated many times.
select sender-address, message-subject, count(*)
from **TrackingLogFilePath**
group by sender-address, message-subject
order by count(*) desc
```

Save the above to a file and run logparser from the command line, replacing **fileName** with the path to the saved query:

```
logparser.exe file:**fileName** -i:w3c -o:datagrid
```

The -o:datagrid option pops the results up in a grid window; use whatever output format you want. See the logparser help for the list of input and output formats.
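As an added example (not from the original post, and not the LogParser query above), the script below does the same grouping over a constructed tracking-log excerpt and goes one step further than the query: it also counts distinct message-ids per sender and subject, so you can see real message counts next to the raw event counts, and it flags any sender who has pushed the same subject line out more than a few times. It assumes the Exchange 2007/2010 style of tracking log (comma-separated with a #Fields: header line naming the columns, including message-id); the sample log lines, the addresses and the threshold are all made up for the example.

```python
"""Aggregate Exchange message-tracking events by sender and subject.

Added example, not part of the original post. The log excerpt below is
constructed: it mimics the Exchange 2007/2010 tracking-log layout
(comma-separated, '#Fields:' header) but is not real data.
"""
import csv
from collections import defaultdict

# Constructed sample: bob sends one normal message (2 events), carol's
# compromised account sends the same phishing subject to three recipients
# (3 messages x 3 events each = 9 events).
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Date: 2012-08-20T00:00:00.000Z
#Fields: date-time,event-id,sender-address,recipient-address,message-subject,message-id
2012-08-20T08:01:10.000Z,RECEIVE,bob@example.org,alice@example.org,Lunch today?,<m1@example.org>
2012-08-20T08:01:11.000Z,DELIVER,bob@example.org,alice@example.org,Lunch today?,<m1@example.org>
2012-08-20T09:15:00.000Z,RECEIVE,carol@example.org,user1@example.net,"Your mailbox is over quota, verify now",<m2@example.org>
2012-08-20T09:15:00.000Z,TRANSFER,carol@example.org,user1@example.net,"Your mailbox is over quota, verify now",<m2@example.org>
2012-08-20T09:15:01.000Z,SEND,carol@example.org,user1@example.net,"Your mailbox is over quota, verify now",<m2@example.org>
2012-08-20T09:15:02.000Z,RECEIVE,Carol@example.org,user2@example.net,"Your mailbox is over quota, verify now",<m3@example.org>
2012-08-20T09:15:02.000Z,TRANSFER,Carol@example.org,user2@example.net,"Your mailbox is over quota, verify now",<m3@example.org>
2012-08-20T09:15:03.000Z,SEND,Carol@example.org,user2@example.net,"Your mailbox is over quota, verify now",<m3@example.org>
2012-08-20T09:15:04.000Z,RECEIVE,carol@example.org,user3@example.net,"Your mailbox is over quota, verify now",<m4@example.org>
2012-08-20T09:15:04.000Z,TRANSFER,carol@example.org,user3@example.net,"Your mailbox is over quota, verify now",<m4@example.org>
2012-08-20T09:15:05.000Z,SEND,carol@example.org,user3@example.net,"Your mailbox is over quota, verify now",<m4@example.org>
"""


def parse_tracking_log(text):
    """Return one dict per data row, keyed by the names in the #Fields: line.

    Comment lines (#Software, #Date, ...) are skipped; quoted subjects that
    contain commas are handled by the csv module.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row appeared before the #Fields: header")
        values = next(csv.reader([line]))
        rows.append(dict(zip(fields, values)))
    return rows


def summarize(rows):
    """Group by (sender, subject): raw event count and distinct message count.

    Sorted by event count descending, which matches the LogParser query's
    'order by count(*) desc'. Sender addresses are lower-cased so the same
    mailbox written in different case is not split into two rows.
    """
    events = defaultdict(int)
    messages = defaultdict(set)
    for r in rows:
        key = (r["sender-address"].lower(), r["message-subject"])
        events[key] += 1
        messages[key].add(r["message-id"])
    summary = [
        {"sender": s, "subject": subj, "events": events[(s, subj)],
         "messages": len(messages[(s, subj)])}
        for (s, subj) in events
    ]
    summary.sort(key=lambda x: (-x["events"], x["sender"], x["subject"]))
    return summary


def flag_senders(summary, max_messages_per_subject=2):
    """Senders who sent the same subject more than the threshold number of times.

    The threshold is a made-up example value; tune it to your own traffic.
    """
    return sorted({x["sender"] for x in summary
                   if x["messages"] > max_messages_per_subject})


if __name__ == "__main__":
    summary = summarize(parse_tracking_log(SAMPLE_LOG))
    for x in summary:
        print(f'{x["events"]:>4} events {x["messages"]:>3} msgs  '
              f'{x["sender"]}  {x["subject"]}')
    print("suspect senders:", flag_senders(summary))
```

Run it as-is to see the table for the constructed log, or replace SAMPLE_LOG with the contents of a real tracking log file. The distinct message count is the number to act on when deciding whether an account is hacked; the raw event count is what the LogParser query above reports and is inflated by the several events each message generates on its way out.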