We don't have one particular way to determine a sender directly. You would need esstentially a place to start. If you know a sender or subject - you can use the CLI and 'grep' to parse through the mail_logs.
The best way to accomplish this would be to syslog those mail_logs off the appliance, and to a full Linux/Unix host that has extended grep on it.
If there are large messages that are being sent/spammed out - you can also use grep to investigate the mail logs:
http://tools.cisco.com/squish/aBAAD
You can use the grep command in the CLI to find the size of large messages that have passed through the IronPort device. Three commands are listed below to find messages of various sizes.
To find messages that are 100k to 999k in size:
ironport.example.com> grep -i "ready ...... bytes" mail_logs
To find messages that are 1MB to 9.9MB in size:
ironport.example.com> grep -i "ready ....... bytes" mail_logs
To find messages that are 10MB to 99.9MB in size:
ironport.example.com> grep -i "ready ........ bytes" mail_logs
Notes:
* The -i indicates the the search should be case insensitive
* The . characters indicate how many characters the search should match.
In these examples, there are 6 periods in the first command, 7 periods in the second command
and 8 periods in the third command.
One thing to keep in mind - if you are trying to prevent users from spamming out - try using the Rate Limit for Envelope Senders option.
Starting in 7.6 - limit outbound messages for end-users in order to prevent mass outbound emails/spamming.
From the GUI, Mail Flow Policies -> (select Policy, "Relay" for example) -> Mail Flow Limits, expand Rate Limit for Envelope Senders
With in this section – you can set a specified number of mail sent for individuals:
Once this is in place – you will be notified automatically when the limit is hit. Please be sure that you do have System notifications added and set to an admin recipient address. This can be set under System Administration -> Alerts. Add if this is not enabled. Make sure that 'Info' is checked.
From our Configuration Guide…
AsyncOS 7.6 updates Mail Flow Policies with the option to limit number of recipients during a specified time period that a listener will receive from a unique envelope sender, based on the mail-from address. Each listener tracks its own rate limiting threshold; however, because all listeners validate against a single counter, it is more likely that the rate limit will be exceeded if messages from the same mail-from address are received by multiple listeners.
From the Daily Management Guide…
Rate Limiting by envelope sender allows you to limit the number of email messages per time interval. from an individual sender, based on the mail-from address. The Rate Limits report allows you to quickly identify individual senders of large numbers of messages. Use this report to help you to:
Control spam from internal user accounts, for example in cases when a user's credentials are compromised and the account is used to send spam in bulk.
Identify compromised user accounts.
Limit out-of-control applications that use email for notifications, alerts, automated statements, etc.
Avoid damaging your organization’s online reputation and the attendant hassles resulting from this situation
Rate Limiting is configured in Mail Policies > Mail Flow Policies. For more information on rate limiting, see the “Configuring the Gateway to Receive Email” chapter in the AsyncOS for Email Configuration Guide.
These docs are found:
http://www.cisco.com/en/US/products/ps10154/products_user_guide_list.html
Nice article, Robert!
Also, from a reporting perspective this will give you a good idea who your spammers are.
Monitor > Reporting > Internal users
