Live Ransomware samples Subject, Sender August/July 2016 Switzerland

An overview of what Swiss hospitals are receiving these days.

If you still don't get it and understand how critical this point is:

  • Budget is NOT the criterion for deciding whether to use an attachment-analysis sandbox.
  • Modern versions of Cerber SPREAD via shared Windows credentials and jump to all clients. A customer in Asia with 13'000 clients was infected within a few hours.
  • If you have more than 100 employees, or if you think your business is important, BUY a sandbox for mail analysis and use McAfee TIE/ATD for files.
  • If you are too small: there is no solution. Do not accept attachments anymore! Moving all mail flow and Exchange to the cloud will not help you! Spend serious money on security, or accept the risk that ransomware closes your business one day.
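As an added example (not part of the original post), here is the transport rule a defender would put in front of the attachment types that show up in the samples below (JS/Nemucod downloaders and Word macro droppers). The rule name, the extension list and the reject text are assumptions; it runs in the Exchange Management Shell on Exchange 2010 SP1 or 2013:

```powershell
# Added example (not from the original post): reject Internet mail whose attachment
# names end in the script/macro extensions seen in the samples below. Rule name,
# pattern list and reject text are assumptions; adapt them to your environment.

# Extensions the samples use (.js inside .zip, .docm macro droppers) plus common
# script types. .doc/.docx are deliberately not blocked here; a sandbox has to cover those.
$riskyExtensions = 'js', 'jse', 'vbs', 'vbe', 'wsf', 'hta', 'docm', 'xlsm', 'pptm'
$pattern = '\.(' + ($riskyExtensions -join '|') + ')$'

New-TransportRule -Name 'Reject script and macro attachments from Internet' `
    -FromScope NotInOrganization `
    -AttachmentNameMatchesPatterns $pattern `
    -RejectMessageReasonText 'Attachment type not accepted by this organisation.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments 'JS/Nemucod and Word macro droppers, Jul/Aug 2016 wave' `
    -Enabled $true

# Check what is active afterwards
Get-TransportRule | Where-Object { $_.AttachmentNameMatchesPatterns } |
    Format-List Name, State, FromScope, AttachmentNameMatchesPatterns, RejectMessageReasonText
```

The rule only sees the attachment name as it was attached: a .js inside a .zip is matched by this pattern only if your Exchange version inspects archives (Exchange 2013 offers -AttachmentExtensionMatchesWords for that; verify with a test message). That gap is exactly why the post argues for a sandbox on top of extension filtering.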

http://www.scmagazine.com/microsoft-office-365-hit-with-massive-cerber-ransomware-attack-report/article/505845/ (June 2016)

Updated: Millions of Microsoft Office 365 users were potentially exposed to a massive zero-day Cerber ransomware attack last week that not only included a ransom note, but an audio warning informing victims that their files were encrypted.

Steven Toole, a researcher for the cloud-security firm Avanan, blogged that his company saw the first attack roll in at 6:44 a.m. on June 22 and that at least 57 percent of all Office 365 customers on Avanan's platform received at least one phishing attempt that contained the infected attachment and Avanan extrapolated that the same number of all Office 365 users were involved. While Avanan did not supply a specific number of those possibly hit, Microsoft reported in its first quarter 2016 earnings report that there are 18.2 million Office 365 subscribers.

http://www.butsch.ch/post/Ransomware-Schweiz-Mcafee-TIE-Threat-Intelligence-Exchange-im-Einsatz.aspx

http://www.butsch.ch/post/RansomwareDeutschlandSchweiz-Healthcare-Deutscher-Bund-warnt-und-reagiert.aspx

http://www.butsch.ch/post/200216-Ransomware-Locky-Trojan-Germany-high-infection-rates.aspx

https://www.fireeye.com/blog/threat-research/2016/08/locky_ransomwaredis.html

 

The malware was sent in the name of the companies listed below. The sender addresses were spoofed/forged.

Date | Time | Client | Message | From
--- | --- | --- | --- | ---
27.07.2016 | 04:44:34 | mx2.ait.ac.at [62.218.164.132] | The file Alphabet Incorporation.docx is infected with MSWord/Phishing.C97F!phish. | anja.koengeter@ait.ac.at
16.08.2016 | 13:44:58 | [62.152.169.139] | The file dhl_bestellung.docx is infected with JS/Nemucod.AAP!tr.dldr. | buro@dhl.com
20.07.2016 | 13:40:36 | mo4-p03-ob.smtp.rzone.de [81.169.146.172] | The file Paketnummer0221036778.zip is infected with JS/Ransom.AP!tr. | c.zaehringer@microtracer.de
16.08.2016 | 13:31:43 | fysiohoevensevld.demon.nl [80.100.200.39] | The file dhl_rechnung.docx is infected with JS/Nemucod.AAP!tr.dldr. | donotreply@dhl.com
18.07.2016 | 17:34:31 | host-212-68-196-182.dynamic.voo.be [212.68.196.182] | The file coop.ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 17:30:10 | mail.grosvenor-carpets.co.uk [91.135.7.205] | The file coop_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 17:20:25 | 91.98.235.122.pol.ir [91.98.235.122] | The file coop_ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 17:09:24 | gw.paph.co.uk [82.33.219.82] | The file coop.ch_quitung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 17:07:35 | [82.79.49.226] | The file coop_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 17:01:47 | gw.paph.co.uk [82.33.219.82] | The file coop.ch_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 16:54:46 | gw.paph.co.uk [82.33.219.82] | The file coop_quitung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 16:52:15 | [82.78.203.146] | The file coop.ch_quitung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 16:39:59 | 82-76-211-44.rdsnet.ro [82.76.211.44] | The file coop.ch_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 16:39:40 | gw.paph.co.uk [82.33.219.82] | The file coop.ch_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 16:07:52 | 82-76-211-44.rdsnet.ro [82.76.211.44] | The file coop_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 14:45:18 | host-48-166-108-91.as10.ldn.uk.sharedband.net [91.108.166.48] | The file coop.ch_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 14:29:21 | host-212-68-196-182.dynamic.voo.be [212.68.196.182] | The file coop_ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 13:49:33 | 91-189-60-54.riz.pl [91.189.60.54] | The file coop_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 13:36:58 | static.imatel.es [91.200.117.76] | The file coop_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
18.07.2016 | 13:13:35 | 91-189-60-54.riz.pl [91.189.60.54] | The file coop_ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | info@coop.ch
15.08.2016 | 15:41:43 | static-84-42-159-115.net.upcbroadband.cz [84.42.159.115] | The file bestellung_15_08_2016.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@credit-suisse.com
15.08.2016 | 15:18:33 | [193.85.159.72] | The file rechnung_15_08.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@credit-suisse.com
15.08.2016 | 13:19:41 | 148.63.249.5.rev.vodafone.pt [5.249.63.148] | The file bestellung_15_08.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@credit-suisse.com
15.08.2016 | 13:12:11 | 148.63.249.5.rev.vodafone.pt [5.249.63.148] | The file zahlung_15.08.2016.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@credit-suisse.com
16.08.2016 | 12:12:37 | fysiohoevensevld.demon.nl [80.100.200.39] | The file Zahlung_DHL.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@dhl.com
24.08.2016 | 06:39:32 | ncr-100-66.primenet.in [203.115.100.66] | The file PRIVATE CASH.zip is infected with W32/Inject.ABHZO!tr. | info@infobitsystem.com
09.08.2016 | 17:23:43 | 88.250.40.151.static.ttnet.com.tr [88.250.40.151] | The file zahlung_09.08.2016.docx is infected with Malware_Generic.P0. | info@post.ch
09.08.2016 | 17:04:24 | [88.208.35.108] | The file zahlung_09.08.2016.docx is infected with Malware_Generic.P0. | info@post.ch
09.08.2016 | 16:57:18 | [86.34.227.40] | The file quittung_09.08.2016.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@post.ch
09.08.2016 | 16:36:59 | 80.179.6.66.static.012.net.il [80.179.6.66] | The file zahlung_09.08.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@post.ch
09.08.2016 | 14:51:07 | llamentin-656-2-209.w81-248.abo.wanadoo.fr [81.248.1.209] | The file zahlung.docx is infected with JS/Nemucod.AAP!tr.dldr. | info@post.ch
09.08.2016 | 16:08:59 | comox.a-enterprise.ch [62.12.150.213] | The file rechnung 09_Aug.docm is infected with WM/Obfuscated.V!tr. | m12e@bluewin.ch
09.08.2016 | 15:46:01 | zhhdzmsp-smtp14.bluewin.ch [195.186.136.32] | The file rechnung 09_Aug.docm is infected with WM/Obfuscated.V!tr. | migrol.stans@bluewin.ch
19.07.2016 | 14:45:56 | [189.126.194.34] | The file migros_rechnung.doc is infected with WM/Agent.DWX!tr. | no-reply@migros.ch
19.07.2016 | 14:39:17 | fysiohoevensevld.demon.nl [80.100.200.39] | The file migros_zahlung.doc is infected with WM/Agent.DWX!tr. | no-reply@migros.ch
19.07.2016 | 14:37:47 | [181.49.220.34] | The file migros_quittung.doc is infected with WM/Agent.DWX!tr. | no-reply@migros.ch
19.07.2016 | 14:25:22 | [181.49.220.34] | The file migros_quittung.doc is infected with WM/Agent.DWX!tr. | no-reply@migros.ch
19.07.2016 | 13:47:29 | [181.49.220.34] | The file migros_bestellung.doc is infected with WM/Agent.DWX!tr. | no-reply@migros.ch
20.07.2016 | 17:30:54 | mail.ofekltd.co.il [81.218.132.237] | The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | noreply@paypal.com
20.07.2016 | 16:23:30 | mail.ofekltd.co.il [81.218.132.237] | The file paypal_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | noreply@paypal.com
28.07.2016 | 15:58:43 | ms1.webland.ch [92.43.217.101] | The file copier@asa-spitaeler.ch_20160720076718.docm is infected with WM/Agent.BJC!tr.dldr. | no-reply=23=copier@asa-spitaeler.ch
16.08.2016 | 15:38:36 | fysiohoevensevld.demon.nl [80.100.200.39] | The file dhl_packet_16.08.2016.docx is infected with JS/Nemucod.AAP!tr.dldr. | paket@dhl.com
16.08.2016 | 13:14:02 | [62.152.169.139] | The file dhl_packet_16_08_2016.docx is infected with JS/Nemucod.AAP!tr.dldr. | reply@dhl.com
27.07.2016 | 14:00:52 | expertno-analit-zentr.ch.govorit.ru [89.221.61.75] | The file Paypal_Zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.ch
27.07.2016 | 13:53:50 | expertno-analit-zentr.ch.govorit.ru [89.221.61.75] | The file Paypal_Zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.ch
20.07.2016 | 16:12:32 | host81-137-222-56.in-addr.btopenworld.com [81.137.222.56] | The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.com
20.07.2016 | 15:54:40 | cpc87465-finc19-2-0-cust332.4-2.cable.virginm.net [82.17.37.77] | The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.com
20.07.2016 | 15:20:16 | cpc87465-finc19-2-0-cust332.4-2.cable.virginm.net [82.17.37.77] | The file paypal_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.com
20.07.2016 | 14:41:39 | lmontsouris-657-1-208-29.w80-11.abo.wanadoo.fr [80.11.48.29] | The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@paypal.com
21.07.2016 | 16:38:27 | 166.109.94.80.dynamic.monaco.mc [80.94.109.166] | The file zurich.com_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 16:04:30 | 166.109.94.80.dynamic.monaco.mc [80.94.109.166] | The file zurich.com_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 16:01:00 | 82-137-118-134.ip.btc-net.bg [82.137.118.134] | The file zurich.com_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 15:58:54 | host81-133-60-254.in-addr.btopenworld.com [81.133.60.254] | The file zurich.com_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 15:34:28 | 82-137-118-134.ip.btc-net.bg [82.137.118.134] | The file zurich.com_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 15:08:05 | 166.109.94.80.dynamic.monaco.mc [80.94.109.166] | The file zurich.com_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 14:13:25 | 166.109.94.80.dynamic.monaco.mc [80.94.109.166] | The file zurich.com_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 13:28:41 | mail.aretilaw.com [81.4.136.98] | The file zurich.com_bestellung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 13:16:01 | mail.aretilaw.com [81.4.136.98] | The file zurich.com_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 13:04:58 | 166.109.94.80.dynamic.monaco.mc [80.94.109.166] | The file zurich.com_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
21.07.2016 | 13:00:48 | host81-133-60-254.in-addr.btopenworld.com [81.133.60.254] | The file zurich.com_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | service@zurich.com
26.07.2016 | 11:36:01 | lputeaux-657-1-16-200.w90-63.abo.wanadoo.fr [90.63.199.200] | The file viagogo.com_zahlung.docx is infected with JS/Nemucod.C060!tr.dldr. | ticketalerts@info.viagogo.com
20.07.2016 | 13:17:02 | [81.28.170.24] | The file zoo.ch_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | zoo@zoo.ch
20.07.2016 | 12:54:45 | [81.28.170.24] | The file zoo.ch_quittung.docx is infected with JS/Nemucod.C060!tr.dldr. | zoo@zoo.ch
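The table shows the pattern behind the "spoofed/forged" remark: a Swiss brand in the From address, delivered by a residential or unrelated host abroad. As an added example (not part of the original post), the script below turns rows like these into objects and flags the ones where the connecting host's reverse name does not belong to the From domain. The four rows are copied from the table; the pipe-separated layout and the field names are my own, and it needs PowerShell 3 or later:

```powershell
# Added example, not part of the original post: triage rows like the ones in the
# table above. Rows where the connecting host's reverse DNS name is not under the
# From domain are marked as likely forged. Sample rows are copied from the table;
# the pipe-separated layout is an assumption of this script.

$sampleRows = @'
18.07.2016|17:34:31|host-212-68-196-182.dynamic.voo.be [212.68.196.182]|The file coop.ch_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr.|info@coop.ch
16.08.2016|13:44:58|[62.152.169.139]|The file dhl_bestellung.docx is infected with JS/Nemucod.AAP!tr.dldr.|buro@dhl.com
20.07.2016|17:30:54|mail.ofekltd.co.il [81.218.132.237]|The file paypal_rechnung.docx is infected with JS/Nemucod.C060!tr.dldr.|noreply@paypal.com
09.08.2016|15:46:01|zhhdzmsp-smtp14.bluewin.ch [195.186.136.32]|The file rechnung 09_Aug.docm is infected with WM/Obfuscated.V!tr.|migrol.stans@bluewin.ch
'@

function ConvertFrom-GatewayAlertRow {
    param([string[]]$Row)
    foreach ($line in $Row) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $date, $time, $client, $message, $from = $line -split '\|'

        # Client column: optional reverse DNS name, then the IP in square brackets
        if ($client -match '^(?<rdns>\S*)\s*\[(?<ip>[^\]]+)\]$') {
            $rdns = $Matches['rdns']; $ip = $Matches['ip']
        } else { $rdns = ''; $ip = $client }

        # Message column: "The file <name> is infected with <signature>."
        $file = ''; $sig = ''
        if ($message -match '^The file (?<file>.+?) is infected with (?<sig>\S+?)\.?$') {
            $file = $Matches['file']; $sig = $Matches['sig']
        }

        $fromDomain = ($from -split '@')[-1].ToLower()
        # Simplest forgery check: does the delivering host sit under the sender's domain?
        $hostOwnedBySender = ($rdns -ne '') -and $rdns.ToLower().EndsWith('.' + $fromDomain)

        [pscustomobject]@{
            Date       = $date
            Time       = $time
            ClientIP   = $ip
            ClientRDNS = $(if ($rdns) { $rdns } else { '(no PTR)' })
            File       = $file
            Extension  = [IO.Path]::GetExtension($file).TrimStart('.').ToLower()
            Signature  = $sig
            FromDomain = $fromDomain
            Verdict    = $(if ($hostOwnedBySender) { 'sender domain owns host' } else { 'likely forged sender' })
        }
    }
}

$rows = ConvertFrom-GatewayAlertRow -Row ($sampleRows -split "`r?`n")
$rows | Format-Table Date, Time, ClientIP, ClientRDNS, Extension, Signature, FromDomain, Verdict -AutoSize

# Per abused sender domain: how many distinct hosts delivered the forgeries
$rows | Where-Object { $_.Verdict -eq 'likely forged sender' } |
    Group-Object FromDomain |
    Select-Object Name, Count,
        @{ n = 'DistinctIPs'; e = { ($_.Group | ForEach-Object { $_.ClientIP } | Sort-Object -Unique) -join ', ' } }
```

The bluewin.ch row is the deliberate counter-example: the host does belong to the sender's domain, so this check says nothing, which is what a compromised or abused legitimate account looks like. For those rows only SPF/DKIM/DMARC results from the gateway, not the PTR, tell you anything.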

Exchange: Public Folders / System Folders: which ones should be replicated?

This is a question we see often, and there is a KB article that gives a good overview of which folders come from which version of Exchange.

Sadly, the Microsoft script

.\AddReplicaToPFRecursive.ps1 -server "SBSERVER2" -TopPublicFolder "\non_ipm_subtree" -ServerToAdd "SBSERVER2"

neither follows that KB nor knows what should and should not be replicated.

We had a case where the OLD Exchange 2010 "System Folders" under "\NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1" were replicated from 2010 to a replaced Exchange 2010 DAG member. The customer also had McAfee Security for Exchange 8.5 P1 running, which lets you exclude public folders from mailbox scanning but NOT from the HUB (transport) function. Because we had a file filter for .JS, the replication files triggered an alert.

 

Here is the alert, triggered by the .JS extension of the files replicated from the old Exchange 2000 public folder structure:

Datum/Zeit gesendet: 08/04/2016 03:04:13
Betreffend: Folder Content Backfill Response
Von: PF12@butsch.ch
An: PF13@butsch.ch
Das wurde gemacht: Deleted
Grund: File Filter; File Filter; File Filter; File Filter; File Filter; File Filter; File Filter; File Filter; File Filter; File Filter; File Filter (ctrl_Tree20.js; ctrl_View20.js; dlg_anr.js; dlg_ANR20.js; dlg_gal.js; dlg_GAL20.js; dlg_MoveCopy20.js; dlg_NewFolder20.js; dlg_Options20.js; dlg_recurrence.js; dlg_Recurrence20.js)
Dateigrösse: 329113
Datei/File: ctrl_Tree20.js; ctrl_View20.js; dlg_anr.js; dlg_ANR20.js; dlg_gal.js; dlg_GAL20.js; dlg_MoveCopy20.js; dlg_NewFolder20.js; dlg_Options20.js; dlg_recurrence.js; dlg_Recurrence20.js
Server auf dem dies gemacht wurde: SBBCARGEX22
Task: OnAccess (Transport)
McAfee DAT welches verwendet wurde: 8246.0000


Exchange OLE DB Provider

https://msdn.microsoft.com/en-us/library/aa142634(v=exchg.65).aspx

EXOLEDB Introduction

EXOLEDB creates a number of system folders under the NON_IPM_SUBTREE during the Accept Clients phase of message database (MDB) initialization. Some of the folders remain for historic reasons, but most have useful purposes. If the folders are deleted, it can affect the server. None of these folders should be replicated. The folders that are created include the following:

  • \NON_IPM_SUBTREE\schema-root\
  • \NON_IPM_SUBTREE\schema-root\Default
  • \NON_IPM_SUBTREE\schema-root\Microsoft\
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\controls
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\img
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\views
  • \NON_IPM_SUBTREE\StoreEvents\
  • \NON_IPM_SUBTREE\StoreEvents\GlobalEvents
  • \NON_IPM_SUBTREE\StoreEvents\Internal
  • \NON_IPM_SUBTREE\OWAScratchPad

In all cases, subfolders named with the GUID correspond to the MDB object with the same GUID.

The first folders created are the schema folders.

Schema-Root

The following list introduces the schema-root:

  • \NON_IPM_SUBTREE\schema-root\

    This was introduced in Exchange 2000 Server.

  • \NON_IPM_SUBTREE\schema-root\Default

    This was introduced in Exchange 2000 Server Service Pack 1 (SP1).

  • \NON_IPM_SUBTREE\schema-root\Microsoft\

    This was introduced in Exchange 2000 Server SP1.

  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1

    This was introduced in Exchange 2000 Server SP1.

The following shows a typical schema path for a public MDB:

  • File://.BackOfficeStorage/<domain>/<TLHName>/NON_IPM_SUBTREE/schema-root/microsoft/exchangeV1

The private MDB schema path is under the system attendant mailbox.

EXOLEDB supports multiple schemas, or property type definitions. These folders support the Exchange Web Store development platform. The idea was that folder items could reference various versions of the schema and exist alongside each other. At one point in Exchange 2000 Server, schema files were in the schema root folder, and changes to the schema effectively propagated to all items. Because this led to problems in the application development workspace, where each item needed to be handled to remove or add props as appropriate, Microsoft adopted a versioning method. Under schema-root, Microsoft creates subfolders with application and version elements to allow effectively seamless upgrades. EXOLEDB watches the schema folders for changes, so that it can propagate the entries, dump the schema cache, and repopulate as processing occurs. The \schemaroot\default folder is where normal folder items obtain their schema, and the schema-root folder is flagged as pointing to the ExchangeV1 folder. EXOLEDB populates the schema entries from the .xml files, which are processed by an event sink, EXSCHEMA.EXE. The schema event sink binding cannot be deleted or removed, because it does not have an entry in the EventBindings folder like most events.

EXCHWEB, Views, IMG, and Controls

The following list introduces EXCHWEB, views, IMG, and controls:

  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\controls
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\img
  • \NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1\exchweb\views

Introduced in Exchange 2000 Server SP1, these items were not populated in Exchange 2000 Server Service Pack 3 (SP3), and they are not populated in Exchange Server 2003.

For the local store to open items that reference Microsoft Outlook® Web Access control functionality, the files must be in a folder that can be synchronized. These folders once contained copies of the Web data for Outlook Web Access to allow LIS stored items to open, but have never actually been used outside of LIS.

Next, EXOLEDB starts the event binding system, which creates StoreEvents.

 

StoreEvents

All store event folders described in the following list have been present since Exchange 2000 Server:

  • \NON_IPM_SUBTREE\StoreEvents\
  • \NON_IPM_SUBTREE\StoreEvents\GlobalEvents
  • \NON_IPM_SUBTREE\StoreEvents\Internal

This is the event binding folder, where EXOLEDB stores information on events built to a specific MDB. At startup, EXOLEDB must enumerate the events here, which can lead to long store startup times with large event sink numbers. Exchange Server 2003 performance in this area is greatly improved, but time to mount an MDB is still affected by the number of rows. Each binding is validated for class, having a valid event method, such as onsave or ontimer, valid clsid, and sink parameters. Events with a match class of ANY can only be registered in the GlobalEvents subfolder.

After creating the schema folders and starting the event bindings system, EXOLEDB creates the Outlook Web Access scratch pad.

OWAScratchPad

 

The OWAScratchPad was introduced in Exchange 2000 Server SP1. It appears as follows:

  • \NON_IPM_SUBTREE\OWAScratchPad

Posts have to start out somewhere to have attachments, and for public store logons, that place is the Outlook Web Access scratch pad. Because Distributed Authoring and Versioning (DAV) does not cross MDB operations, you need a point on every mailbox where you can always write posts to, so that you can support adding attachments. The posts are staged in the OWAScratchPad until all attachments are added, or they are saved. The size limit on the Outlook Web Access scratch pad controls the size of attachments that can be added through Outlook Web Access. Attempts to post larger messages should result in the following error:

  • This item exceeds the maximum size defined for this folder and cannot be saved. Contact your administrator to have the folder limits increased.

The size of OWAScratchPad is always reset to 1 megabyte (MB) at EXOLEDB initialization if the registry key HKLM\System\CurrentControlSet\Services\MSExchangeWeb\OWA REG_DWORD value "Message Size Limit" is not set. This is required for Microsoft SharePoint® Portal Server, because EXOLEDB has no idea if you are running in magma mode.

Outlook Web Access posts to the scratch pad are done in flat URL format, meaning they directly reference the folder and message. This is to support deep vroots where the friendly URL might be too long.

EXOLEDB Folders FAQ

Consider the following frequently asked questions (FAQs).

What causes duplicate system folders?

There are two categories for this question:

  • Active Directory objects: When a store is deleted, you have no way to tell Active Directory that the public folder objects went away. Then, when folders are re-created, they do not get attached to the corresponding Directory Service objects. New Directory Service objects are created.
  • Actual folders: If the folders are set to replicate, and the store in question is deleted, EXOLEDB will re-create the folders on startup, and replication can then create a second duplicate of any such folders. This causes problems with event bindings. Deleting the duplicate folders through friendly URLs is dangerous, because the two will often have duplicate friendly URLs.

Why do folders get strange names?

When the number of system folders with the same number grows, a random number is appended to the Directory Service proxy to make it unique, resulting in names like controls12345678.

Why can I not delete folders?

If you were to delete the folders, EXOLEDB would put them back. Also, most of these folders have uses that will adversely affect the operation of the server if not present.

How do I fix missing schema folders?

If schema folders are missing, that is, not present under the ipm subtree, setting the following registry key to a REG_DWORD value of 0, causes the schema to be repopulated:

HKLM\System\CurrentControlSet\MSExchangeIS\Parameters\Schema\<MDBGUID>

What permissions are used on schema folders?

EXOLEDB automatically grants everyone read access to schema folders. This access control list (ACL) could be modified, but would be deleted if schema propagation were re-triggered.

Do you need to replicate those folders when servers are decommissioned?

You do not have to replicate folder content as part of the replicate system folders procedures.
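The KB says none of the EXOLEDB folders should be replicated, but the recursive AddReplica script adds replicas to everything under the top folder you give it. As an added example (not from the original post or the KB), here is a check for an Exchange 2010 Management Shell that lists every folder under \NON_IPM_SUBTREE that currently has more than one replica and marks the ones belonging to the EXOLEDB system folders; the server name and the database name in the undo line are assumptions:

```powershell
# Added example (not from the original post or the KB): show which folders under
# \NON_IPM_SUBTREE have more than one replica, and mark those that belong to the
# EXOLEDB system folders the KB says must never be replicated. Exchange 2010
# Management Shell (PowerShell 2 compatible); the server name is an assumption.

$exoledbRoots = '\NON_IPM_SUBTREE\schema-root', '\NON_IPM_SUBTREE\StoreEvents', '\NON_IPM_SUBTREE\OWAScratchPad'

function Get-ReplicatedNonIpmFolder {
    param([string]$Server = 'SBSERVER2')
    Get-PublicFolder -Server $Server -Identity '\NON_IPM_SUBTREE' -Recurse -ResultSize Unlimited |
        Where-Object { $_.Replicas.Count -gt 1 } |
        ForEach-Object {
            $path = $_.Identity.ToString()
            $isExoledb = $false
            foreach ($root in $exoledbRoots) {
                if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $isExoledb = $true }
            }
            New-Object PSObject -Property @{
                Identity      = $path
                ReplicaCount  = $_.Replicas.Count
                Replicas      = ($_.Replicas | ForEach-Object { $_.Name }) -join ', '
                ExoledbFolder = $isExoledb
            }
        }
}

Get-ReplicatedNonIpmFolder |
    Sort-Object ExoledbFolder -Descending |
    Format-Table Identity, ReplicaCount, Replicas, ExoledbFolder -AutoSize

# Undo for a single EXOLEDB folder, once verified: keep only the database it was created on.
# The database name is a placeholder.
# Set-PublicFolder -Identity '\NON_IPM_SUBTREE\schema-root\Microsoft\exchangeV1' -Replicas 'PF-DB-on-original-server'
```

Run the check before and after a migration step; anything with ExoledbFolder = True and more than one replica is what produced the McAfee file-filter alert above, because the replication traffic carries the old exchweb .js files through the transport scanner.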

For More Information

For more information, see the following Exchange blog entry:

Exchange: Addresslist and Dynamic Distribution Groups in Shell

All you need are working samples, not thousands of lists and TechNet articles. So here are some Exchange PowerShell commands we use daily.

Maybe you first want a list of all fields so you can choose one to use for the filter.

Get all user info from a certain OU

Starting OU would be:

 

OU=Active,OU=Users_W7,OU=BUTSCH,DC=butsch,DC=ch

Get-ADUser -filter * -SearchBase "OU=Active,OU=Users_W7,OU=BUTSCH,DC=butsch,DC=ch" -Properties * | select-object givenname, sn, displayname, description,office, streetaddress,city,st,postalcode,country, title, Department, company | ConvertTo-Csv -NoTypeInformation

 

Exchange 2010 Addresslist and Dynamic Distribution Groups (E-Mail Distribution)

 

Exchange 2010 Addresslist

Generate an Exchange address list with a starting OU and an OPATH filter for CITY and STREET

new-AddressList -Name 'Mitarbeiter Nestle Suisse – W110' -RecipientContainer 'butsch.ch/BUTSCH/Users_W7/Active' -IncludedRecipients 'MailboxUsers' -Container '\' -DisplayName 'Mitarbeiter Nestle Suisse – W110'

set-Addresslist -identity 'Mitarbeiter Nestle Suisse – W110' -RecipientFilter {(ObjectClass -eq 'user' -and City -eq 'Lausanne' -and StreetAddress -eq 'Roberstenstrasse 133' )}

 

Remark: Do NOT try to add additional GAL address lists, because they will appear in the ROOT of the address book. You cannot filter on everything a regular address list can, and you will be limited when you migrate them to later Exchange versions.

Dynamic Distribution Groups

 

Generate an Exchange dynamic distribution group with a starting OU and an OPATH filter for CITY and STREET

This generates a DynamicDistributionGroup located in 'butsch.ch/BUTSCH/Groups/Mail' that lists all members of the OU 'butsch.ch/BUTSCH/Users_W7/Active'. With the second command we filter so that ONLY the employees whose City and StreetAddress fields have a certain value are shown.

This is a TWO-part procedure and it ONLY works as two commands. Forget trying to do it in one.

 

new-DynamicDistributionGroup -Name 'Alle Mitarbeiter Nestle Suisse' -RecipientContainer 'butsch.ch/BUTSCH/Users_W7/Active' -IncludedRecipients 'MailboxUsers' -OrganizationalUnit 'butsch.ch/BUTSCH/Groups/Mail' -Alias 'Alle_Mitarbeiter_Nestle Suisse'

 

set-DynamicDistributionGroup "Alle Mitarbeiter Nestle Suisse" -RecipientFilter {(ObjectClass -eq 'user' -and City -eq 'Lausanne' -and StreetAddress -eq 'Roberstenstrasse 133' )}
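Both the address list and the dynamic group above stand or fall with the OPATH filter, so it pays to see what it matches before and after creation. As an added example (not part of the original post), the following dry run uses the post's own filter, OU and group name; Get-Recipient accepts the same OPATH syntax through -Filter, and -RecipientPreviewFilter shows the live membership of an existing dynamic group:

```powershell
# Added example, not part of the original post: verify what an OPATH recipient
# filter matches before creating the address list / dynamic group, and compare
# with the live membership afterwards. Filter, OU and group name are the post's.

$filter = "(ObjectClass -eq 'user' -and City -eq 'Lausanne' -and StreetAddress -eq 'Roberstenstrasse 133')"
$ou     = 'butsch.ch/BUTSCH/Users_W7/Active'

# 1) Dry run before creating anything: who would be matched?
$preview = Get-Recipient -Filter $filter -OrganizationalUnit $ou -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' } |
    Select-Object Name, PrimarySmtpAddress, City, StreetAddress
$preview | Format-Table -AutoSize
"{0} mailboxes would be members" -f @($preview).Count

# 2) After new-/set-DynamicDistributionGroup: what does Exchange actually expand?
$ddg = Get-DynamicDistributionGroup -Identity 'Alle Mitarbeiter Nestle Suisse'
$live = Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter -OrganizationalUnit $ddg.RecipientContainer |
    Select-Object Name, PrimarySmtpAddress

# 3) Anyone in the dry run who is missing from the live expansion (typo in the city
#    or street value, user outside the RecipientContainer) shows up here.
Compare-Object -ReferenceObject @($preview) -DifferenceObject @($live) -Property PrimarySmtpAddress
```

Note that Set-DynamicDistributionGroup rewrites the filter you typed into its own canonical form (RecipientFilter on the object will look longer than what you entered); that is expected and is why step 2 reads the stored filter back instead of reusing $filter.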

 

If you want to change the FIELD you filter on, check:

Filterable properties for the -RecipientFilter parameter

https://technet.microsoft.com/de-de/library/bb738157(v=exchg.150).aspx

Manage the Members of Distribution Groups

https://technet.microsoft.com/en-us/library/hh859493(v=exchg.141).aspx

Upgrade Custom LDAP Filters to OPATH Filters

https://technet.microsoft.com/en-us/library/cc164375(v=exchg.141).aspx

 

Exchange 2013: 451 4.7.0 Temporary Server errors. Please Try Again Later. PRX

Problem: Exchange 2013 mail is stuck and cannot be delivered to other Exchange 2013 servers or to the WAN.

Error you see: 451 4.7.0 Temporary Server error. Please Try Again Later. PRX

 

 

This is related to a DNS resolution bug. Solving it may involve the "old days" HOSTS file ;-)

  1. Check name resolution with nslookup
  2. Check that your Exchange server has two correct DNS servers on the OS NIC (one alone does not solve it); use an external one if you don't have two DCs
  3. Change the Default Frontend connector to use a fixed IP address
  4. Change the Exchange server itself to use fixed DNS servers
  5. Add the Exchange server to the c:\windows\system32\drivers\etc\hosts file as short name and FQDN (see below)

Start ECP, go to Message Flow and change the Default Frontend YOURSERVERNAME receive connector (with the pencil). Down below, change "All unassigned" to your Exchange 2013 server's IPv4 address.

Change the DNS that Exchange USES (make it hard-coded):

  • In the upper box: the one or two internal DNS servers, and maybe 8.8.8.8 or your provider's uplink DNS
  • In the lower box: your one or two internal DNS servers

 

This MAY sound confusing, but sometimes there is no other way:

Adapt the HOSTS file (do this from CMD so you find it ;-) ). Add or change the HOSTS file to:

192.168.X.X Yourexchange2013            [sample: 192.168.1.20 exc2013-16cas]

192.168.X.X YourexchangeFQDNname        [sample: 192.168.1.20 exc2013-16cas.butsch.ch]
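Steps 3 to 5 can also be done from the Exchange 2013 Management Shell, which is easier to repeat on a second server and to document. The following is an added example, not part of the original post; the server name, FQDN and all IP addresses are placeholders and the connector identity follows the default naming ("Default Frontend <server>"):

```powershell
# Added example, not from the original post: steps 3-5 of the fix done from the
# Exchange 2013 Management Shell instead of ECP and Notepad. Names and IPs are
# placeholders; run in an elevated shell (the hosts file is protected).

$exchangeName = 'exc2013-16cas'
$exchangeFqdn = 'exc2013-16cas.butsch.ch'
$exchangeIp   = '192.168.1.20'
$internalDns  = '192.168.1.10', '192.168.1.11'    # your one or two DCs
$externalDns  = '192.168.1.10', '8.8.8.8'         # internal first, then provider/public resolver

# Step 3: bind the Default Frontend receive connector to the IPv4 address instead of "All unassigned".
# NOTE: -Bindings replaces the whole list, so the [::]:25 IPv6 binding is dropped here on purpose.
Set-ReceiveConnector -Identity "$exchangeName\Default Frontend $exchangeName" -Bindings "$($exchangeIp):25"

# Step 4: stop both transport services from taking DNS from the adapter; pin the servers instead.
foreach ($cmd in 'Set-TransportService', 'Set-FrontendTransportService') {
    & $cmd -Identity $exchangeName `
        -InternalDNSAdapterEnabled $false -InternalDNSServers $internalDns `
        -ExternalDNSAdapterEnabled $false -ExternalDNSServers $externalDns
}

# Step 5: hosts entries for short name and FQDN, added only if not already present.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$existing  = Get-Content -Path $hostsPath
foreach ($name in $exchangeName, $exchangeFqdn) {
    $already = $existing | Where-Object { $_ -match "^\s*\d+\.\d+\.\d+\.\d+\s+$([regex]::Escape($name))\s*$" }
    if (-not $already) { Add-Content -Path $hostsPath -Value "$exchangeIp`t$name" }
}

# Step 1 again, to confirm: resolution is now consistent and the DNS settings are stored.
Resolve-DnsName -Name $exchangeFqdn -Type A | Select-Object Name, IPAddress
Get-TransportService -Identity $exchangeName | Format-List *DNS*
Get-ReceiveConnector -Identity "$exchangeName\Default Frontend $exchangeName" | Format-List Bindings
```

Restart the MSExchangeTransport and MSExchangeFrontEndTransport services after the change, then watch the queue with Get-Queue; the 451 4.7.0 PRX entries should drain once the proxy can resolve the next hop.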

 

 

Exchange: PowerShell to list all users who have a forward or redirect active

 

Problem:

In Exchange 2010, users are able to forward e-mail themselves to an external private account. This is a compliance problem, especially if you don't have DLP (Data Loss Prevention).

There are ways to prevent this (with a mail control rule, i.e. a transport rule) or with an RBAC permission set. However, some technical accounts that HAVE to copy mail externally may then also be affected. See the end of this post for a solution, or at least a direction to go.

 

This is what we are talking about in the Exchange 2010 GUI.

Here is how to find out which users in the organization have such a forward or redirect active.

PowerShell commands:

Forwards

foreach ($i in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.ForwardTo} | fl MailboxOwnerID,Name,ForwardTo >> d:\edv\exchange_Forward.txt }

Redirects

foreach ($i in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.ReDirectTo} | fl MailboxOwnerID,Name,RedirectTo >> d:\edv\exchange_Redirect.txt }

Another query, which does not catch everything:

Get-Mailbox | Where {$_.ForwardingAddress -ne $null} | Select Name, ForwardingAddress, DeliverToMailboxAndForward
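The three queries above each see a different mechanism (inbox rules that forward, inbox rules that redirect, mailbox-level forwarding) and none of them distinguishes an internal target from an external one. As an added example (not part of the original post), here is a single pass that combines them and reports only targets outside your accepted domains; it is written for an Exchange 2010 Management Shell and the output path is a placeholder:

```powershell
# Added example, not from the original post: one pass over all mailboxes that combines
# the queries above (inbox rules that forward, forward-as-attachment or redirect, plus
# mailbox-level forwarding) and keeps only targets outside the accepted domains.
# Exchange 2010 Management Shell (PowerShell 2 compatible); output path is a placeholder.

$acceptedDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

function Test-ExternalTarget {
    # Inbox-rule targets look like '"Name" [SMTP:user@example.com]', mailbox
    # ForwardingSmtpAddress looks like 'smtp:user@example.com'. Returns $true when
    # the SMTP domain is not one of our accepted domains.
    param([string]$Target)
    if ($Target -match 'SMTP:([^\]\s>]+)') { $address = $Matches[1] } else { $address = $Target }
    if ($address -notmatch '@') { return $false }    # internal recipient object, no SMTP address
    $domain = ($address -split '@')[-1].ToLower()
    return -not ($acceptedDomains -contains $domain)
}

$findings = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    # Mailbox-level forwarding (what the last query above looks at)
    $targets = @()
    if ($mbx.ForwardingSmtpAddress) { $targets += $mbx.ForwardingSmtpAddress.ToString() }
    if ($mbx.ForwardingAddress) {
        $targets += (Get-Recipient -Identity $mbx.ForwardingAddress.ToString()).PrimarySmtpAddress.ToString()
    }
    foreach ($t in $targets) {
        if (Test-ExternalTarget $t) {
            New-Object PSObject -Property @{ Mailbox = $mbx.PrimarySmtpAddress.ToString(); Kind = 'MailboxForwarding'; Rule = ''; Target = $t }
        }
    }
    # Inbox rules (what the first two queries look at), all three target kinds
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.DistinguishedName -ErrorAction SilentlyContinue)) {
        $ruleTargets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $ruleTargets) {
            if ($t -and (Test-ExternalTarget $t.ToString())) {
                New-Object PSObject -Property @{ Mailbox = $mbx.PrimarySmtpAddress.ToString(); Kind = 'InboxRule'; Rule = $rule.Name; Target = $t.ToString() }
            }
        }
    }
}

$findings | Select-Object Mailbox, Kind, Rule, Target | Sort-Object Mailbox |
    Export-Csv -Path 'd:\edv\exchange_external_forwards.csv' -NoTypeInformation -Encoding UTF8
```

Keep the resulting CSV as the whitelist input for the RBAC approach below: the technical accounts that legitimately must copy mail externally are exactly the rows you expect to see, and anything else is a compliance finding.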

https://blogs.technet.microsoft.com/lystavlen/2012/04/10/how-to-prevent-internal-users-from-autoforwaring-mails-to-external-recipients/

Prevent with RBAC (from Sike Fogarty, BPOS Support)

  1. New-ManagementRole -Name "Disable-Auto-Forward" -Parent MyBaseOptions
     Set-ManagementRoleEntry "Disable-Auto-Forward\Set-Mailbox" -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress -RemoveParameter
     Set-ManagementRoleEntry "Disable-Auto-Forward\New-InboxRule" -Parameters ForwardAsAttachmentTo,ForwardTo,RedirectTo -RemoveParameter

  2. Sign into the EAC, click on Permissions > User Roles > click on the plus sign to add an additional Role Assignment Policy, naming it whatever you want, and under MyBaseOptions you will see the Disable-Auto-Forward option that you will want to place a check mark in. Save the Role Assignment Policy.

  3. Assign the Role Assignment Policy to the user(s) desired.