Exchange 2013 SPAM

Hello Everybody,

I have Exchange Server 2013 standard version and I have at least 10000 emails in my queue, and I know that it's spam. I need to know which user is being used to send spam from my server. In Exchange 2007 I have diagnostic logging. How do I enable the diagnostic logging on Exchange 2013 with Authentication?

Thanks

                 

March 1st, 2015 7:53am

Hi Syed 

That's a good question

Probably setting  this could help us to see if it gives any information 

Set-EventLogLevel -Identity "Exchange01\MSExchangeTransport\SmtpReceive" -Level High

Set-EventLogLevel -Identity "Exchange01\MSExchangeTransport\MSExchange Antispam\General" -Level High

March 1st, 2015 10:00am

Thanks, and previously we used to check the logs in Event Viewer with the event ID 1708. How do I see the logs here?
March 1st, 2015 10:04am

With events, I really don't know whether we have it in Exchange 2013.

Possibly check your tracking logs filtered in an Excel sheet; they show "from" addresses in readable format, and you can also filter the subject to know you're getting the right compromised account.

March 1st, 2015 10:48am

Hello

tip: Get-MessageTrackingLog -recipient "one of spam address" |fl OriginalClientIp

March 1st, 2015 11:04am

Thanks, I need to know from which user the mail has been relayed, as the IP address is an external one.
March 1st, 2015 11:12am

Hello

If users use Outlook Anywhere, check the IIS log; if users use SMTP, check the SMTP receive connector log.

March 1st, 2015 11:45am

Diagnostic logging was very easy in previous versions of Exchange; it's much too complicated now in Exchange 2013. I want exactly the below, which we used to perform in Exchange 2003:

  1. Start ESM.
  2. Expand Servers and then right click on your server and choose Properties.
  3. Click on the "Diagnostic Logging" tab.
  4. In the list of "Services" on the right, find "MSExchangeTransport".
  5. In the resulting list choose "SMTP Protocol".
  6. Below the list, change the "Logging Level" to Maximum and click Apply.
  7. Repeat for "Authentication"
  8. Press Apply/OK to close Server Properties.

How can I do the above in Exchange 2013?

March 1st, 2015 12:32pm

Hi,

Protocol logging records the SMTP conversations that occur between messaging servers as part of message delivery. You can use protocol logging to diagnose mail flow problems. For more information about Protocol logging in Exchange 2013, please refer to:

https://technet.microsoft.com/en-us/library/aa997624(v=exchg.150).aspx

We can use the Exchange admin center (EAC) to enable or disable protocol logging for Send connectors and Receive connectors in the Transport service on Mailbox servers, and for Receive connectors in the Front End Transport service on Client Access servers. Protocol logging is enabled or disabled on each individual connector. To configure it, please refer to:

https://technet.microsoft.com/en-us/library/bb124531(v=exchg.150).aspx

Regards,

March 2nd, 2015 8:01am

I am not convinced by your answer. The problem is I am having spam in my outgoing queue, which is 10000 at the moment. I need to know which user is authenticated and sending the mails.

March 2nd, 2015 8:39am

No updates till today?
March 3rd, 2015 5:42am

@moderators, don't propose the answers until the thread owner is satisfied with the answer. I am clearly mentioning my problem but no answer till today?
March 5th, 2015 2:56am

Hi,

This is a quick note to let you know that I am trying to involve someone familiar with this topic to further look at this issue. Please wait for the updates and thanks for your understanding.

Regards,

March 8th, 2015 5:11am

Thanks Winnie, but it's too late now. I think you should involve the Exchange team to look into the case, as a lot of users are asking the same question and the answer is still pending.

Thanks

March 8th, 2015 5:19am

Dear Syed,

The event will be triggered only in Exchange 2000/2003 if we enable diagnostic logging.

From Exchange 2007 we can search for the authenticated user only through the receive connector protocol log, as far as I know.

In receive connector protocol log search for Authenticated\$

If you find any accounts, then those should be the compromised accounts.

Also, I completely agree with you, Syed, why this event logging has been stopped from 2007, which is difficult for admins like us :)

March 8th, 2015 5:26am

Satish thanks for the reply, I think since you are an Exchange MVP you can reach out to the product team and ask them the question, I am sure they should help us.
March 8th, 2015 5:31am

@Moderator, 2 days gone?? Have you managed to get the answer yet?
March 10th, 2015 7:40am

No reply yet???
March 15th, 2015 5:39am

@Moderators!!!!!

Still no reply, 2 MVPs are striving to get the answers?

 

March 23rd, 2015 6:58am

I agree with Sathish, in Exchange 2013, we could only check the message property in queue first and then try locating the same spam message from SMTP receive connector logs on the same date to see if we could find the compromised accounts.
March 24th, 2015 9:19am
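
Added example (not part of any reply in this thread, and not Microsoft's code): the approach described in the March 8th and March 24th replies, summarising which accounts authenticated to a receive connector from its protocol log. The sample log lines are constructed, `Get-SmtpAuthSummary` is a hypothetical helper name, and the log layout (a `*` event whose data field holds the account and whose context is `authenticated`) is an assumption to check against the `#Fields:` header of your own logs.

```powershell
# Constructed sample of an SMTP receive protocol log (not real data).
$sample = @'
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2015-03-01T07:41:02.113Z,EXCHANGE01\Client Frontend EXCHANGE01,08D2219C0A1B0001,6,10.0.0.5:587,203.0.113.45:51234,>,235 2.7.0 Authentication successful,
2015-03-01T07:41:02.114Z,EXCHANGE01\Client Frontend EXCHANGE01,08D2219C0A1B0001,7,10.0.0.5:587,203.0.113.45:51234,*,CONTOSO\jsmith,authenticated
2015-03-01T07:41:09.530Z,EXCHANGE01\Client Frontend EXCHANGE01,08D2219C0A1B0002,7,10.0.0.5:587,198.51.100.7:40022,*,CONTOSO\jsmith,authenticated
2015-03-01T07:42:11.002Z,EXCHANGE01\Client Frontend EXCHANGE01,08D2219C0A1B0003,7,10.0.0.5:587,10.0.0.23:49800,*,CONTOSO\akhan,authenticated
'@ -split "`r?`n"

function Get-SmtpAuthSummary {
    param([Parameter(Mandatory)][string[]]$Line)

    # Column names as assumed above; compare with the "#Fields:" line of a real log.
    $fields = 'date-time','connector-id','session-id','sequence-number',
              'local-endpoint','remote-endpoint','event','data','context'

    $Line |
        Where-Object { $_ -and $_ -notmatch '^#' } |   # skip blank and header lines
        ConvertFrom-Csv -Header $fields |
        Where-Object { $_.event -eq '*' -and $_.context -eq 'authenticated' } |
        Group-Object -Property data |                  # data = authenticated account
        ForEach-Object {
            # Strip the source port so one client IP is counted once.
            $ips = @($_.Group |
                ForEach-Object { $_.'remote-endpoint' -replace ':\d+$', '' } |
                Sort-Object -Unique)
            [pscustomobject]@{
                User      = $_.Name
                Sessions  = @($_.Group | Select-Object -ExpandProperty 'session-id' -Unique).Count
                RemoteIPs = $ips -join ', '
                FirstSeen = ($_.Group | Sort-Object 'date-time' | Select-Object -First 1).'date-time'
            }
        } |
        Sort-Object -Property Sessions -Descending
}

# An account with many sessions from several external IPs is the one to review first.
Get-SmtpAuthSummary -Line $sample | Format-Table -AutoSize

# Against real logs (default Front End Transport location; adjust if the path was changed):
# $logs = Get-ChildItem "$env:ExchangeInstallPath\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log"
# Get-SmtpAuthSummary -Line ($logs | Get-Content) | Format-Table -AutoSize
```

These lines are only written when protocol logging is enabled on the connector, for example with `Set-ReceiveConnector -ProtocolLoggingLevel Verbose`.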

I will try checking this and reply back to you.
March 24th, 2015 9:40am

Hi Syed,

Do we have any update on this issue? Please feel free to let us know if there is anything we can help with. Thank you.

April 7th, 2015 2:09am

This topic is archived. No further replies will be accepted.
