Track who sent email to a particular domain
Exchange 2007

I need to find out who is sending email to a specific domain. What is the best way to accomplish this?
August 12th, 2009 8:24pm

Hi,

Create a transport rule which monitors all outgoing traffic to the specific domain. Assign it the action to send a BCC to a specified address. Keep in mind that you will need to inform your users that you're doing this kind of stuff.

Regards,
Johan
blog: www.johanveldhuis.nl
August 12th, 2009 9:28pm

Have you enabled/tried the built-in Exchange Message Tracking?

To enable it (it is enabled by default on Hub Transport and Edge servers, but just in case):
1. Open the Exchange 2007 Management Console
2. Go to Server Config
3. Highlight your Hub Transport or Edge server > Right Click > Properties
4. Go to Log Settings
5. Check 'Enable Message Tracking Logging' (here you can also change the default logging path to a drive other than C: if needed)

To track messages:
1. Open the Exchange 2007 Management Console
2. Go to Toolbox > Message Tracking and follow the wizard.

If you have a spam filter provider handling your incoming/outgoing mail you could use their tracking system or ask them to track the messages to that particular domain for you.

Hope that helps.

Cheers,
Maxim
August 12th, 2009 9:31pm

Thanks for your response Johan. Is there a way to determine who has sent email to a particular domain if there wasn't already a rule in place? Your suggestion about notifying users of this sort of action is duly noted. However, at this time I'm not interested in seeing the content of their messages, only who sent to that domain. We are investigating some potentially suspicious activity. Notifying users that we are monitoring messages would tip them off and I'm sure the activity would stop. I need to see who, if anyone, has sent to this domain over the past couple of weeks.

Trust me when I say, I take the privacy of our users very seriously. The only thing I take more seriously is protecting the security of my company.

Kind Regards,
Roger
August 12th, 2009 9:40pm

Thanks Maxim,

I have tried to use the EMT; the problem is it wants a complete email address. It won't let me use just the domain name or a wildcard. For example, in the "Recipients" field I've tried to use contoso.com, @contoso.com, *contoso.com or *@contoso.com. None of these work. I have to use user@contoso.com for it to work successfully.

Any ideas?

Much appreciated.
August 12th, 2009 9:48pm

Try this, in EMS:

Get-MessageTrackingLog -Server <HT> -ResultSize Unlimited | Where-Object {$_.Recipients -like "*@contoso.com" -AND $_.EventId -eq "Send"}
August 12th, 2009 10:50pm

Thanks Karl, I tried your suggestion replacing <HT> with "servername" and replacing contoso.com with the domain I'm trying to find. But when I hit enter I just get >>
August 12th, 2009 11:52pm

Never mind. I left out a "

Thank you very much!! That worked!!
August 12th, 2009 11:53pm

Of course, if you have multiple Hub Transports, you will have to run the command multiple times :)

I could give you another example that will run it for multiple HTs.

Karl
August 13th, 2009 12:09am

Thanks, but fortunately we only have one. How does this query determine what date range to run? Does it just go through all the logs? Looks like there's about a month's worth.

Roger
August 13th, 2009 12:23am

Yes, it goes through all the logs.

Do a Get-Help Get-MessageTrackingLog -Detailed and look at the -Start parameter :)

Karl
August 13th, 2009 12:40am
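The thread stops at the hint to use -Start. The script below is an added example, not something posted in the thread, that puts the pieces together for the Exchange 2007 Management Shell: it bounds the search to a date range with -Start/-End, loops over every Hub Transport server (Karl's "multiple HTs" case), matches the recipient domain with a wildcard the way Karl's one-liner does, and then answers the actual question ("who sent") by grouping the hits by sender. The domain, the 14-day window and the CSV path are placeholders I chose; replace them for your environment.

```powershell
# Added example (not from the original thread): find every message sent to a
# given domain across all Hub Transport servers within a date range, then
# summarise by sender. Run from the Exchange 2007 Management Shell.
# Assumptions: Exchange View-Only Administrator rights on each server; the
# domain, the 14-day window and the export path below are placeholders.

$Domain = "contoso.com"              # placeholder: domain under investigation
$Start  = (Get-Date).AddDays(-14)    # "past couple of weeks", as in the thread
$End    = Get-Date

# Enumerate Hub Transport servers instead of hard-coding one server name.
$HubServers = Get-ExchangeServer |
    Where-Object { $_.IsHubTransportServer } |
    ForEach-Object { $_.Name }

$Hits = foreach ($Server in $HubServers) {
    # -Start/-End limit the search to the window; -EventId SEND keeps only the
    # entries where the hub handed the message to the next SMTP hop.
    Get-MessageTrackingLog -Server $Server -Start $Start -End $End `
        -EventId SEND -ResultSize Unlimited |
    Where-Object {
        # Recipients is an array. "-like" applied to an array returns only the
        # matching elements, so a non-empty result means at least one
        # recipient is in the domain (an empty array evaluates to $false).
        ($_.Recipients -like "*@$Domain")
    } |
    Select-Object Timestamp, Sender,
        @{ Name = "MatchedRecipients"
           Expression = { ($_.Recipients -like "*@$Domain") -join ";" } },
        MessageSubject, ServerHostname
}

# The question was "who sent to that domain", so group by envelope sender.
# Subject and recipients stay in $Hits for follow-up without re-running the
# search.
$Hits |
    Group-Object Sender |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Preserve the raw hits for the investigation record (placeholder path).
$Hits | Export-Csv -Path ".\sent-to-$Domain.csv" -NoTypeInformation
```

Two caveats a practitioner would want. First, tracking logs are only retained for a limited time (MessageTrackingLogMaxAge on the transport server, 30 days by default), which is why Roger sees "about a month's worth"; if the window of interest is older than that, the evidence is already gone and a transport rule, as Johan suggested, is the only way to capture it going forward. Second, the Sender field is the envelope (P1) sender recorded by the transport service, not the From: header, so it reflects the authenticated or connecting sender rather than what a user typed in the From field.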
