Hello, is there a way to track the originating PC(client hostname, ip, time, etc) for specific messages in Exchange 2003?. message tracking center is useless as it only includes exchange side logs that simply tell me that the mail is there and delivered, smtp logs are equally useless as workstations use outlook. I've been trying to found a log setting or something that provides true end-to-end mailflow visualization but found a complete lack of it. I'm having a problem with unwanted rogue mails that apparently originate from a certain mailbox(that's an alias for a dist. list btw) but no trace of them exist on the machine that has that alias associated(in the from).

On Wed, 9 Feb 2011 13:57:44 +0000, Eliminateur wrote: >is there a way to track the originating PC(client hostname, ip, time, etc) for specific messages in Exchange 2003?. > >message tracking center is useless as it only includes exchange side logs that simply tell me that the mail is there and delivered, smtp logs are equally useless as workstations use outlook. > >I've been trying to found a log setting or something that provides true end-to-end mailflow visualization but found a complete lack of it. That's about the size of it. >I'm having a problem with unwanted rogue mails that apparently originate from a certain mailbox(that's an alias for a dist. list btw) What does that mean? >but no trace of them exist on the machine that has that alias associated(in the from). If they aren't coming from a SMTP client then the sender must have "Send As" permission on the mailbox that is the originator. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

Rich, i'm pretty dissapointed that a enterprise-level mail server solution does not have complete end-to-end mailflow tracing, a huge security gaping hole. What's the point of using MAPI when it's untraceable(oh well, i can think of interesting uses of that aspect) Every day a huge chunk of mails are originating from a mailbox alias(user has a mail alias and uses send as), smtp gateway logs show them all outgoing to a large portion of the address lists, the machine that has the outlook client that uses the alias does not has those mails in the sent folder. i need to trace where those mails have originated in the LAN: IP + hostname, username, mail client ad version, etc

have you tried Exmon?

On Fri, 11 Feb 2011 17:18:27 +0000, Eliminateur wrote: >i'm pretty dissapointed that a enterprise-level mail server solution does not have complete end-to-end mailflow tracing, a huge security gaping hole. Expressing your disappointment to me isn't going to help. I don't work for MS. >What's the point of using MAPI when it's untraceable(oh well, i can think of interesting uses of that aspect) While the machine may not be identifiable, the sender is. You can also run ExMon and get the client-provided information (including the IP address). You can also try "get-logonstatistics". The "clientipaddress" is listed in the output. >Every day a huge chunk of mails are originating from a mailbox alias(user has a mail alias and uses send as), Okay -- who else has that person's password? It's either generated by the account that 'owns' the mailbox or from the person that has the "Send As" permission, and you know who they are. --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

Hi Eliminateur, Agree with Rich. In Exchange 2007 and Exchange 2010, you can use command “get-logonstatics” to list the “clientipaddress”. You can get more information from this document: Get-LogonStatistics http://technet.microsoft.com/en-us/library/bb124415(EXCHG.80).aspx In Exchange 2003, if you want to know the “clientipadreess” you can use ExMon, it will list of all distinct IP address that are used by MAPI clients. Here are some related links for you: Microsoft Exchange Server User Monitor http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=9a49c22e-e0c7-4b7c-acef-729d48af7bc9 Microsoft Exchange Server User Monitor http://technet.microsoft.com/en-us/library/bb508855(EXCHG.65).aspx Introducing the Microsft Exchange User Monitor (Exmon) tool http://msexchangeteam.com/archive/2005/04/06/403409.aspx Thanks, EvanPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.