Tracking internal email source
Hello,
Is there a way to track the originating PC (client hostname, IP, time, etc.) for specific messages in Exchange 2003?
Message Tracking Center is useless as it only includes Exchange-side logs that simply tell me that the mail is there and delivered; SMTP logs are equally useless as workstations use Outlook.
I've been trying to find a log setting or something that provides true end-to-end mailflow visualization but found a complete lack of it.
I'm having a problem with unwanted rogue mails that apparently originate from a certain mailbox (that's an alias for a dist. list, btw) but no trace of them exists on the machine that has that alias associated (in the From).
February 9th, 2011 9:06am
On Wed, 9 Feb 2011 13:57:44 +0000, Eliminateur wrote:
>Is there a way to track the originating PC (client hostname, IP, time, etc.) for specific messages in Exchange 2003?
>
>Message Tracking Center is useless as it only includes Exchange-side logs that simply tell me that the mail is there and delivered; SMTP logs are equally useless as workstations use Outlook.
>
>I've been trying to find a log setting or something that provides true end-to-end mailflow visualization but found a complete lack of it.
That's about the size of it.
>I'm having a problem with unwanted rogue mails that apparently originate from a certain mailbox (that's an alias for a dist. list, btw)
What does that mean?
>but no trace of them exists on the machine that has that alias associated (in the From).
If they aren't coming from a SMTP client then the sender must have
"Send As" permission on the mailbox that is the originator.
---
Rich Matheisen
MCSE+I, Exchange MVP
February 9th, 2011 7:56pm
Rich,
I'm pretty disappointed that an enterprise-level mail server solution does not have complete end-to-end mailflow tracing, a huge gaping security hole.
What's the point of using MAPI when it's untraceable? (Oh well, I can think of interesting uses of that aspect.)
Every day a huge chunk of mails originates from a mailbox alias (user has a mail alias and uses Send As). SMTP gateway logs show them all outgoing to a large portion of the address lists; the machine that has the Outlook client that uses the alias does not have those mails in the Sent folder.
I need to trace where those mails originated in the LAN: IP + hostname, username, mail client and version, etc.
February 11th, 2011 12:25pm
Have you tried ExMon?
February 11th, 2011 1:27pm
On Fri, 11 Feb 2011 17:18:27 +0000, Eliminateur wrote:
>I'm pretty disappointed that an enterprise-level mail server solution does not have complete end-to-end mailflow tracing, a huge gaping security hole.
Expressing your disappointment to me isn't going to help. I don't work
for MS.
>What's the point of using MAPI when it's untraceable? (Oh well, I can think of interesting uses of that aspect.)
While the machine may not be identifiable, the sender is. You can also
run ExMon and get the client-provided information (including the IP
address).
You can also try "get-logonstatistics". The "clientipaddress" is
listed in the output.
>Every day a huge chunk of mails originates from a mailbox alias (user has a mail alias and uses Send As),
Okay -- who else has that person's password? It's either generated by
the account that 'owns' the mailbox or from the person that has the
"Send As" permission, and you know who they are.
---
Rich Matheisen
MCSE+I, Exchange MVP
February 11th, 2011 10:03pm
Hi Eliminateur,
Agree with Rich.
In Exchange 2007 and Exchange 2010, you can use the command “Get-LogonStatistics” to list the “clientipaddress”.
You can get more information from this document:
Get-LogonStatistics
http://technet.microsoft.com/en-us/library/bb124415(EXCHG.80).aspx
In Exchange 2003, if you want to know the “clientipaddress” you can use ExMon; it will list all distinct IP addresses that are used by MAPI clients.
Here are some related links for you:
Microsoft Exchange Server User Monitor
http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=9a49c22e-e0c7-4b7c-acef-729d48af7bc9
Microsoft Exchange Server User Monitor
http://technet.microsoft.com/en-us/library/bb508855(EXCHG.65).aspx
Introducing the Microsoft Exchange User Monitor (Exmon) tool
http://msexchangeteam.com/archive/2005/04/06/403409.aspx
Thanks,
Evan
February 14th, 2011 1:01am
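
The Get-LogonStatistics approach mentioned in the replies above, as an added example that is not part of any post in the thread: it collapses the logon sessions reported for one mailbox into distinct account and client IP pairs and flags accounts that are not expected to open it. It assumes the Exchange Management Shell on Exchange 2007/2010 (the cmdlet does not exist on Exchange 2003, where ExMon is the suggested tool); the mailbox address and expected account are hypothetical placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# on Exchange 2007/2010. Both values below are hypothetical placeholders.
$Mailbox          = 'shared-alias@example.com'
$ExpectedAccounts = @('EXAMPLE\mailbox.owner')

# One row per logon session the mailbox store reports for this mailbox.
# This is session data, not a per-message history.
$sessions = Get-LogonStatistics -Identity $Mailbox |
    Select-Object UserName, Windows2000Account, ClientIPAddress,
                  ClientName, ClientVersion, LogonTime, LastAccessTime

# Collapse to distinct (account, client IP) pairs. Calculated properties are
# used so the pipeline also works on the PowerShell 1.0 shell of Exchange 2007.
$summary = $sessions |
    Group-Object Windows2000Account, ClientIPAddress |
    Select-Object `
        @{ n = 'Account';       e = { $_.Group[0].Windows2000Account } },
        @{ n = 'ClientIP';      e = { $_.Group[0].ClientIPAddress } },
        @{ n = 'ClientVersion'; e = { $_.Group[0].ClientVersion } },
        @{ n = 'Sessions';      e = { $_.Count } },
        @{ n = 'FirstLogon';    e = { @($_.Group | Sort-Object LogonTime)[0].LogonTime } },
        @{ n = 'Unexpected';    e = { $ExpectedAccounts -notcontains $_.Group[0].Windows2000Account } }

# Unexpected accounts first: these are the logons to compare against the
# list of users holding "Send As" permission on the mailbox.
$summary | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

Run it while the unwanted mail is being sent, because the output reflects sessions the store knows about at that moment.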