Ureader.com  
Microsoft software help and Community
date: Tue, 4 Apr 2006 10:20:01 -0700,    group: microsoft.public.exchange2000.misc


How can I track internal email by source IP or Hostname?   
I realize exchange doesn't inject message headers on internal email so I'd 
like to know if there's a way to track emails by sender IP or hostname.  

I'd like to set this up for both exchange 2k and 2k3, but 2k in particular.  
I've set some of the exchange diagnostics logs to medium but I don't see 
anything regarding actual email transports, mainly just successful mailbox 
connections.

If there's a specific diagnostic log I need enabled to track emails and to 
track their source, what is it, and what level does it need to be set at?

One other thing... Do I need to restart the server or exchange services 
after changing the level of logging from, let's say, medium to maximum?  After 
changing the levels, it has no effect until I reboot.

I have Exchange Email Tracking enabled, and SMTP protocol logging enabled as 
well, but those don't give me the source IPs.

I already know how to look at the headers to track incoming mail from an 
external domain.  Basically all I want to do is track the workstation that a 
domain user sends an email from, that is directed to another domain user.
I'd like to track this regardless of whether the sender uses, outlook, owa, 
etc...

Can this be done?
date: Tue, 4 Apr 2006 10:20:01 -0700   author:   Ryan

Re: How can I track internal email by source IP or Hostname?   
I'm jolly interested in what your business case is for this little
request. Someone may have a decent solution based on what you come
back with. You can't do it in Exchange and it's a complex thing to do
in AD.
date: Tue, 04 Apr 2006 18:26:54 +0100   author:   Mark Arnold [MVP]

Re: How can I track internal email by source IP or Hostname?   
The company wishing to have these emails tracked by their exchange server is 
experiencing some strange email problems.  I haven't been able to find a 
pattern yet, but  there have been emails mass-mailed to all domain users, or 
specific distribution lists.  

The emails are exact when it comes to the recipient list, so it's not a 
random list of recipients generated in hopes that one or more may be valid 
accounts.  All names in the recipient list are valid accounts.  

Some of the emails in question are mass-mailed from internal users, who deny 
ever having sent them.  I believe them, but again, I haven't found a pattern. 
 

I suspect I may be dealing with malware or some sort of mailing engine 
installed on one or more of the machines that has dug its way into outlook.  
This is the main reason why I'd like to track down the source of these emails 
without the overload of a packet sniffer.  The mail server also has, I 
believe, 5 network interfaces and is a 2000 SBS server so packet sniffing 
isn't very productive.

We do have software like spybot and ms antispyware on most of the machines, 
but all machines are continuously updated with the latest antivirus 
definitions from their Symantec Antivirus 10 server.  The machines perform 
full scans daily, and all are currently clean. (as far as symantec antivirus 
is concerned)

I'm not really looking for software to deploy across the network to scan for 
malware.... All I want is to track emails by the source workstation in 
exchange 2k.   There must be some way I can do it...
date: Tue, 4 Apr 2006 11:36:06 -0700   author:   Ryan

Re: How can I track internal email by source IP or Hostname?   
If that is the case, make sure your AV software is up to date. Set a network 
scanner or sniffer somewhere and sniff the network to see which workstation 
is causing the problem. Ethereal is free, Nmap is free, or get some nice 
graphical user sniffer to determine what kind of packets are traveling and 
which workstation is the naughty one.

Cheers
oz

-- 
Best regards, Good Luck
Oz Ozugurlu
____________________________
MCSE 2003 M+,S+, CCNA
Http://www.msexchange911.org
Http://www.consultusa.us (Blog)
date: Tue, 4 Apr 2006 11:42:06 -0700   author:   unknown
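A worked version of where this thread lands, added here as an example in Python; it is not code from the thread, from Ryan or Oz, or from Microsoft. It covers both Ryan's original question (what the server-side message tracking log can and cannot attribute) and Oz's answer (capture on the server to see which host is talking to it). The script parses Exchange 2000/2003 message tracking log lines, attributes a message directly when the log carries a client-ip (an SMTP submission), and for Store submissions, which the log records with no client address, falls back to a per-account table of MAPI sessions of the kind a capture of RPC/MAPI traffic on the server's own NICs would give you. Assumptions, all constructed or from memory: the tab-separated '# Fields:' column order and the event IDs in the sample rows (1019 Store submission, 1023 local delivery, 1024 SMTP submission) are recalled from the Exchange 2003 log format and should be checked against the header of a real log; the log lines, the session table, the hostnames SBS01 and WS-ACCT07, the accounts and the 10.0.0.0/24 addresses are sample data; the ten-recipient mass-mail threshold is arbitrary.

```python
"""Attribute internal Exchange 2000/2003 mail to a source host.
Added example; all log rows, sessions, hosts and addresses are constructed.
Column order and event IDs are assumptions, not taken from a real server.
"""
from datetime import datetime

# Assumed Exchange 2003 '# Fields:' header (tab-separated on disk).
FIELDS = ("Date Time client-ip Client-hostname Partner-Name Server-hostname "
          "server-IP Recipient-Address Event-ID MSGID Priority "
          "Recipient-Report-Status total-bytes Number-Recipients "
          "Origination-Time Encryption service-Version Linked-MSGID "
          "Message-Subject Sender-Address").split()

def _row(*fields):
    """Build one constructed tab-separated log line."""
    return "\t".join(fields)

TRACKING_LOG = "\n".join([
    "#Software: Microsoft Exchange Server",
    "# Fields: " + "\t".join(FIELDS),
    # Store (MAPI) submission by jsmith to a 40-member list: client-ip is '-'
    _row("2006-4-4", "16:02:11 GMT", "-", "SBS01", "-", "SBS01", "-",
         "all-staff@example.local", "1019", "<m1@SBS01>", "0", "0", "5120",
         "40", "2006-4-4 16:02:11 GMT", "0", "Version: 6.0.6603.0", "-",
         "Q2 figures", "jsmith@example.local"),
    _row("2006-4-4", "16:02:12 GMT", "-", "SBS01", "-", "SBS01", "-",
         "all-staff@example.local", "1023", "<m1@SBS01>", "0", "0", "5120",
         "40", "2006-4-4 16:02:11 GMT", "0", "Version: 6.0.6603.0", "-",
         "Q2 figures", "jsmith@example.local"),
    # Ordinary one-to-one MAPI message from bjones
    _row("2006-4-4", "16:10:05 GMT", "-", "SBS01", "-", "SBS01", "-",
         "jsmith@example.local", "1019", "<m2@SBS01>", "0", "0", "800", "1",
         "2006-4-4 16:10:05 GMT", "0", "Version: 6.0.6603.0", "-", "lunch?",
         "bjones@example.local"),
    # Submission straight to port 25 from a workstation: client-ip is kept
    _row("2006-4-4", "16:15:30 GMT", "10.0.0.77", "WS-ACCT07", "-", "SBS01",
         "10.0.0.5", "sales@example.local", "1024", "<m3@WS-ACCT07>", "0",
         "0", "9000", "12", "2006-4-4 16:15:30 GMT", "0",
         "Version: 6.0.6603.0", "-", "Important", "bjones@example.local"),
])

# What a capture of RPC/MAPI traffic to the store would give, per account:
# (account, client IP, first seen, last seen). Constructed sample data.
MAPI_SESSIONS = [
    ("jsmith", "10.0.0.21", "2006-04-04 08:00:00", "2006-04-04 17:30:00"),
    ("jsmith", "10.0.0.77", "2006-04-04 16:01:50", "2006-04-04 16:02:40"),
    ("bjones", "10.0.0.33", "2006-04-04 07:55:00", "2006-04-04 18:00:00"),
]

def parse_tracking_log(text):
    """Return one dict per data row, keyed by the lower-cased '# Fields:' names."""
    names, rows = None, []
    for line in text.splitlines():
        if line.lower().startswith("# fields:"):
            names = [n.lower() for n in line.split(":", 1)[1].strip().split("\t")]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines and blanks
        else:
            vals = line.split("\t")
            if names is None or len(vals) != len(names):
                raise ValueError("unexpected column count: %r" % line)
            rows.append(dict(zip(names, vals)))
    return rows

def _log_ts(date, time):
    # Log writes 'Y-m-d' and 'H:M:S GMT'; strptime accepts unpadded month/day.
    return datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S GMT")

def sessions_active(account, when, sessions=MAPI_SESSIONS):
    """Client IPs that had a MAPI session for `account` open at `when`."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return [ip for acct, ip, first, last in sessions if acct == account
            and datetime.strptime(first, fmt) <= when <= datetime.strptime(last, fmt)]

def attribute_messages(log_text, sessions=MAPI_SESSIONS, mass_threshold=10):
    """One record per MSGID, based on its first tracking-log row."""
    first = {}
    for row in parse_tracking_log(log_text):
        first.setdefault(row["msgid"], row)
    records = []
    for msgid, row in first.items():
        when = _log_ts(row["date"], row["time"])
        rec = {"msgid": msgid, "sender": row["sender-address"], "when": when,
               "recipients": int(row["number-recipients"])}
        rec["mass_mail"] = rec["recipients"] >= mass_threshold
        if row["client-ip"] != "-":  # SMTP submission: the log names the host
            rec["method"], rec["ips"] = "smtp-client-ip", [row["client-ip"]]
        else:  # Store submission: no IP logged, fall back to session overlap
            account = rec["sender"].split("@", 1)[0]
            rec["method"] = "mapi-session-overlap"
            rec["ips"] = sessions_active(account, when, sessions)
        rec["ambiguous"] = len(rec["ips"]) != 1
        records.append(rec)
    return records

def suspicious(records):
    """Mass mailings submitted over raw SMTP, or whose source is ambiguous."""
    return [r for r in records
            if r["mass_mail"] and (r["method"] == "smtp-client-ip" or r["ambiguous"])]
```

On the sample data the jsmith message to the 40-member list comes back with two overlapping MAPI sessions for that account, one of them a short-lived connection from a second host, and that second host is where to start looking; the 12-recipient message that arrived over plain SMTP is attributed straight from the log. Two caveats: the correlation only works if the session table covers the submission time, so the capture has to be running before the next outbreak rather than after it; and it attributes the account's session, not the person, so malware driving Outlook on the user's own workstation shows up as a single, unremarkable session from that workstation.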

Re: How can I track internal email by source IP or Hostname?   
I'd be on the side of Oz on this one. Exchange isn't the product you
want to leverage to check the problem out.
date: Fri, 07 Apr 2006 20:30:09 +0100   author:   Mark Arnold [MVP]

COPYRIGHT 2007, YARDI TECHNOLOGY LIMITED, ALL RIGHTS RESERVED