Re: Track down external email




Correction - the option for using local dates/times is for log file names
and rolling over logs. The timestamps in logs still use UTC.

--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------


"Bharat Suneja [MVP]" <bharatsuneja@xxxxxxxxxxx> wrote in message
news:OQFSjzb4GHA.3600@xxxxxxxxxxxxxxxxxxxxxxx
- Turn on SMTP logging from SMTP virtual server properties.
- I use W3C Extended Log File format.
- By default logs are saved in %systemroot%\System32\LogFiles\SMTPSvc<1>\
(where <1> is the SMTP virtual server instance number).
- The W3C format lets you choose fields that you want to log by going to
Properties | Advanced.
- The default selection of fields logs a minimum amount of data - including
date, time, cs-method (SMTP commands like HELO, DATA, etc.) and sc-status
(SMTP response codes like 220, 250, 500, etc.).

Here are the fields I would select:

- Date
- Time
- c-ip (Client IP Address)
- cs-username (User Name) - the fqdn provided by sending server on HELO
- s-sitename - SMTP virtual server instance name (e.g. SMTPSVC2)
- s-computername - (Server Name) - name of server, useful if aggregating
logs from multiple servers into a monitoring/logging database
- s-ip - Server IP Address - useful if server has multiple IP addresses
- s-port (Server Port) - always logs as 0 afaik, even if SMTP vs is
running on a port other than 25
- cs-method (Method) - SMTP command e.g. HELO, MAIL, RCPT, DATA, QUIT
- cs-uri-query (URI Query) - command parameter (like +from:foo@xxxxxxx -
gets the from, to addresses, sending server fqdn given at HELO, and
Message ID. Nothing between DATA and End of Data sequence is logged)
- sc-status (Protocol Status) - SMTP protocol response like 220, 250, 500,
et al
- sc-win32-status (Win32 Status): a numerical value
- sc-bytes (Bytes Sent): ***if you really need this info - handy at times
for troubleshooting***
- cs-bytes (Bytes Received): ***if you really need this info - handy at
times for troubleshooting***
- time-taken (Time Taken): ***if you really need this - numerical
value***
- cs-version (Protocol Version): SMTP

Depending on volume of traffic, it's a good idea to roll over the log
daily - in low-volume environments this can also be done weekly or even
monthly, or when a log file reaches a certain size, (or never - unlimited
size - not recommended).

There's an option to use local time for logs, but it doesn't work for
smtpsvc, afaik.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------


"pwverber" <pwverber@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DD0199AC-5314-4536-AE07-636F4785BEF6@xxxxxxxxxxxxxxxx
Not sure exactly how to check header of email, do I need to add the CEO's
mailbox to my outlook to be able to do this?

Also I do not have logging on for my SMTP virtual server. What are best
settings for logging from here on out?

Thanks,
Phil


"Bharat Suneja [MVP]" wrote:

IE history most likely won't reveal this.

Check the message header and the SMTP log to figure out which IP address
the message originated from and whether it did in fact originate from Yahoo.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------


"pwverber" <pwverber@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7964BA7C-F026-45BF-9B5D-8268933A4E36@xxxxxxxxxxxxxxxx
I am trying to track down an email sent from a yahoo account to the CEO. I
have the yahoo email address but am not sure how or if I can track it down.
It may have been sent from one of our internal computers as it was sent at
10:00am on Monday. I am searching IE history, we have Firefox as well and I
do not know where it stores its history though. Thanks in advance.
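
Added example (not part of the thread or any poster's code): once SMTP logging with the fields listed above is enabled, a W3C Extended log can be searched for the MAIL command naming a given sender, reporting the client IP and the UTC timestamp converted to local time. The sample log lines, addresses, the `INTERNAL_NETS` range and the UTC-4 offset used in testing are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from the thread); column order comes from #Fields.
SAMPLE_LOG = """\
#Date: 2006-09-25 13:58:40
#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-query sc-status
2006-09-25 13:58:40 203.0.113.25 mail.example.net SMTPSVC1 HELO +mail.example.net 250
2006-09-25 13:58:41 203.0.113.25 mail.example.net SMTPSVC1 MAIL +FROM:<someone@example.net> 250
2006-09-25 14:00:12 10.1.2.34 desk17 SMTPSVC1 HELO +desk17 250
2006-09-25 14:00:13 10.1.2.34 desk17 SMTPSVC1 MAIL +FROM:<sender@example.com> 250
2006-09-25 14:00:13 10.1.2.34 desk17 SMTPSVC1 RCPT +TO:<ceo@example.org> 250
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: site LAN range


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the latest #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt lines
                yield dict(zip(fields, values))


def find_sender(text, sender, utc_offset_hours):
    """Return MAIL entries naming `sender`; log timestamps are UTC."""
    local = timezone(timedelta(hours=utc_offset_hours))
    hits = []
    for e in parse_w3c(text):
        if (e.get("cs-method", "").upper() != "MAIL"
                or sender.lower() not in e.get("cs-uri-query", "").lower()):
            continue
        utc = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        utc = utc.replace(tzinfo=timezone.utc)
        ip = ipaddress.ip_address(e["c-ip"])
        hits.append({
            "client_ip": str(ip),
            "helo_name": e.get("cs-username", "-"),  # name given at HELO
            "utc": utc.isoformat(),
            "local": utc.astimezone(local).strftime("%Y-%m-%d %H:%M:%S"),
            "internal": any(ip in net for net in INTERNAL_NETS),
        })
    return hits
```

Calling `find_sender(SAMPLE_LOG, "sender@example.com", -4)` returns the single matching entry; against a real log, pass the file's contents and the site's own UTC offset.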






