Re: Track down external email


Thank you very much, your information has been very helpful.

How do I check the header of the email? Can you think of any other way to
possibly track this person down who sent the email without the logging?

Thanks,
Phil

"Bharat Suneja [MVP]" wrote:

correction - the option for using local dates/times is for log file names
and rolling over logs. the timestamps in logs still use UTC.

--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------


"Bharat Suneja [MVP]" <bharatsuneja@xxxxxxxxxxx> wrote in message
news:OQFSjzb4GHA.3600@xxxxxxxxxxxxxxxxxxxxxxx
- Turn on SMTP logging from SMTP virtual server properties.
- I use W3C Extended Log File format.
- By default logs are saved in %systemroot%\System32\LogFiles\SMTPSvc<1>\
(where <1> is the smtp virtual server instance number).
- The W3C format lets you choose fields that you want to log by going to
Properties | Advanced.
- The default selection of fields logs minimum amount of data - including
date, time, cs-method (SMTP commands like HELO, DATA, etc.) and sc-status
(SMTP response codes like 220, 250, 500, etc.).

Here are the fields I would select:

- Date
- Time
- c-ip (Client IP Address)
- cs-username (User Name) - the fqdn provided by sending server on HELO
- s-sitename - SMTP virtual server instance name (e.g. SMTPSVC2)
- s-computername - (Server Name) - name of server, useful if aggregating
logs from multiple servers into a monitoring/logging database
- s-ip - Server IP Address - useful if server has multiple IP addresses
- s-port (Server Port) - always logs as 0 afaik, even if SMTP vs is
running on a port other than 25
- cs-method (Method) - SMTP command e.g. HELO, MAIL, RCPT, DATA, QUIT
- cs-uri-query (URI Query) - command parameter (like +from:foo@xxxxxxx -
gets the from, to addresses, sending server fqdn given at HELO, and
Message ID. Nothing between DATA and End of Data sequence is logged)
- sc-status (Protocol Status) - SMTP protocol response like 220, 250, 500,
et al
- sc-win32-status (Win32 Status): a numerical value
- sc-bytes (Bytes Sent): ***if you really need this info - handy at times
for troubleshooting***
- cs-bytes (Bytes Received): ***if you really need this info - handy at
times for troubleshooting***
- time-taken (Time Taken): ***if you really need this - numerical
value***
- cs-version (Protocol Version): SMTP

Depending on volume of traffic, it's a good idea to roll over the log
daily - in low-volume environments this can also be done weekly or even
monthly, or when a log file reaches a certain size, (or never - unlimited
size - not recommended).

There's an option to use local time for logs, but it doesn't work for
smtpsvc, afaik.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------


"pwverber" <pwverber@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DD0199AC-5314-4536-AE07-636F4785BEF6@xxxxxxxxxxxxxxxx
Not sure exactly how to check header of email, do I need to add the CEO's
mailbox to my outlook to be able to do this?

Also I do not have logging on for my SMTP virtual server. What are best
settings for logging from here on out?

Thanks,
Phil


"Bharat Suneja [MVP]" wrote:

IE history most likely won't reveal this.

Check the message header and the SMTP log to figure out which IP address
the message originated from and whether it did in fact originate from Yahoo.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------


"pwverber" <pwverber@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7964BA7C-F026-45BF-9B5D-8268933A4E36@xxxxxxxxxxxxxxxx
I am trying to track down an email sent from a yahoo account to the CEO. I
have the yahoo email address but am not sure how or if I can track it down.
It may have been sent from one of our internal computers as it was sent at
10:00am on Monday. I am searching IE history, we have Firefox as well and I
do not know where it stores its history though. Thanks in advance.
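
Added example, not part of the original thread: once the W3C Extended fields recommended above are being logged, this Python script searches an SMTP log for MAIL commands naming a given sender and reports the connecting c-ip and HELO name, converting the UTC log timestamps to local time. The sample log lines, the addresses (documentation ranges) and the UTC-4 offset are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in W3C Extended format (not taken from a real server).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-query sc-status
2006-09-25 13:58:40 203.0.113.7 mx1.example.net SMTPSVC1 HELO +mx1.example.net 250
2006-09-25 13:58:41 203.0.113.7 mx1.example.net SMTPSVC1 MAIL +FROM:<news@example.net> 250
2006-09-25 14:00:12 198.51.100.23 relay.example.org SMTPSVC1 HELO +relay.example.org 250
2006-09-25 14:00:13 198.51.100.23 relay.example.org SMTPSVC1 MAIL +FROM:<sender@example.org> 250
2006-09-25 14:00:13 198.51.100.23 relay.example.org SMTPSVC1 RCPT +TO:<ceo@example.com> 250
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the directive reappears after a service restart
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or foreign lines
                yield dict(zip(fields, values))


def find_sender(text, address, utc_offset_hours):
    """Return (local time, c-ip, HELO name) for each MAIL command from address."""
    local = timezone(timedelta(hours=utc_offset_hours))
    hits = []
    for entry in parse_w3c(text):
        if entry.get("cs-method", "").upper() != "MAIL":
            continue
        # cs-uri-query looks like "+FROM:<user@domain>"; keep only the address.
        query = entry.get("cs-uri-query", "")
        sender = query.partition(":")[2].lstrip("<").split(">")[0]
        if sender.lower() != address.lower():
            continue
        # Log timestamps are UTC regardless of the local-time rollover option.
        stamp = datetime.strptime(entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
        stamp = stamp.replace(tzinfo=timezone.utc).astimezone(local)
        hits.append((stamp.strftime("%Y-%m-%d %H:%M:%S"),
                     entry.get("c-ip", "-"), entry.get("cs-username", "-")))
    return hits


if __name__ == "__main__":
    for hit in find_sender(SAMPLE_LOG, "sender@example.org", -4):
        print(hit)
```

A c-ip that falls inside the organisation's own address space would point to an internal machine; an external c-ip only identifies the relaying mail server, not the author.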







