Re: Checking Outbound Exchange Email
- From: Joe <joe@xxxxxxxxxxxxxx>
- Date: Fri, 26 Sep 2008 19:54:03 +0100
Richard K wrote:
> I'm just a little confused. I have used the Message Tracking Center in E2K3 but the only thing I see are INBOUND messages. How can I look to see OUTBOUND traffic?
> The reason being is I have a client computer generating what possibly could be spam mail and I want to identify which computer is generating so many email messages.

Difficult to say, the MTC should show all inbound and outbound messages. Of course, not all mail needs to go through Exchange, and spam is generally sent using a fairly basic SMTP engine installed by whatever malware is responsible. If Exchange is being used, the MTC should show the messages, and for more detail, you can enable full SMTP logging*. I've always recommended that anyone running an Internet-connected mail server should enable this and keep at least a week's worth of logs. Email is still one of the more troublesome aspects of IT (along with printing) and you need all the help you can get.
First of all, how do you know spam is being sent if you can't see it happening? Where are you seeing these messages and why can't you tell from them which is the offending machine? If you're just getting reports from other people, be aware that they may not know where their spam is actually coming from, and it may be nothing at all to do with your network.
Next, what is the network topology, are you using one NIC or two in the SBS? If two, SBS has Network Monitor, which can inspect all traffic on its interfaces. If one, then only the offending client and the router are likely to be able to see the traffic. We can assume that the level of spam is not high, or the client's NIC lights and/or its port on the network switch would be showing a high level of activity.
The Windows Firewall can be set to log (a domain policy) and again I'd recommend enabling this on the clients. Outlook uses MAPI to connect to Exchange, so any packets sent to port 25 from a client are likely to be a sign of malware.
My other usual recommendation is to enable logging on your Internet router, if it can do that, and to look for the feature in future purchases if it can't. There's no substitute for an independent and fairly incorruptible witness to packets entering and leaving your network. With a single-NIC SBS, the router can normally be configured to block outgoing mail from everywhere except the SBS, preventing this particular problem and warning you of a client infection at the same time. A cheap firewall-router with logging capability, connected between the Internet router and the rest of the network if the main router can't do logging, can easily save its cost in the time needed to troubleshoot even one problem.
* This is done in the Exchange Manager, in
Servers-><your server>->Protocols->SMTP->Default SMTP Virtual Server and then properties. On the General tab, tick Enable logging, click Properties, note the file location, then on the Advanced tab, tick everything and OK it all.
--
Joe
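
The client-side check described in the reply above (Windows Firewall logging, then looking for packets sent to port 25), as an added example that is not part of the original post: it reads log text in the Windows Firewall `pfirewall.log` layout and lists which LAN clients opened TCP connections to port 25 and to which hosts. The LAN range, the mail server address and every log line are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the Windows Firewall log layout; all addresses are made up.
# 192.168.16.2 stands in for the SBS/Exchange server (an assumption).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2008-09-26 10:01:02 OPEN TCP 192.168.16.23 203.0.113.10 1045 25 - - - - - - - -
2008-09-26 10:01:03 OPEN TCP 192.168.16.23 198.51.100.7 1046 25 - - - - - - - -
2008-09-26 10:01:04 OPEN TCP 192.168.16.23 192.168.16.2 1047 135 - - - - - - - -
2008-09-26 10:01:05 OPEN TCP 192.168.16.31 192.168.16.2 1050 25 - - - - - - - -
2008-09-26 10:01:06 OPEN UDP 192.168.16.23 192.168.16.2 1051 53 - - - - - - - -
2008-09-26 10:01:07 DROP TCP 203.0.113.99 192.168.16.23 4000 25 - - - - - - - -
"""

def port25_senders(log_text, lan="192.168.16.0/24", mail_server="192.168.16.2"):
    """Map each LAN client to the set of hosts it contacted on TCP port 25."""
    lan_net = ipaddress.ip_network(lan)
    fields, hits = [], defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names come from the log header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("protocol") != "TCP" or row.get("dst-port") != "25":
            continue
        try:
            src = ipaddress.ip_address(row["src-ip"])
        except (KeyError, ValueError):
            continue                    # skip truncated or malformed lines
        # Count LAN clients only; the mail server is expected to speak SMTP.
        if src in lan_net and row["src-ip"] != mail_server:
            hits[row["src-ip"]].add(row.get("dst-ip", "?"))
    return dict(hits)

if __name__ == "__main__":
    for client, dests in sorted(port25_senders(SAMPLE_LOG).items()):
        print(f"{client} -> port 25 on {len(dests)} host(s): {sorted(dests)}")
```

A client that reaches many different external hosts on port 25 is the one to inspect first; a client that only reaches the mail server on port 25 will also appear in the Exchange SMTP log.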