Do the antivirus logs show the .eml file names? That would be the message
ID. You could probably track by message ID and see where the message was
delivered to.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rob Hackney
Sent: Wednesday, March 31, 2004 7:38 AM
To: Exchange Discussions
Subject: looking for emails


I arrived at work this morning to several email alerts from my exch server
AV (CA Etrust InoculateIT v6 which is what picked up the virus - and I am
not scanning the M: drive which doesn't exist of course ;-)) saying that I
had viruses detected in some *.eml files. My ISP package includes Sophos
mail scanning at their gateway (they then fwd all mail to us - in theory
this means that all mail destined to us is scanned with them.)  Normally
this does an excellent job of preventing infected emails reaching us
(through our exch server anyway). I tried to find the relevant files in the
mailroot\vsi 1\queue but by then they must have been delivered. I'd like to
know how I can go about looking for these offending mails as my ISP says
that they stop password protected zip files and so on; however, I have had a
couple of instances that seem to disprove this. They would like me to fwd
the headers so they can investigate if they have a compromised server. What
would be the best way to find these?  Should I do an exmerge and search for
particulars or is there a better way?  Perhaps using an AD tool?  You'll
have to forgive me as I am a bit rusty on exch2k. Thanks for any
help/pointers.
Rob


This email is confidential and intended solely for the use of the
individual(s) to whom it is addressed.  It should not be deemed to
constitute a binding contract between TKC Group and the recipient(s) unless
a purchase order number is quoted.  Any views or opinions presented are
solely those of the author and do not necessarily represent those of TKC
Group Ltd.  If you are not the intended recipient(s), please do not copy or
disclose its contents. Please return it to: [EMAIL PROTECTED] then
delete the email.

intY has scanned this email for all known viruses (www.inty.com)


_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at: Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016

Please include the email address which you have been contacted with.
