Exchange 2007 Message tracking - find the source machine.
Hi,

We have a user who said that an email was sent from his account to another external user. The email looks to be some sort of virus; however, it's only 1 email. The user claims he never sent the email - however there is not nothing in his sent items. Using message tracking I can see the email that was sent. Is there a way to find out what PC this email was sent from? I need to gather more information about how and why this email was sent from this account.

Exchange 2007 SP1 relaying email through an Ironport device.

Regards
Fergal O'Connell

--- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe exchangelist
RE: Exchange 2007 Message tracking - find the source machine.
In the message tracking, what is the source of the first RECEIVE event for this message? Is it STOREDRIVER or SMTP?

From: Fergal O'Connell [mailto:foconn...@curamsoftware.com]
Sent: Wednesday, September 29, 2010 8:38 AM
To: MS-Exchange Admin Issues
Subject: Exchange 2007 Message tracking - find the source machine.
RE: Exchange 2007 Message tracking - find the source machine.
Wouldn't it be in the header of the email when it was received?

CFee

From: Fergal O'Connell [mailto:foconn...@curamsoftware.com]
Sent: Wednesday, September 29, 2010 9:38 AM
To: MS-Exchange Admin Issues
Subject: Exchange 2007 Message tracking - find the source machine.
RE: Exchange 2007 Message tracking - find the source machine.
Storedriver.

And the mail in the message header only shows our external IP address, as is expected.

From: Campbell, Rob [mailto:rob_campb...@centraltechnology.net]
Sent: 29 September 2010 15:21
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007 Message tracking - find the source machine.
RE: Exchange 2007 Message tracking - find the source machine.
If it says Storedriver, then it was sent from his mailbox on the Exchange server. The mailbox server's tracking logs don't record the receive events, so unless you had mailbox auditing enabled I don't think there's any way to determine what the client source was.

Have you checked the dumpster to see if it's there?

From: Fergal O'Connell [mailto:foconn...@curamsoftware.com]
Sent: Wednesday, September 29, 2010 9:55 AM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007 Message tracking - find the source machine.
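The triage described in the replies above (find the first RECEIVE event for the message and read its source) written out as an added example; it is not code from any poster on the list. The sample records are constructed and shaped like Get-MessageTrackingLog output, the function name Get-FirstReceiveOrigin is hypothetical, and ConvertFrom-Csv needs PowerShell 2.0 or later.

```powershell
# Constructed sample records. Property names match Get-MessageTrackingLog
# output; every value (hosts, addresses, message IDs) is made up.
$records = @'
Timestamp,EventId,Source,ClientIp,ClientHostname,ServerHostname,MessageId,Sender,MessageSubject
2010-09-29T13:36:58Z,RECEIVE,STOREDRIVER,,,HUB01,<a1@example.test>,user1@example.test,Invoice
2010-09-29T13:36:59Z,SEND,SMTP,,,HUB01,<a1@example.test>,user1@example.test,Invoice
2010-09-29T13:40:11Z,SEND,SMTP,,,HUB01,<b2@example.test>,user1@example.test,Report
2010-09-29T13:40:10Z,RECEIVE,SMTP,10.0.5.23,WS-0423,HUB01,<b2@example.test>,user1@example.test,Report
'@ | ConvertFrom-Csv

function Get-FirstReceiveOrigin {
    # Hypothetical helper: for each message, report how it first entered transport.
    param([object[]]$TrackingRecord)

    $TrackingRecord |
        Where-Object { $_.EventId -eq 'RECEIVE' } |
        Group-Object -Property MessageId |
        ForEach-Object {
            # The earliest RECEIVE event is the point of entry for this message.
            $first = $_.Group |
                Sort-Object -Property { [datetime]$_.Timestamp } |
                Select-Object -First 1

            $finding = switch ($first.Source) {
                # Per the thread: STOREDRIVER means the message was submitted from
                # the mailbox on the Exchange server, and tracking alone does not
                # say which client machine was used.
                'STOREDRIVER' { 'Mailbox submission; client machine not in tracking data (check mailbox auditing, dumpster)' }
                # For SMTP the receive event carries the connecting host.
                'SMTP'        { "SMTP submission from $($first.ClientIp) ($($first.ClientHostname))" }
                default       { "Unhandled source '$($first.Source)'; review the raw record" }
            }

            $first | Select-Object Timestamp, MessageId, Sender, Source,
                @{ Name = 'Finding'; Expression = { $finding } }
        }
}

Get-FirstReceiveOrigin -TrackingRecord $records | Format-List

# Against live data on an Exchange 2007 transport server (sender and dates are placeholders):
#   $records = Get-MessageTrackingLog -Sender 'user1@example.test' `
#       -Start '09/29/2010 00:00' -End '09/30/2010 00:00' -ResultSize Unlimited
```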
Exchange 2007 Message Tracking
I have an email coming from a vendor that is reaching our Edge Transport Server. However, I'm not sure what happens to it after that. When I check Message Tracking, I do have a RECEIVE EventID, but there is no SENT EventID. Checking the logs, I do see an

,,AGENT,FAIL, [EMAIL PROTECTED], [EMAIL PROTECTED];,[EMAIL PROTECTED],1,Content Filter Agent,OnEndOfData,AcceptMessage,,SCL,0, [EMAIL PROTECTED],5328482,1,,,FW: 2009 Benefit Enrollment, [EMAIL PROTECTED], [EMAIL PROTECTED],00A:
2008-11-13T01:45:34.250Z,,Edge Transport Server,,,FSE Routing Agent,,AGENT,FAIL,1724393,,[EMAIL PROTECTED],,0,1, [EMAIL PROTECTED], [EMAIL PROTECTED],,4260156,1,,,FW: 2009 Benefit Enrollment, [EMAIL PROTECTED], [EMAIL PROTECTED],00A:
2008-11-13T13:58:25.593Z,97.65.38.110,,Edge transport Server,08CB125E4B474167;2008-11-13T13:58:09.781Z;0,Edge Transport Server\Default internal receive connector
2008-11-13T13:58:28.625Z,,Edge Transport Server,,,FSE Routing Agent,,AGENT,FAIL,1726631,,[EMAIL PROTECTED],,0,1, [EMAIL PROTECTED],
2008-11-13T13:58:32.484Z,198.234.129.7,,Edge Transport Server,08CB125E4B47416A;2008-11-13T13:58:14.468Z;0,Edge Transport Server\Default internal receive connector

Does anybody have any idea where this email may have gone?

Thanks.
RE: Exchange 2007 message tracking
My earlier utilities depended on something called the ExIFS Driver that was present in Exchange 2000 and Exchange 2003. It is not part of Exchange 2007 and the capabilities that it provided take a LOT more work in Exchange 2007.

Regards,
Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com

From: Greg Mulholland [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 29, 2008 12:41 AM
To: MS-Exchange Admin Issues
Subject: Exchange 2007 message tracking
Exchange 2007 message tracking
Is there any tool which will actually integrate with Exchange 2007 message tracking? After being able to find a message in the logs I would like to be able to open it and read it. MBS had an XML script for 2k3 but I am not aware that it was updated for 2007. If anyone has anything I'd be interested to check it out.

Greg
Re: Anyone know of a technical reference for the Exchange 2007 Message Tracking Logs?
I don't have the book in front of me to verify but I think Tony Redmond's Ex 2007 book may have what you are looking for.

Webster (in very windy Baltimore)

- Original Message
From: Campbell, Rob [EMAIL PROTECTED]
Subject: Anyone know of a technical reference for the Exchange 2007 Message Tracking Logs?
Anyone know of a technical reference for the Exchange 2007 Message Tracking Logs?
I'm looking for detailed descriptions of the fields and content format.
RE: Anyone know of a technical reference for the Exchange 2007 Message Tracking Logs?
This isn't too bad: http://technet.microsoft.com/en-us/library/bb124375(EXCHG.80).aspx

From: Campbell, Rob [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 30, 2008 9:29 AM
To: MS-Exchange Admin Issues
Subject: Anyone know of a technical reference for the Exchange 2007 Message Tracking Logs?
RE: Exchange 2007 Message Tracking strangeness
Yeah, it sucks. In several ways.

Regards,
Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com

From: Campbell, Rob [mailto:[EMAIL PROTECTED]
Sent: Friday, January 11, 2008 4:36 PM
To: MS-Exchange Admin Issues
Subject: Exchange 2007 Message Tracking strangeness

Fire up the Message Tracking in Exchange 2007, and sort the results by the Total Bytes column. It sorts it as a string, rather than an integer.
RE: Exchange 2007 Message Tracking strangeness
Is that the same datagridview they're using in the PowerShell V2 CTP?

From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Friday, January 11, 2008 3:49 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007 Message Tracking strangeness
RE: Exchange 2007 Message Tracking strangeness
The data in the logs is great. If you are PS savvy, you can get great data. It's just the GUI that leaves so much to be desired.

And yes, I think it's the same DGV.

Regards,
Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com

From: Campbell, Rob [mailto:[EMAIL PROTECTED]
Sent: Friday, January 11, 2008 5:06 PM
To: MS-Exchange Admin Issues
Subject: RE: Exchange 2007 Message Tracking strangeness