Title: Message
 
Well, I'm not so sure about the complexity of the suggestion.  I generally believe that kind of valuation statement can only be made after understanding the full complement of what needs to be done and how robust, redundant and intelligent the process needs to be.  To each his own... :-)
 
But your recommendation reminded me of something I did recently while poking around the WMI's Exchange_MessageTrackingEntry class (found in Exchange 2000 SP2).  Tom, below is a proof-of-concept script that should allow you to search the message tracking logs for recorded traffic.  It's actually pretty useful, and could possibly be adapted to suit your needs.  The example uses a WQL query to return all of the class's properties, but you could modify it to return all messages recorded within a day (or more) and collect just the Sender and/or Recipient addresses for insertion into a DB.
 
More information on the WMI classes for Exchange:
 
WMI for Exchange 2000
 
Exchange_MessageTrackingEntry Class (also contains a .VBS example similar to the one below in Perl)
 
Querying with WQL
 
Hope this helps,
Richard
 
 
#_________________________________________________________________________
#
# MSGTRACK.PL - message tracking search script
#   This script is designed to utilize WMI's Exchange_MessageTrackingEntry class
#   (found in Exchange 2000 SP2) to search the Message Tracking logs for specific
#   criteria defined in the WQL query.
#
# DISCLAIMER:
#  You have a royalty-free right to use, modify, reproduce and distribute this code
#  (and/or any modified version) in any way you find useful, with the agreement
#  that Richard Puckett provide no warranty, obligations or liability for this code.
#  If you reuse or modify this code, you must retain this copyright notice.
#
#                       copyright (C) 2002 Richard Puckett
#_________________________________________________________________________
# pragmas
use strict;
 
# modules
#use Win32::OLE;
use Win32::OLE qw(in with);
use Win32::OLE::Enum;
#use Win32::OLE::Const 'Active DS Type Library';
$Win32::OLE::Warn = 3;
 
# temporary values
my $tempval = "";
my $x = 0;   # message counter (numeric, so an empty result prints "0 messages")
 
# credentials and target server
my $computer = "servername here";
my $userid =   "domainname\\userid";
my $passwd =   "password here";
my $class =    "Exchange_MessageTrackingEntry";
 
# one day back
my $dmtftime = "20021021062255.570000-240";
#my $strQuery = "SELECT LocalDateTime FROM Win32_OperatingSystem";
 
my %MSGHASH = (
 '0'=>'Message received through X400',
 '1'=>'Not Used',
 '2'=>'Report received',
 '4'=>'Message submitted',
 '5'=>'Not Used',
 '6'=>'Not Used',
 '7'=>'Message transferred out',
 '8'=>'Report transferred out',
 '9'=>'Message delivered',
 '10'=>'Report delivered',
 '18'=>'Not Used',
 '23'=>'Not Used',
 '26'=>'Distribution list expanded',
 '28'=>'Message redirected',
 '29'=>'Message rerouted',
 '31'=>'Server downgraded by MTA',
 '33'=>'Report absorbed',
 '34'=>'Report generated',
 '43'=>'Unroutable report discarded',
 '50'=>'Message deleted by Administrator',
 '51'=>'Probe deleted by Administrator',
 '52'=>'Report deleted by Administrator',
 '1000'=>'Message delivered locally',
 '1001'=>'Message transferred in over backbone',
 '1002'=>'Message transferred out over backbone',
 '1003'=>'Message transferred out over gateway',
 '1004'=>'Message transferred in over gateway',
 '1005'=>'Report transferred in over gateway',
 '1006'=>'Report transferred out over gateway',
 '1007'=>'Report generated',
 '1010'=>'SMTP: Message queued outbound',
 '1011'=>'SMTP: Message transferred out',
 '1012'=>'SMTP: Inbound message received',
 '1013'=>'SMTP: Inbound message transferred',
 '1014'=>'SMTP: Message rerouted',
 '1015'=>'SMTP: Report transferred in',
 '1016'=>'SMTP: Report transferred out',
 '1017'=>'SMTP: Report generated',
 '1018'=>'SMTP: Report absorbed',
 '1019'=>'SMTP: Message submitted to Advanced Queuing',
 '1020'=>'SMTP: Started outbound transfer of message',
 '1021'=>'SMTP: Message sent to badmail directory',
 '1022'=>'SMTP: Advanced Queue failure',
 '1023'=>'SMTP: Message delivered locally',
 '1024'=>'SMTP: Message submitted to Categorizer',
 '1025'=>'SMTP: Started message submission to Advanced Queue',
 '1026'=>'SMTP: Advanced Queue failed to deliver message',
 '1027'=>'SMTP Store Driver: Message submitted from Store',
 '1028'=>'SMTP Store Driver: Message delivered locally to Store',
 '1029'=>'SMTP Store Driver: Message submitted to MTA',
 '1030'=>'SMTP: Non-delivery report (NDR) generated',
 '1031'=>'SMTP: Message transferred out',
);
 
# retrieve DMTF local time
#my $Wmi = Win32::OLE->GetObject("winmgmts:");
#my $wmitime = $Wmi->ExecQuery($strQuery);
 
#foreach my $dmtf(in $wmitime) {
#  my $dtime = $dmtf->{'LocalDateTime'};
#  print $dtime."\n";
#}
 
my $objLocator = Win32::OLE->new('WbemScripting.SWbemLocator')
   || die "unable to access the WBEM provider: ", Win32::OLE->LastError;
 
my $objSWbemServices = $objLocator->ConnectServer($computer, "root/MicrosoftExchangeV2", $userid, $passwd)
   || die "unable to access the WBEM provider on $computer: ", Win32::OLE->LastError;
 
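# 3 = wbemImpersonationLevelImpersonate
$objSWbemServices->Security_->{ImpersonationLevel} = 3;
# 2 = wbemAuthenticationLevelConnect (authenticates at connect time only; 6 = PktPrivacy also encrypts the traffic)
$objSWbemServices->Security_->{AuthenticationLevel} = 2;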
 
my $objInstance = $objSWbemServices->Get($class)
   || die "unable to access the WBEM $class class: ", Win32::OLE->LastError;
 
my $WQL = "SELECT * FROM $class WHERE TimeLogged > '$dmtftime'";
 
# other example options are....
# WHERE SenderAddress = 'userid\@mycompany.com'
# WHERE TimeLogged > '$dmtftime'
# AND ClientIP = '111.111.111.111'
# AND EntryType = '1031'
 
my $colInstances = $objSWbemServices->ExecQuery( $WQL, "WQL");
print "\nenumerating the $class class...\n\n";

foreach my $linkval (in ($colInstances)) {
 $x++;
 print " MESSAGE $x...\n";
 print "-" x 100; print "\n";
 
 $tempval = ($linkval->{'KeyID'} || undef) ? $linkval->{'KeyID'} : "<undefined>";
 print " KeyID:                     ".$tempval."\n"; 
 $tempval = ($linkval->{'AttemptedPartnerServer'} || undef) ? $linkval->{'AttemptedPartnerServer'} : "<undefined>";
 print " AttemptedPartnerServer:    ".$tempval."\n";
 $tempval = ($linkval->{'ClientIP'} || undef) ? $linkval->{'ClientIP'} : "<undefined>";
 print " ClientIP:                  ".$tempval."\n";
 $tempval = ($linkval->{'ClientName'} || undef) ? $linkval->{'ClientName'} : "<undefined>";
 print " ClientName:                ".$tempval."\n";
 # defined() rather than a truth test: 0 is a valid value for these properties
 $tempval = defined($linkval->{'Cost'}) ? $linkval->{'Cost'} : "<undefined>";
 print " Cost:                      ".$tempval."\n";
 $tempval = defined($linkval->{'DeliveryTime'}) ? $linkval->{'DeliveryTime'}." seconds" : "<undefined>";
 print " DeliveryTime:              ".$tempval."\n";
 $tempval = defined($linkval->{'Encrypted'}) ? $linkval->{'Encrypted'} : "<undefined>";
 print " Encrypted:                 ".$tempval."\n";
 
 # defined() rather than a truth test: EntryType 0 (X400) is valid but false in Perl
 if (defined $linkval->{'EntryType'}) {
  $tempval = $linkval->{'EntryType'};
  if (exists($MSGHASH{$tempval})) {
   print " EntryType:                 ".$MSGHASH{$tempval}." (".$tempval.")\n";
  } else {
   $tempval = "<undefined>";
   print " EntryType:                 ".$tempval."\n";
  }
 }
 
 $tempval = ($linkval->{'ExpansionDL'} || undef) ? $linkval->{'ExpansionDL'} : "<undefined>";
 print " ExpansionDL:               ".$tempval."\n";
 $tempval = ($linkval->{'LinkedMessageID'} || undef) ? $linkval->{'LinkedMessageID'} : "<undefined>";
 print " LinkedMessageID:           ".$tempval."\n";
 $tempval = ($linkval->{'MessageID'} || undef) ? $linkval->{'MessageID'} : "<undefined>";
 print " MessageID:                 ".$tempval."\n";
 $tempval = ($linkval->{'OriginationTime'} || undef) ? $linkval->{'OriginationTime'}." UTC" : "<undefined>";
 print " OriginationTime:           ".$tempval."\n";
 $tempval = ($linkval->{'PartnerServer'} || undef) ? $linkval->{'PartnerServer'} : "<undefined>";
 print " PartnerServer:             ".$tempval."\n";
 $tempval = defined($linkval->{'Priority'}) ? $linkval->{'Priority'} : "<undefined>";   # 0 is a valid priority
 print " Priority:                  ".$tempval."\n";
 
 # RecipientAddress and RecipientStatus are arrays: one entry per recipient
 if ($linkval->{'RecipientAddress'} || undef) {
  foreach my $mailid (@{$linkval->{'RecipientAddress'}}) {
   #$x++;
   print " RecipientAddress:          ".$mailid."\n";
  }
 }
 
 $tempval = defined($linkval->{'RecipientCount'}) ? $linkval->{'RecipientCount'} : "<undefined>";
 print " RecipientCount:            ".$tempval."\n";
 
 if ($linkval->{'RecipientStatus'} || undef) {
  foreach my $mailstat (@{$linkval->{'RecipientStatus'}}) {
   #$x++;
   print " RecipientStatus:           ".$mailstat."\n";
  }
 }
 
 $tempval = ($linkval->{'SenderAddress'} || undef) ? $linkval->{'SenderAddress'} : "<undefined>";
 print " SenderAddress:             ".$tempval."\n";
 $tempval = ($linkval->{'ServerIP'} || undef) ? $linkval->{'ServerIP'} : "<undefined>";
 print " ServerIP:                  ".$tempval."\n";
 $tempval = ($linkval->{'ServerName'} || undef) ? $linkval->{'ServerName'} : "<undefined>";
 print " ServerName:                ".$tempval."\n";
 $tempval = defined($linkval->{'Size'}) ? $linkval->{'Size'}." bytes" : "<undefined>";   # 0 bytes is a valid size
 print " Size:                      ".$tempval."\n";
 $tempval = ($linkval->{'Subject'} || undef) ? $linkval->{'Subject'} : "<undefined>";
 print " Subject:                   ".$tempval."\n";
 $tempval = ($linkval->{'SubjectID'} || undef) ? $linkval->{'SubjectID'} : "<undefined>";
 print " SubjectID:                 ".$tempval."\n";
 $tempval = ($linkval->{'TimeLogged'} || undef) ? $linkval->{'TimeLogged'}." UTC" : "<undefined>";
 print " TimeLogged:                ".$tempval."\n";
 $tempval = ($linkval->{'Version'} || undef) ? $linkval->{'Version'} : "<undefined>";
 print " Version:                   ".$tempval."\n\n";
 print "-" x 100; print "\n";
}
 
print "\ndone! $x messages retrieved... \n\n";
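
Added example (not part of Richard's message or script): one way to replace the hard-coded $dmtftime with a computed "one day back" value and to narrow the WQL query to the address properties, as the message suggests. The helper names, the UTC (+000) offset and the sample rows are assumptions made for this illustration; in the script above the rows would come from ExecQuery.

```perl
use strict;
use warnings;
use POSIX qw(strftime);

# DMTF datetime (yyyymmddHHMMSS.mmmmmm+UUU), in UTC, for $days before $now.
sub dmtf_time {
    my ($days, $now) = @_;
    return strftime("%Y%m%d%H%M%S", gmtime(($now // time) - $days * 86400)) . ".000000+000";
}

# Quote a value as a WQL string literal: escape backslash and single quote
# so an address or IP supplied by a user cannot change the query's structure.
sub wql_quote {
    my ($value) = @_;
    $value =~ s/([\\'])/\\$1/g;
    return "'$value'";
}

# Address columns only, newer than $since, with an optional EntryType filter
# (hypothetical helper; 1012 is "SMTP: Inbound message received" in %MSGHASH).
sub build_wql {
    my ($since, $entry_type) = @_;
    die "bad DMTF time: $since\n" unless $since =~ /^\d{14}\.\d{6}[+-]\d{3}$/;
    my $wql = "SELECT SenderAddress, RecipientAddress FROM Exchange_MessageTrackingEntry"
            . " WHERE TimeLogged > " . wql_quote($since);
    if (defined $entry_type) {
        die "bad EntryType: $entry_type\n" unless $entry_type =~ /^\d+$/;
        $wql .= " AND EntryType = " . wql_quote($entry_type);
    }
    return $wql;
}

# Reduce result rows to unique, lower-cased sender addresses for a DB insert.
sub collect_senders {
    my %seen;
    for my $addr (map { $_->{SenderAddress} } @_) {
        $seen{lc $addr}++ if defined $addr && length $addr;
    }
    return sort keys %seen;
}

# Constructed sample rows standing in for the objects ExecQuery returns.
my @rows = (
    { SenderAddress => 'Alice@example.com' },
    { SenderAddress => 'alice@example.com' },
    { SenderAddress => undef },
    { SenderAddress => 'bob@example.net' },
);
print build_wql(dmtf_time(1), 1012), "\n";
print "$_\n" for collect_senders(@rows);
```
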
 

 
 
 
 
 
-----Original Message-----
From: Ken Cornetet [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 22, 2002 5:43 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Capture incoming e-mail address

Far too complicated....
 
Have a look at your IMS servers'  XXX.log (where XXX is the server name for E2K servers, "tracking" for E5.5) shares. There is one log file per day in that directory.
 
Root around Microsoft's KB. The structure of the records is documented in a couple of Q articles.
 
I've got some perl code that does some analysis on Exchange 5.5 logs if you are interested.
-----Original Message-----
From: Puckett, Richard [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 22, 2002 4:11 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Capture incoming e-mail address

Tom,
 
Not sure of any products, but programmatically there are a number of different ways you might do this.  If the server is using Exchange 2000, you could implement an SMTP Transport Event Sink on the backend Mailbox Server (or SMTP Bridgehead), possibly using the ISMTPOnArrival (OnArrival) or the OnSubmission Interfaces to capture all inbound SMTP transactions.  The major difference between these two event types is that OnSubmission can be configured to run asynchronously (which would help to alleviate load and message hangs) and that OnArrival is synchronous (making it a potential resource and performance problem). 
 
In both cases, Transport Event Sinks allow you to: forward all mail for a domain to a mailbox, add a disclaimer to the end of each message that leaves your network, scan all incoming mail from the Internet for keywords, subjects, and attachment filenames, check for viruses, check for spam.  In your particular case a Transport Event Sink could potentially be used to open inbound SMTP messages and retrieve the sender's e-mail address(es), writing them to a flat file or DB.  You'd have to be cautious of resource utilization and synchronous calls.
 
 
Check out the following articles on MSDN:
 
smtpreg.vbs Event Management Script
 
Hope this helps,
Richard
 
 
-----Original Message-----
From: Tom Verde [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 22, 2002 3:45 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Capture incoming e-mail address

Hi all,

   I am new to this group and have a quick question that I hope someone
can help me with.

   One of our customers needs to find a utility/product that can capture
all incoming e-mail addresses on their exchange server and put them in a
database of some sort to have a record of who e-mailed the company.

   Are there any links/products/procedures etc. that can accomplish this?
Thanks in advance.

Tom
