Some things that I do to help prepare for easy tracking of SMTP events in environments that I have worked in over the past few years:
- Enable SMTP logging in W3C Extended Log File Format on a daily schedule.
- Configure the SMTP logs to include the following: Date, Time, Client IP Address, User Name, Server IP Address, Method, URI Query.
- With Windows 2003, use the support tool called FORFILES in a script to compress the previous day's logs and age out any over 7 days old.

With SMTP logging enabled on all Exchange servers it becomes much easier to troubleshoot things like this. For example, if you are looking for the source of one of these messages and you have the sending address, recipient address, or even better the message ID, you can parse that day's SMTP log to see from what IP that message came. In the past I have used this method to identify infected client machines on networks that I supported so that their network port could be disabled until their machine was cleaned.

There is one catch: most AV products report the sender/receiver of infected mail that is in the body of the message, not in the envelope, so in some cases it's difficult to track down an individual message if the envelope information does not match up with the body (the envelope would say RCPT TO:<[EMAIL PROTECTED]>, but the message body would say To: [EMAIL PROTECTED]).

Since you said you have one of these messages, you have the message ID, which means you can search the SMTP logs for this (if they are set up). What you could also do is use the message tracking tool in ESM, as it has a field for message ID. You could get an idea where the message came from and where it went that way as well.

Best regards,
Steven

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Handley
> Sent: Tuesday, November 22, 2005 11:01 AM
> To: Exchange Discussions
> Subject: RE: How to tell if email was sent from inside or outside exchange
>
> The headers say it came from an outside domain but the interesting thing is
> they were sent to email addresses that don't exist.
> Example - I got one that was sent to [EMAIL PROTECTED] which is not my address.
> So the header I am not that confident with.
>
> This just started this AM. Is it just us or is this maybe a widespread issue?
>
> Nathan Handley
> -=-=-=-=-=-=-=-=-=-=-=-
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
> Sent: Tuesday, November 22, 2005 9:25 AM
> To: Exchange Discussions
> Subject: RE: How to tell if email was sent from inside or outside exchange
>
> > So how can you determine if the message originated inside or outside.
>
> Easiest way I know of is to get one of the email messages and look at
> the headers. Not bullet-proof, but it's a good start, and you might
> actually nail it down with just that.
>
> --
> Larry Wahlers
> Concordia Technologies
> The Lutheran Church - Missouri Synod
> mailto:[EMAIL PROTECTED]
> direct office line: (314) 996-1876
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange
> To subscribe: http://e-newsletters.internet.com/discussionlists.html/
> To unsubscribe send a blank email to [EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
> To unsubscribe via postal mail, please contact us at:
> Jupitermedia Corp.
> Attn: Discussion List Management
> 475 Park Avenue South
> New York, NY 10016
>
> Please include the email address which you have been contacted with.
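As an added example (not part of Steven's post, and not a tool shipped with Exchange or IIS), the following Python script does the "parse that day's SMTP log" step he describes: it reads a W3C Extended log carrying the seven fields he recommends, reassembles each SMTP conversation, and answers "which client IP submitted the message with this Message-ID / this envelope sender or recipient". The sample log is constructed. The field names (c-ip, cs-username, s-ip, cs-method, cs-uri-query) are IIS's standard W3C names for the fields in his list; the exact text the SMTP service writes into cs-uri-query for each verb (the "+FROM:<...>" / "+TO:<...>" arguments and the Message-ID on the DATA line) is an assumption here and should be checked against a real log before relying on the search.

```python
"""Find the client IP that delivered a message, from an IIS/Exchange 2003
SMTP log in W3C Extended Log File Format.

Added example; the log below is constructed and the cs-uri-query layout
per verb is an assumption, not taken from a real server.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional

# Constructed sample: the '#' lines are the W3C header, the #Fields line
# names the columns, and the entries are two inbound SMTP sessions.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-11-22 15:59:12
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query
2005-11-22 15:59:12 203.0.113.77 - 192.0.2.10 HELO +mx.example.net
2005-11-22 15:59:12 203.0.113.77 - 192.0.2.10 MAIL +FROM:<someone@example.net>
2005-11-22 15:59:13 203.0.113.77 - 192.0.2.10 RCPT +TO:<nobody@corp.example>
2005-11-22 15:59:14 203.0.113.77 - 192.0.2.10 DATA +<20051122155912.ABC123@example.net>
2005-11-22 15:59:14 203.0.113.77 - 192.0.2.10 QUIT -
2005-11-22 16:01:05 10.20.30.44 - 192.0.2.10 HELO +ws-0117
2005-11-22 16:01:05 10.20.30.44 - 192.0.2.10 MAIL +FROM:<spoofed@corp.example>
2005-11-22 16:01:05 10.20.30.44 - 192.0.2.10 RCPT +TO:<victim@corp.example>
2005-11-22 16:01:06 10.20.30.44 - 192.0.2.10 DATA +<00a1b2c3@ws-0117>
2005-11-22 16:01:06 10.20.30.44 - 192.0.2.10 QUIT -
"""

ADDR_RE = re.compile(r"<([^>]*)>")


@dataclass
class Session:
    client_ip: str
    started: str                      # "date time" of the HELO/EHLO
    sender: Optional[str] = None      # envelope MAIL FROM
    recipients: List[str] = field(default_factory=list)   # envelope RCPT TO
    message_id: Optional[str] = None  # Message-ID seen on the DATA line


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                  # other directives carry no entries
        if not fields:
            raise ValueError("log entry seen before a #Fields directive")
        values = line.split(" ", len(fields) - 1)
        if len(values) != len(fields):
            continue                  # truncated line: skip, do not misalign
        yield dict(zip(fields, values))


def sessions(text: str) -> List[Session]:
    """Reassemble SMTP conversations from the per-verb log lines.

    The W3C SMTP log has no connection id, so lines are grouped by client
    IP between HELO/EHLO and QUIT.  Two simultaneous connections from one
    IP would be merged; that is a limit of the format, not of the search.
    """
    open_by_ip: Dict[str, Session] = {}
    done: List[Session] = []
    for e in parse_w3c(text):
        ip, verb = e["c-ip"], e["cs-method"].upper()
        arg = e["cs-uri-query"].lstrip("+")   # IIS encodes the leading space as '+'
        if verb in ("HELO", "EHLO"):
            if ip in open_by_ip:              # new greeting closes an unfinished session
                done.append(open_by_ip.pop(ip))
            open_by_ip[ip] = Session(ip, f'{e["date"]} {e["time"]}')
            continue
        s = open_by_ip.get(ip)
        if s is None:
            continue                          # chatter outside a greeted session
        m = ADDR_RE.search(arg)
        if verb == "MAIL" and m:
            s.sender = m.group(1).lower()
        elif verb == "RCPT" and m:
            s.recipients.append(m.group(1).lower())
        elif verb == "DATA" and m:
            s.message_id = m.group(0)         # keep the angle brackets, as in the header
        elif verb == "QUIT":
            done.append(open_by_ip.pop(ip))
    done.extend(open_by_ip.values())          # connections that dropped without QUIT
    return done


def source_of_message(text: str, message_id: str) -> Optional[str]:
    """Client IP that submitted the message with this Message-ID, if logged."""
    want = message_id.strip()
    if not want.startswith("<"):
        want = f"<{want}>"
    for s in sessions(text):
        if s.message_id == want:
            return s.client_ip
    return None


def sessions_involving(text: str, address: str) -> List[Session]:
    """Sessions whose envelope sender or recipient matches the address.

    This searches the envelope (MAIL FROM / RCPT TO), which is what the log
    records; a header From:/To: reported by an AV product may not match.
    """
    a = address.strip().lower()
    return [s for s in sessions(text) if s.sender == a or a in s.recipients]


if __name__ == "__main__":
    print(source_of_message(SAMPLE_LOG, "<00a1b2c3@ws-0117>"))
    for s in sessions_involving(SAMPLE_LOG, "victim@corp.example"):
        print(s.started, s.client_ip, s.sender, s.recipients, s.message_id)
```

In the constructed log the second session is the interesting one: an internal workstation (10.20.30.44) greeting with its own host name but claiming a sender in the local domain, which is the pattern of an infected client rather than an outside relay. Searching by Message-ID avoids the envelope-versus-body mismatch Steven mentions; searching by address only sees the envelope, so an AV alert quoting the body's To: line may need to be resolved to the envelope recipient first.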
