Tracking logs are different.  They're not really human readable and they
don't let you know the auth information.

If you have Logon Success auditing turned on, you should get events in
the security event logs, but they're not limited to SMTP or indicated as
SMTP, so they're tougher to diagnose than using the protocol logs as
previously described.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 11:48 AM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

Well I'm totally lost I think.  I found a tracking.log folder in root of
exchsrvr.  So for example in my IMS queues (which is relay secure) I have
an NDR of spam, for destination in-f01.net and in the tracking log I see..


c=us;a= ;p=arup;l=POSTOFFICE020312221600190859  1018    2003.12.23 14:50:24
/o=ARUP/ou=ARUP01/cn=Configuration/cn=Connections/cn=Internet Mail Connector (POSTOFFICE02)
/o=ARUP/ou=ARUP01/cn=Configuration/cn=Servers/cn=POSTOFFICE02/cn=Microsoft Private MDB
<[EMAIL PROTECTED]>
0       8612    0       0               1
[EMAIL PROTECTED]

Knowing that my system is relay secure I am leaning towards a compromised
password.  So I check the 2010 events but they don't correspond with the
times that the spam is getting dumped on the server.  I'm not sure how I
can get the auth username that was used to submit these messages in the
first place.

Lost
e-


-----Original Message-----
From: Webb, Andy [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 23, 2003 10:36 AM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

For the record, :), SMTP Protocol Logging doesn't write to the App Event
Log, rather it writes to file system files.

Knowing how to read SMTP conversations in the protocol log is a "good
thing".

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 11:32 AM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

For the record those are event 2010 

-----Original Message-----
From: Webb, Andy [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 23, 2003 9:12 AM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

IMS Diagnostics Logging / SMTP Protocol Logging / Medium

You'll need to look for the AUTH handshake.  The handshake is done using
base64 encoded strings.  You can use
http://www.securecode.net/Base64Convert+main.html to decode them.
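
The AUTH handshake lookup described in the message above, as an added example that is not part of the original thread: it walks an SMTP conversation, decodes the base64 user name from AUTH LOGIN and AUTH PLAIN exchanges, and leaves the password undecoded or discarded. The line layout and the sample lines are constructed for illustration and are not the Exchange 5.5 protocol log format; the function names are hypothetical.

```python
import base64

# Constructed sample, not Exchange output; layout: date time session C|S text
SAMPLE_LOG = """\
2003-12-23 14:50:02 0001 C AUTH LOGIN
2003-12-23 14:50:02 0001 S 334 VXNlcm5hbWU6
2003-12-23 14:50:02 0001 C anNtaXRo
2003-12-23 14:50:02 0001 S 334 UGFzc3dvcmQ6
2003-12-23 14:50:03 0001 C cGFzc3dvcmQ=
2003-12-23 14:50:03 0001 S 235 Authentication successful
2003-12-23 14:51:10 0002 C AUTH PLAIN AGJqb25lcwBwdw==
2003-12-23 14:51:10 0002 S 535 Authentication failed
"""

def b64_text(token):
    """Decode one base64 token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:                       # binascii.Error is a ValueError
        return None

def take_response(att, token):
    """Consume one client response; record the user name, never the secret."""
    if att["seen"] == 0 and att["mech"] == "LOGIN":
        att["user"] = b64_text(token)        # first LOGIN response = user name
    elif att["seen"] == 0 and att["mech"] == "PLAIN":
        fields = (b64_text(token) or "").split("\x00")  # authzid, user, secret
        att["user"] = fields[1] if len(fields) == 3 else None
    att["seen"] += 1                         # later responses stay undecoded

def auth_attempts(log_text):
    """Return (session, time, mechanism, user, succeeded) per AUTH attempt."""
    pending, done = {}, []
    for line in log_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        date, time, sid, side, text = parts
        att, words = pending.get(sid), text.split()
        if side == "C" and words[0].upper() == "AUTH" and len(words) > 1:
            att = pending[sid] = {"time": f"{date} {time}", "seen": 0,
                                  "mech": words[1].upper(), "user": None}
            if len(words) > 2:               # initial response on the AUTH line
                take_response(att, words[2])
        elif side == "C" and att:
            take_response(att, words[0])
        elif side == "S" and att and words[0] != "334":  # 334 = keep going
            done.append((sid, att["time"], att["mech"], att["user"], words[0] == "235"))
            del pending[sid]
    return done
```

Comparing the returned times and sessions with the arrival times of the spam points to the account whose password needs resetting.
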

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 9:18 AM
To: Exchange Discussions
Subject: SMTP Logging options?

Exch 5.5 sp4

In a scenario where an end user's password has been compromised and is
being used to drop spam crap on the internet mail service, what logging
options can be used to identify the account that is authenticating?  Also
is there a way to tie a message id to a specific authenticated user?

Much thanks & merry christmas
e-

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]


