They are copies delivered to that location because you asked for it by setting the Message Archival diagnostic logging setting. Set it back to None and they'll stop accruing. Delete the files at your leisure.
Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanjeev Sharma
Sent: Tuesday, December 23, 2003 4:49 PM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

Ex 5.5, SP4. The Diagnostics Logging for Message Archival is set to Medium on the front end Exchange server. When I look into the imcdata\In\Archive folder I see tons of email files with alphanumeric names. I see that every minute there are about 4 to 5 emails. Have these messages already been delivered? I tried to open some of them and noticed some are legitimate messages and some are spam. My question is why the good messages get delivered to this location. I also see the same in the imcdata\Out\Archive folder. Can I delete these messages without causing any harm to the application? Please help me to understand this. Thanks.

-----Original Message-----
From: Webb, Andy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 3:10 PM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

Yeah, I don't try to block everything, but I do occasionally block individual IPs that seem to be extra chatty. Doing it all is impossible. Some folks use one RBL or another on a gateway server, but that has its own drawbacks.

Yes, the logs I'm talking about are the ones in imcdata\log. IIS SMTP logs are similar, but not exactly the same. In particular, IIS SMTP doesn't log the AUTH handshake. :(

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 5:00 PM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

Yes, but for every single IP I block, 10 more show up. It has more of the feel of a "hole" or a compd password, especially when I come in in the AM and there are 24,000 NDRs in the queue.
Just to clarify, the logs you were talking about a few emails ago are in fact the logs from the imcdata/log folder, yes? Can IIS SMTP logs be expected to be in the same format?

-----Original Message-----
From: Webb, Andy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 3:09 PM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

The AUTH you posted below was just an advertisement from your server to the sending server saying that AUTH is supported. You didn't actually receive an AUTH from the sending server.

You can see the IP that the messages are coming from - you can block any connections from that IP to reduce the traffic.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 3:36 PM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

I didn't take it as a slam :) I'll read those RFCs.

So those AUTHs should be there because they are NDRs. Now I just need to find the entries for the real messages that are causing the NDRs and find out what user they are using. In the meantime I am going to cut my timeouts down to nothing so the queues stop piling up and my users can get legit email through.

I wish I had my entire work day to dedicate to just email; unfortunately some of us have to wear many hats.

e-

-----Original Message-----
From: Webb, Andy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 2:08 PM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

Answering myself here...

This is one of those big reasons why I believe that everyone should be familiar with the SMTP RFCs (2821 and 2822). You have to know what you're looking at to understand how to diagnose issues that come up. If you're not willing to learn how to read the dipstick, you better be willing to pay a mechanic to check the oil for you every so often.

This isn't meant to be a slam on Mr. Hansen, rather a handy example to all the readers of the value of some basic knowledge of how the things you are responsible for function.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Webb, Andy
Sent: Tuesday, December 23, 2003 3:05 PM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

No, just advertising that AUTH LOGIN is available isn't the bad thing. There was not an authentication done in that transaction. That message was accepted, as messages from "postmaster" ought to be.

What would be bad is if your server then tried to make an outbound connection to chaudhry.co.uk (assuming that's not one of your internal domains).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 2:47 PM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

Ok, I think I found a problem. The 250 auth in the middle:

12/23/2003 12:42:33 PM : A connection to 81.21.68.106 was established.
12/23/2003 12:42:59 PM : <<< 220 www.redmode.com ESMTP
12/23/2003 12:42:59 PM : >>> EHLO postoffice02.aruplab.com
12/23/2003 12:42:59 PM : <<< 250-www.redmode.com
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN <----- ***ISNT THIS BAD??***
250-PIPELINING
250 8BITMIME
12/23/2003 12:42:59 PM : >>> MAIL FROM:<>
12/23/2003 12:43:00 PM : <<< 250 ok
12/23/2003 12:43:00 PM : >>> RCPT TO:<[EMAIL PROTECTED]>
12/23/2003 12:43:00 PM : <<< 250 ok
12/23/2003 12:43:00 PM : >>> DATA
12/23/2003 12:43:00 PM : <<< 354 go ahead
12/23/2003 12:43:00 PM : <<< 250 ok 1072209192 qp 43075
12/23/2003 12:43:00 PM : >>> QUIT
12/23/2003 12:43:00 PM : <<< 221 www.redmode.com

No username, no password, no admin. Isn't that a bad thing?

E-

-----Original Message-----
From: Webb, Andy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 12:13 PM
To: Exchange Discussions
Subject: RE: SMTP Logging options?
Paying attention to differences between GMT time and local time, yes, the times should coincide. If you haven't had the logging enabled, there won't be anything to look at in the past; it will be in the future.

The way the conversation looks is this:

Sending MTA ----------------------------- Receiving MTA
<connect>             ------->
                      <--------  <banner>
EHLO <me>             ------->
                      <--------  250 OK <set of supported verbs>
AUTH LOGON            ------->
                      <--------  VXNlcm5hbWU=
YWRtaW5pc3RyYXRvcg==  ------->
                      <--------  UGFzc3dvcmQ=
Zm9v                  ------->
                      <--------  250 OK
MAIL FROM:<addr>      ------->
                      <--------  250 OK
RCPT TO:<addr>        ------->

The base64 bits decode as follows:

VXNlcm5hbWU=          Username
YWRtaW5pc3RyYXRvcg==  administrator
UGFzc3dvcmQ=          Password
Zm9v                  foo

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 12:41 PM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

Ouch. However, the time stamps should coincide, yes? And if it's one or a few users that have been compd, the garbage is at fairly regular intervals; I would think it would show up.

What about this base64 thing? I can't seem to find this encoded base64 auth string to plug into that website.

-----Original Message-----
From: Webb, Andy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 11:33 AM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

Tracking logs are different. They're not really human readable and they don't let you know the auth information.

If you have Logon Success auditing turned on, you should get events in the security event logs, but they're not limited to SMTP or indicated as SMTP, so they're tougher to diagnose than using the protocol logs as previously described.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 11:48 AM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

Well, I'm totally lost I think.

I found a tracking.log folder in the root of exchsrvr. So for example in my IMS queues (which is relay secure) I have an NDR of spam, for destination in-f01.net, and in the tracking log I see:

c=us;a= ;p=arup;l=POSTOFFICE020312221600190859 1018 2003.12.23 14:50:24 /o=ARUP/ou=ARUP01/cn=Configuration/cn=Connections/cn=Internet Mail Connector (POSTOFFICE02) /o=ARUP/ou=ARUP01/cn=Configuration/cn=Servers/cn=POSTOFFICE02/cn=Microsoft Private MDB <[EMAIL PROTECTED]> 0 8612 0 0 1 [EMAIL PROTECTED]

Knowing that my system is relay secure, I am leaning towards a compromised password. So I check the 2010 events but they don't correspond with the times that the spam is getting dumped on the server. I'm not sure how I can get the auth username that was used to submit these messages in the first place.

Lost,
e-

-----Original Message-----
From: Webb, Andy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 10:36 AM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

For the record, :), SMTP Protocol Logging doesn't write to the App Event Log; rather it writes to file system files. Knowing how to read SMTP conversations in the protocol log is a "good thing".

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 11:32 AM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

For the record, those are event 2010.

-----Original Message-----
From: Webb, Andy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 9:12 AM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

IMS Diagnostics Logging / SMTP Protocol Logging / Medium

You'll need to look for the AUTH handshake. The handshake is done using base64 encoded strings. You can use http://www.securecode.net/Base64Convert+main.html to decode them.
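The AUTH handshake Andy diagrams above, and his advice to look for it in the protocol log, as an added example that is not from this thread: a small Python parser over constructed log lines in the format e- quoted. It tells a far end merely advertising "250-AUTH LOGIN PLAIN" apart from a client really issuing "AUTH LOGIN", base64-decodes only the username token so the account can be tied to that session's MAIL FROM, and leaves the password token alone. The inbound "connection from" wording and the 334 challenge lines are assumptions, since the thread only shows an outbound session.

```python
import base64
import re

TS_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M : ")
CONN_RE = re.compile(r"A connection (?:to|from) (\d{1,3}(?:\.\d{1,3}){3}) was")

def b64(token):  # decode one base64 token; None if it is not base64 at all
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def parse_sessions(log_text):
    # one dict per connection: was AUTH merely advertised, or did a client really log in?
    sessions, cur, want = [], None, None   # want = (client direction, "user" | "pass")
    for raw in log_text.splitlines():
        line = TS_RE.sub("", raw.strip())
        m = CONN_RE.search(line)
        if m:
            cur = {"ip": m.group(1), "auth_advertised": False, "auth_user": None, "auth_result": None, "mail_from": None}
            sessions.append(cur)
            want = None
        elif cur is not None:
            direc, text = (line[:3], line[4:]) if line[:3] in ("<<<", ">>>") else (None, line)
            up = text.upper()
            if up.startswith(("250-AUTH", "250 AUTH")):
                cur["auth_advertised"] = True   # capability advert only: no credential was sent
            elif up.startswith("AUTH LOGIN"):   # the real handshake: 334 challenges follow
                want = (direc, "user")
            elif want and direc == want[0]:     # client's base64 answers, same direction as AUTH
                if want[1] == "user":
                    cur["auth_user"] = b64(text)
                want = (direc, "pass") if want[1] == "user" else None  # password token: not decoded
            elif text[:3] in ("235", "535"):    # 235 = credentials accepted, 535 = rejected
                cur["auth_result"] = text[:3]
            elif up.startswith("MAIL FROM:"):
                cur["mail_from"] = text[10:].strip()
    return sessions

# Constructed sample: an inbound session with a genuine AUTH LOGIN, then an outbound one
# where the far end only advertises AUTH (the situation e-'s quoted log showed).
SAMPLE_LOG = """12/23/2003 1:02:10 AM : A connection from 203.0.113.7 was accepted.
12/23/2003 1:02:11 AM : <<< AUTH LOGIN
12/23/2003 1:02:11 AM : >>> 334 VXNlcm5hbWU=
12/23/2003 1:02:11 AM : <<< YWRtaW5pc3RyYXRvcg==
12/23/2003 1:02:11 AM : >>> 334 UGFzc3dvcmQ=
12/23/2003 1:02:11 AM : <<< Zm9v
12/23/2003 1:02:11 AM : >>> 235 Authentication successful
12/23/2003 1:02:12 AM : <<< MAIL FROM:<administrator@example.com>
12/23/2003 12:42:33 PM : A connection to 81.21.68.106 was established.
12/23/2003 12:42:59 PM : <<< 250-www.redmode.com
250-AUTH LOGIN PLAIN
12/23/2003 12:42:59 PM : >>> MAIL FROM:<>"""
```

Running parse_sessions(SAMPLE_LOG) reports the first session as authenticated by "administrator" (result 235) and the second as "AUTH advertised, nobody logged in", which is the distinction Andy drew.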
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 9:18 AM
To: Exchange Discussions
Subject: SMTP Logging options?

Exch 5.5 SP4

In a scenario where an end user's password has been compromised and is being used to drop spam crap on the Internet Mail Service, what logging options can be used to identify the account that is authenticating? Also, is there a way to tie a message ID to a specific authenticated user?

Much thanks & Merry Christmas

e-

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]