Looking for suspicious mail
Some users are reporting getting mail sent from them to them. If I use the following command, can I modify the recipients to reflect the same end user? Something like this:

Get-MessageTrackingLog -Server mailexchange -ResultSize Unlimited -Start "1/25/2009 8:00AM" -End "1/25/2009 5:00PM" | where {$_.recipients -like "self"} | export-csv c:\exchangereports\report.csv

Or would it be easier to search based on the message subject?

Thanks,
D
March 5th, 2009 7:15pm
Hi D,

You need to use both the sender and recipient switches, or it is easy to search with the subject line.

Get-MessageTrackingLog -Server mailexchange -ResultSize Unlimited -Recipients "user@domain.com" -Sender "user@domain.com" -Start "1/25/2009 8:00AM" -End "1/25/2009 5:00PM"

The message header of this kind of spam email shows more information compared to message tracking.

Looks like the user is getting spam. Are you using any spam prevention mechanism in your environment? Check the article below...

HOW TO: Prevent annoying spam from your own domain
http://exchangepedia.com/blog/2008/09/how-to-prevent-annoying-spam-from-your.html

Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
March 5th, 2009 7:59pm
Amit,

We do have spam preventing mechanisms in place (Ironport). I guess my real question is how do I find out if more people received this type of spam? I know of two users, but the subject line differs with both emails. I do have the headers from one of the emails (the other was deleted).

Thanks,
D
March 5th, 2009 10:29pm
Hello,

Even so, check the link which I provided, to prevent the spam which has email addresses of your own domain.

Did you try something similar to the below, to find messages which have the recipient the same as the sender?

Get-MessageTrackingLog -Server mailexchange -ResultSize Unlimited -Start "1/25/2009 8:00AM" -End "1/25/2009 5:00PM" | where {$_.recipients -eq $_.sender}

Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
March 6th, 2009 6:21am
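The recipient-equals-sender search above works, but only by accident: Recipients is an array, and `-eq` against an array returns the matching elements rather than a boolean. The script below is an added example (not code from this thread or from Amit's article) that does the same search with `-contains`, counts each message once at its RECEIVE event, and summarises per affected mailbox which source hosts submitted the "mail from me to me" messages and with which subjects, which is the question D raised about how many users are affected. It assumes the Exchange 2007 Management Shell; the server name "mailexchange", the date range and the C:\exchangereports folder are placeholders taken from the thread.

```powershell
# Added example, not from the thread. Assumes the Exchange 2007 Management Shell.
# "mailexchange", the dates and the report path are placeholders from the thread.
$server = "mailexchange"
$start  = "1/25/2009 8:00AM"
$end    = "1/25/2009 5:00PM"
$report = "C:\exchangereports\self-sent.csv"

# RECEIVE is logged once when the transport service accepts a message, so filtering
# on it counts each message once instead of once per routing/delivery hop.
$events = Get-MessageTrackingLog -Server $server -ResultSize Unlimited `
    -Start $start -End $end -EventId RECEIVE

# Recipients is a string array, so test membership with -contains rather than -eq,
# and compare in lower case because address casing is not guaranteed to match.
$selfSent = $events | Where-Object {
    $msg = $_
    $msg.Sender -and
        (@($msg.Recipients | ForEach-Object { $_.ToLower() }) -contains $msg.Sender.ToLower())
}

# One row per affected mailbox. ClientIp is the host that connected to this server
# (an upstream gateway such as the Ironport, if one sits in front of Exchange).
$summary = $selfSent | Group-Object Sender | Select-Object `
    @{Name="Mailbox";   Expression={ $_.Name }},
    @{Name="Messages";  Expression={ $_.Count }},
    @{Name="SourceIps"; Expression={
        [string]::Join(";", @($_.Group | ForEach-Object { $_.ClientIp } | Sort-Object -Unique)) }},
    @{Name="Subjects";  Expression={
        [string]::Join(" | ", @($_.Group | ForEach-Object { $_.MessageSubject } | Sort-Object -Unique)) }}

$summary | Sort-Object Messages -Descending | Format-Table -AutoSize

# Full detail for the incident record. MessageId lets a row be matched against the
# header a user forwarded, which is where the real originating host is visible.
$selfSent | Select-Object Timestamp, Sender,
    @{Name="Recipients"; Expression={ [string]::Join(";", @($_.Recipients)) }},
    ClientIp, ClientHostname, ConnectorId, MessageSubject, MessageId |
    Export-Csv $report -NoTypeInformation
```

Run it from the Exchange Management Shell after adjusting the dates; the summary table answers "how many users and how many messages", and the CSV keeps the per-message evidence. Because the server only sees the IP of whichever host handed it the message, the Received headers from the one retained email remain the better source for where the spam actually originated.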
Thanks for the code.

The default receive connector has the "ms-exch-smtp-accept-authoritative-domain-sender" permission assigned. Is that normal? After reading the article it seems to be common on Exchange 2007?
March 6th, 2009 9:56pm
Hello,

Yep, if you have configured the default receive connector to receive email from the internet, then it gives the below permissions to Anonymous users.

Ms-Exch-SMTP-Submit
Ms-Exch-SMTP-Accept-Any-Sender
Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
Ms-Exch-Accept-Headers-Routing

Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
March 6th, 2009 10:22pm
So running the following command should stop that:

Get-ReceiveConnector "Default" | Get-ADPermission -User "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission

I'll run the command after hours and then run another

Get-MessageTrackingLog -Server mailexchange -ResultSize Unlimited -Start "1/25/2009 8:00AM" -End "1/25/2009 5:00PM" | where {$_.recipients -eq $_.sender}

and see if it makes a difference in spam traffic.

Thanks again.
March 7th, 2009 12:36am
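D's removal command above changes Active Directory permissions on a live internet-facing connector in one pipeline. The script below is an added example (not code from this thread) that first audits every receive connector for the Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender right held by Anonymous Logon, does a dry run with -WhatIf, and then verifies the change. The connector name "Default" is a placeholder from the thread, and it assumes the Exchange 2007 Management Shell.

```powershell
# Added example, not from the thread. Assumes the Exchange 2007 Management Shell;
# "Default" is the connector name used in the thread and is a placeholder here.
$right = "ms-exch-smtp-accept-authoritative-domain-sender"
$anon  = "NT AUTHORITY\ANONYMOUS LOGON"
$name  = "Default"

# 1. Audit: list every receive connector and whether Anonymous holds the right that
#    lets an unauthenticated host submit mail with a sender in your own accepted domains.
$audit = Get-ReceiveConnector | ForEach-Object {
    $conn = $_
    $hit = $conn | Get-ADPermission -User $anon |
        Where-Object { $_.ExtendedRights -like $right }
    $conn | Select-Object Identity, PermissionGroups,
        @{Name="AnonymousAuthoritativeSender"; Expression={ [bool]$hit }}
}
$audit | Format-Table -AutoSize

# 2. Dry run: -WhatIf reports which ACE would be removed without touching AD.
Get-ReceiveConnector $name | Get-ADPermission -User $anon |
    Where-Object { $_.ExtendedRights -like $right } |
    Remove-ADPermission -WhatIf

# 3. Apply (uncomment once the dry run shows only the connector you intend).
#    -Confirm:$false suppresses the per-entry prompt for an after-hours run.
# Get-ReceiveConnector $name | Get-ADPermission -User $anon |
#     Where-Object { $_.ExtendedRights -like $right } |
#     Remove-ADPermission -Confirm:$false

# 4. Verify: after the change this pipeline should return nothing for that connector.
Get-ReceiveConnector $name | Get-ADPermission -User $anon |
    Where-Object { $_.ExtendedRights -like $right }
```

One caveat before applying it: Anonymous Logon on the internet-facing connector covers every unauthenticated host that connects to it, including an upstream gateway such as the Ironport. Once the right is gone, Exchange will reject any message that gateway relays with a sender in one of your accepted domains, legitimate or not, so check the audit output for external systems that send as your domain (web applications, hosted services) and give them an authenticated or dedicated connector first. The thread's recipient-equals-sender tracking-log search is then the natural before/after check.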
Yes, wait for a day to observe the situation, and don't forget to change the date and time in the message tracking log cmdlet.

Amit Tank | MVP - Exchange | MCITP:EMA MCSA:M | http://ExchangeShare.WordPress.com
March 7th, 2009 12:39pm