[HubTransport] How to find out user name from SenderID in Message trace log

We have an Edge Transport Server exposed to the internet, and open relay has been disabled.

However, we recently found that some spam emails were sent out from our email server.

We do not have any anonymous SMTP connectors in the organization.

So, we suspect there may be a user password leak, or some computers may have been compromised.

As the email must have been sent by an authenticated Exchange user, we are trying to find out the user name behind the spam email.

We looked into the Message Trace Log, found the spam email message, and found a field named "Sender" with the content "MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@domain".

So the remaining question is: how do we find out the user name from the above Sender?




July 3rd, 2013 4:49am

Would anybody know how to tackle this problem?
July 3rd, 2013 7:40pm

Hi

First check if it is an internal address or external address.

If it is an internal address, you can use the command below to find detailed information:

Get-Recipient -resultSize unlimited | select name -expand emailAddresses | where {$_.smtpAddress -match "MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e"} | Format-Table name, smtpaddress

Cheers


July 4th, 2013 2:28am

Hi, Zi,

Are you sure the Sender field matches the SmtpAddress in the recipient?

It seems all SMTP addresses in recipients are in a readable format, like "junzhou@microsoft.com",

while the Sender field looks like an ID.

I cannot find any result using the Get-Recipient cmdlet.

Sender Field

July 4th, 2013 8:37pm

This topic is archived. No further replies will be accepted.
