Tracking Outbound messages

Posted on 2006-05-19
Last Modified: 2010-03-06

One of the users on our exchange server 2003 system is having a situation where it looks as though some program is sending out emails to other email addresses. The reason we know this is because a couple of times a day they are getting bounced email from one specific email address. We have run virus scans on both the users computer and on the exchange serverAs of right now both computers now appear to be free of viruses. However this user is still getting the bounced email's.

I have looked at the Exchange system manager and used the message tracking center to look for emails that this user sent, but going through and looking at the message properties of each message seems like a very slow and clunky way to look for these messages. When I did a short search for a couple of days I did not see anything that was being sent from our system to the email address that is in question.

Is there any easy way of monitoring all of the outbound email that our exchange server is sending out?

Thanks in advance  
Question by:apilkington
    LVL 12

    Accepted Solution

    the message tracking center is pretty much the only built-in way (that i know of) to monitor outbound messages. but it does allow you to filter for quite a lot of things, like sender, recipient, time sent etc.. have you tried just searching for all messages around the time of the NDRs sent to that address? NDRs are sent almost immediately by most servers, so if the email really did come from your network, you'd see it within a few minutes of that time frame. if you find nothing, you're probably ok. remember that many worms spoof their sender addresses so it could be that someone who has your user on his contact list has a worm that is spoofing your users address when it sends out emails.
    LVL 12

    Expert Comment

    and in that case, the NDR would be delivered to your user by the recipient's server, not to the actual sender.

    Author Comment

    To craskin, this makes sense to me and when I once again get some time to make this issue the priority I will try to look at this information.

    To Venabili, just because this is a very low priority issue within our office does not mean that this question has been abandoned. It is more a case where for the last three weeks, other tasks have had higher priority then this particular issue within our office. If this question is closed then when I get back to the point of this task becoming a priority for me to work on I will be reasking this question. By no way has this issue been resolved. do what ever needs to be done but this issue is not as far as I am concerned an abandoned issue as far as I am concerned.
    LVL 20

    Expert Comment

    If there are no comments in teh last 21 days, it is abandoned.

    And not answering to the experts for 3 weeks is rude. They volunteered their time to help you...

    Author Comment


    I would like to apologize for not answering to the experts who had attempted to answer the question that I had asked. I posted the question on a friday afternoon when things seemed like they were slow. On Monday morning when I showed up at work and received the email showing I had a response to my question I also had other fires that had come up over the weekend that I needed to deal with. I think that even if I had tried to post a response to that message the response would have said something like "Thanks for the information, I will use this information when this issue becomes a priority again" and the question would still have sat waiting for me to get a chance to look into what was going on.

    I have to really apologize for even asking the question when I did, because for the last four weeks researching this issue has been a priority of mine. If I had known how things were going to work out I would not have asked the question when I did.

    Having said that, today this issue has finally made it back to being a priority of mine. I have been able to find out what is happening with these email's that are showing up. The email that NDR message is in response to are not coming from within our domain, but rather are being sent by from an email address that is related to an old website of one of our clients. The website that the messages are being sent from currently consists of an HTML page that redireects anyone browsing to this website to the website that we developed for this client.

    The user within our office who is getting these emails was the user that we had setup to forward the emails for the old site to. What it appears that we need to do is gain access to the old site and change some settings. This is going to be a task for someone else within our company.


    Featured Post

    Don't lose your head updating email signatures!

    Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users should you!

    Join & Write a Comment

    Suggested Solutions

    Granting full access permission allows users to access mailboxes present in their database. By giving full access permission one can open and read the content of any mailbox but cannot send emails from that mailbox.
    Create high volume marketing opportunities using email signatures with these top 10 DOs and DON'Ts of email signature marketing.
    In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
    In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…

    754 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    19 Experts available now in Live!

    Get 1:1 Help Now