Avatar of rcil_admin

asked on 

Identifying Exchange Client IP

Our domain has been blacklisted and after some digging it looks like one of our user's address book may have been exploited. I turned on verbose logging on the send connector and all of the outbound messages are from one user. I disabled that user's network adapter on their workstation but the problem still persists. I was disappointed when I realized that the client machine's IP address is not in the SMTP log, only the local and remote mail servers.

So my question is, what is the easiest way to determine which client machine is sending mail that coincides with the SMTP log?
ExchangeEmail ServersEmail Protocols

Avatar of undefined
Last Comment
Avatar of Tony Giangreco
Tony Giangreco
Flag of United States of America image

You might try tracking the email activity through Exchange System Manager. Use the user's email  address in the sender's field and see if the IP is included.

Also, if you know someone who received an email from that client, have them check the internet headers. It might be there.

I've had this happen before on a large client and I installed inboive and outbound spam filtering which detects this activity and blocks the spam from being delivered.

You can also activate a rure in your firewall that only accepts outgping email from Exchange. Most viruses don't send email out through the exchange system.

Hope this suggestions help.
Avatar of ChiefTechGuru

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of rcil_admin


I probably should have included this information. I am using ISA 2006 and have a rule that only allows SMTP to the internet from the mail server. When I look at monitoring on the ISA server, I see connections from the Exchange server's private address to internet addresses. When I look at SMTP logging on the exchange server, I can see the user that is originating the messages.

I agree, I have only seen these go out, outside of exchange. This is what prompted me to create the rule a while back. I'm not that great with packet sniffers but I will give that a shot.
Avatar of ChiefTechGuru

Confirm that ISA is actually blocking port 25 (SMTP) by attempting to telnet to external mail server over port 25.  Have you changed password on user account in question?  This SHOULD stop the SPAM.  Also, at the server, run command NET SESSION, or go to Computer Management, Shared Folders, Sessions.  This will display active connections, with user/computer/IP info.  
Avatar of rcil_admin


As it turns out, an infected PC was indeed sending SMTP to the internet. Not sure why but I had to move my access rule in ISA up in priority to correct it. Weird though, nothing has changed on the ISA server. I initially looked at the rule and saw that it was not disabled so I moved on. I should have used telnet from a client to test SMTP, I would have saved myself a lot of time by not trusting my eyes, first rule right?

Thanks for you help!

Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo