Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 933
  • Last Modified:

How to log MAPI connections to Exchange 2003 ?

Hello,

Environment summary: SBS 2003 (2 NICs configuration) SP2, Windows XP SP3, Outlook 2007 SP2

One of our client computers seems to be infected with some malware, causing the computer to send spam.
We use our ISP mail relay and we have been prevented to send emails after some spams were sent from our IP address.
We've run an extra antivirus scan on our computers (we use Trend Micro).

From time to time, I do see a batch of spam ending in our Exchange queues.

I've turned on some diagnostic/logging options in Exchange 2003, but it does not seem to log the information that I am looking for: who is connecting to Exchange to submit the spam. I would like to be able to correlate the spams I see in the queues with the name or IP address of the computer that actually sent the spams.

Thanks
0
xmi
Asked:
xmi
  • 2
1 Solution
 
aoakeleyCommented:
You have asked to turn on MAPI logging, but you will probably fnd that SMTP logging will be more useful.

To turn on SMTP logging; You can find this in the properties of the SMTP Virtual Server. This will create a log file to c:\windows\system32\logfiles\SMTPXXX\ in here is where you will find the info you want.

Whil in the properties of the SMTP virtual server check who can relay through your server. I suggest
- removing "authenticated users" from the "allow users to relay" list
- untick "Allow computers that successfully authenticate to relay"
You can find these options on this page http://www.eclarsys.com/images/exchange_relay.gif

Users using outlook do not need this to be ticked for them to send email, and if you have weak passwords someone could have guessed a password and is using this to relay.
0
 
xmiAuthor Commented:
I should have mentionned that the server was not acting as open relay.

In the mean time, I found the cause of our problem: an automatic forward rule to a gmail account. Some spams, not detected by IMF or Trend Micro were automatically forwarded to the gmail account and detected by our service provider.

As far as MAPI is concerned, I will test the ExMon tool to monitor it.

0
 
xmiAuthor Commented:
Found the answer by myself
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now