Solved

How to log MAPI connections to Exchange 2003 ?

Posted on 2011-09-23
3
900 Views
Last Modified: 2012-08-14
Hello,

Environment summary: SBS 2003 (2 NICs configuration) SP2, Windows XP SP3, Outlook 2007 SP2

One of our client computers seems to be infected with some malware, causing the computer to send spam.
We use our ISP mail relay and we have been prevented to send emails after some spams were sent from our IP address.
We've run an extra antivirus scan on our computers (we use Trend Micro).

From time to time, I do see a batch of spam ending in our Exchange queues.

I've turned on some diagnostic/logging options in Exchange 2003, but it does not seem to log the information that I am looking for: who is connecting to Exchange to submit the spam. I would like to be able to correlate the spams I see in the queues with the name or IP address of the computer that actually sent the spams.

Thanks
0
Comment
Question by:xmi
  • 2
3 Comments
 
LVL 17

Expert Comment

by:aoakeley
ID: 36585670
You have asked to turn on MAPI logging, but you will probably fnd that SMTP logging will be more useful.

To turn on SMTP logging; You can find this in the properties of the SMTP Virtual Server. This will create a log file to c:\windows\system32\logfiles\SMTPXXX\ in here is where you will find the info you want.

Whil in the properties of the SMTP virtual server check who can relay through your server. I suggest
- removing "authenticated users" from the "allow users to relay" list
- untick "Allow computers that successfully authenticate to relay"
You can find these options on this page http://www.eclarsys.com/images/exchange_relay.gif

Users using outlook do not need this to be ticked for them to send email, and if you have weak passwords someone could have guessed a password and is using this to relay.
0
 

Accepted Solution

by:
xmi earned 0 total points
ID: 36585892
I should have mentionned that the server was not acting as open relay.

In the mean time, I found the cause of our problem: an automatic forward rule to a gmail account. Some spams, not detected by IMF or Trend Micro were automatically forwarded to the gmail account and detected by our service provider.

As far as MAPI is concerned, I will test the ExMon tool to monitor it.

0
 

Author Closing Comment

by:xmi
ID: 36715171
Found the answer by myself
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now