• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 939
  • Last Modified:

How to log MAPI connections to Exchange 2003 ?

Hello,

Environment summary: SBS 2003 (2 NICs configuration) SP2, Windows XP SP3, Outlook 2007 SP2

One of our client computers seems to be infected with some malware, causing the computer to send spam.
We use our ISP mail relay and we have been prevented to send emails after some spams were sent from our IP address.
We've run an extra antivirus scan on our computers (we use Trend Micro).

From time to time, I do see a batch of spam ending in our Exchange queues.

I've turned on some diagnostic/logging options in Exchange 2003, but it does not seem to log the information that I am looking for: who is connecting to Exchange to submit the spam. I would like to be able to correlate the spams I see in the queues with the name or IP address of the computer that actually sent the spams.

Thanks
0
xmi
Asked:
xmi
  • 2
1 Solution
 
Andrew OakeleyConsultantCommented:
You have asked to turn on MAPI logging, but you will probably fnd that SMTP logging will be more useful.

To turn on SMTP logging; You can find this in the properties of the SMTP Virtual Server. This will create a log file to c:\windows\system32\logfiles\SMTPXXX\ in here is where you will find the info you want.

Whil in the properties of the SMTP virtual server check who can relay through your server. I suggest
- removing "authenticated users" from the "allow users to relay" list
- untick "Allow computers that successfully authenticate to relay"
You can find these options on this page http://www.eclarsys.com/images/exchange_relay.gif

Users using outlook do not need this to be ticked for them to send email, and if you have weak passwords someone could have guessed a password and is using this to relay.
0
 
xmiAuthor Commented:
I should have mentionned that the server was not acting as open relay.

In the mean time, I found the cause of our problem: an automatic forward rule to a gmail account. Some spams, not detected by IMF or Trend Micro were automatically forwarded to the gmail account and detected by our service provider.

As far as MAPI is concerned, I will test the ExMon tool to monitor it.

0
 
xmiAuthor Commented:
Found the answer by myself
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now