Solved

How to log MAPI connections to Exchange 2003?

Posted on 2011-09-23
Last Modified: 2012-08-14
Hello,

Environment summary: SBS 2003 (2 NICs configuration) SP2, Windows XP SP3, Outlook 2007 SP2

One of our client computers seems to be infected with some malware, causing the computer to send spam.
We use our ISP mail relay and we have been prevented from sending emails after some spams were sent from our IP address.
We've run an extra antivirus scan on our computers (we use Trend Micro).

From time to time, I do see a batch of spam ending up in our Exchange queues.

I've turned on some diagnostic/logging options in Exchange 2003, but it does not seem to log the information that I am looking for: who is connecting to Exchange to submit the spam. I would like to be able to correlate the spams I see in the queues with the name or IP address of the computer that actually sent the spams.

Thanks
Question by:xmi
3 Comments
 
LVL 17

Expert Comment

by:aoakeley
ID: 36585670
You have asked to turn on MAPI logging, but you will probably find that SMTP logging will be more useful.

To turn on SMTP logging: you can find this in the properties of the SMTP Virtual Server. This will create a log file in c:\windows\system32\logfiles\SMTPXXX\, which is where you will find the info you want.

While in the properties of the SMTP virtual server, check who can relay through your server. I suggest
- removing "authenticated users" from the "allow users to relay" list
- untick "Allow computers that successfully authenticate to relay"
You can find these options on this page http://www.eclarsys.com/images/exchange_relay.gif

Users using Outlook do not need this to be ticked for them to send email, and if you have weak passwords someone could have guessed a password and is using this to relay.
0
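An added example, not part of the original answer: one way to read the W3C-format SMTP log described above and rank client IP addresses by the number of RCPT commands they issued, so that a batch of queued spam can be matched to a submitting machine. The log lines, host names and addresses are constructed, the function names are hypothetical, and the sample assumes `cs-username` carries the client's HELO name; the log covers SMTP sessions only, so MAPI submissions will not appear in it.

```python
from collections import Counter, defaultdict

# Constructed sample; a real log declares its own columns in "#Fields:".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2011-09-23 10:15:01 192.168.16.25 PC-RECEPTION HELO +PC-RECEPTION 250
2011-09-23 10:15:01 192.168.16.25 PC-RECEPTION MAIL +FROM:<a@example.com> 250
2011-09-23 10:15:02 192.168.16.25 PC-RECEPTION RCPT +TO:<r1@example.net> 250
2011-09-23 10:15:02 192.168.16.25 PC-RECEPTION RCPT +TO:<r2@example.net> 250
2011-09-23 10:15:02 192.168.16.25 PC-RECEPTION RCPT +TO:<r3@example.net> 250
2011-09-23 10:15:03 192.168.16.25 PC-RECEPTION RCPT +TO:<r4@example.net> 550
2011-09-23 10:20:10 192.168.16.30 PC-ACCOUNTS MAIL +FROM:<b@example.com> 250
2011-09-23 10:20:11 192.168.16.30 PC-ACCOUNTS RCPT +TO:<c@example.org> 250
2011-09-23 10:20:12 192.168.16.30 truncated-row
"""

def summarize_smtp_log(text):
    """Return {client IP: {"verbs": Counter, "names": set of HELO names}}."""
    fields = []
    clients = defaultdict(lambda: {"verbs": Counter(), "names": set()})
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                       # skip truncated or malformed rows
        row = dict(zip(fields, values))
        entry = clients[row.get("c-ip", "-")]
        entry["verbs"][row.get("cs-method", "-").upper()] += 1
        entry["names"].add(row.get("cs-username", "-"))  # assumed: HELO name
    return clients

def busiest_clients(text, min_rcpt=3):
    """Clients with at least min_rcpt RCPT commands, busiest first."""
    hits = [(ip, e["verbs"]["RCPT"], sorted(e["names"]))
            for ip, e in summarize_smtp_log(text).items()
            if e["verbs"]["RCPT"] >= min_rcpt]
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    for ip, rcpts, names in busiest_clients(SAMPLE_LOG):
        print(f"{ip} {','.join(names)} RCPT={rcpts}")
```

The `c-ip`, `cs-method` and `cs-username` columns must be ticked in the log's extended properties for the ranking to work; rows are otherwise skipped or counted under "-".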
 

Accepted Solution

by:
xmi earned 0 total points
ID: 36585892
I should have mentioned that the server was not acting as an open relay.

In the meantime, I found the cause of our problem: an automatic forward rule to a Gmail account. Some spams, not detected by IMF or Trend Micro, were automatically forwarded to the Gmail account and detected by our service provider.

As far as MAPI is concerned, I will test the ExMon tool to monitor it.

0
 

Author Closing Comment

by:xmi
ID: 36715171
Found the answer by myself
0
