  • Status: Solved
  • Priority: Medium
  • Security: Public

Exchange 2013 - Check who or what computer sent an email

Trying to figure out what user or what computer is sending out spam through our Exchange 2013 server. 99% sure it is internal.

Did this: Get-MessageTrackingLog -ResultSize Unlimited  | Out-GridView

And it doesn't give me much to go on. Is there a better way to do this?
 
achaldave Commented:
Do you have the subject or any more details? You can narrow down the results of Get-MessageTrackingLog by specifying those details.

Also, do you have any SMTP relay connector or relay server? Check the headers on one of the spam messages; it should show the originating server IP/name. It might be one of your web servers allowed to relay messages.
 
mvalpreda (Author) Commented:
I have a bunch of bounce messages. That is all. This used to be a lot easier in 2010!
 
mvalpreda (Author) Commented:
It's not spam, it's something from Client Submission Probe. It's flooding my queues.

1) Sender Healthmailbox@domain.local
This is a Probe Mapi message that's Submitted from Store to Mailbox transport Submission service to Hub transport service

2) Sender Healthmailbox@domain.local
Subject : Client Submission Probe

3) Sender : Inbound Proxy Probe
No subject/content
 
Simon Butler (Sembee), Consultant, Commented:
That is Exchange sending those messages.
You wouldn't normally see them in the queues, so something is wrong.
Have you attempted to clean up the databases or mailboxes recently?

If you run this command then you should see these special mailboxes:
Get-Mailbox -Monitoring

Simon.
 
mvalpreda (Author) Commented:
I realized that is Exchange....now. :)

I see three of those "health" mailboxes in there. I have not done anything on this machine. In fact I have not even done updates on it in 2 months!
 
Simon Butler (Sembee), Consultant, Commented:
CU3 was released last week, I would suggest that you start by updating the server.
There was also a security update for Exchange 2013 released last night.

Simon.
 
achaldave Commented:
Check for original-client-ip on message tracking logs.

Since it is an internal mailbox and the name suggests it is a shared mailbox, it narrows down to the list of people who have access to the mailbox or have send-as permission on the mailbox.
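
Added example, not part of the original thread or any poster's code: one way to turn the tracking-log advice above (narrow the results, check original-client-ip) into a per-sender, per-host summary instead of a raw Out-GridView dump. The function name Get-SubmitterSummary, the 24-hour window, and the sample records (hosts, addresses, IPs) are constructed for illustration; the property names are those of Get-MessageTrackingLog output.

```powershell
# Added example. Requires PowerShell 3.0+; use the Exchange Management Shell for live data.
function Get-SubmitterSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [int] $Top = 10
    )
    begin { $rows = New-Object System.Collections.ArrayList }
    process {
        # RECEIVE marks the point where a message enters transport.
        # Source SMTP        = arrived over a receive connector (relay, web server, client).
        # Source STOREDRIVER = submitted from a mailbox.
        if ($Record.EventId -eq 'RECEIVE') { [void]$rows.Add($Record) }
    }
    end {
        # One row per (sender, source, originating IP, submitting host), busiest first.
        $rows |
            Group-Object Sender, Source, OriginalClientIp, ClientHostname |
            Sort-Object Count -Descending |
            Select-Object -First $Top -Property Count,
                @{ n = 'Sender';           e = { $_.Group[0].Sender } },
                @{ n = 'Source';           e = { $_.Group[0].Source } },
                @{ n = 'OriginalClientIp'; e = { $_.Group[0].OriginalClientIp } },
                @{ n = 'ClientHostname';   e = { $_.Group[0].ClientHostname } },
                # Exchange's own monitoring probes, not user or relay traffic.
                @{ n = 'IsHealthProbe';    e = { $_.Group[0].Sender -like 'HealthMailbox*' } }
    }
}

# Constructed sample records (not real log data) so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ EventId='RECEIVE'; Source='STOREDRIVER'; Sender='Healthmailbox@domain.local'; OriginalClientIp='';          ClientHostname='EX01'  }
    [pscustomobject]@{ EventId='RECEIVE'; Source='STOREDRIVER'; Sender='Healthmailbox@domain.local'; OriginalClientIp='';          ClientHostname='EX01'  }
    [pscustomobject]@{ EventId='RECEIVE'; Source='SMTP';        Sender='webforms@domain.local';      OriginalClientIp='10.0.0.25'; ClientHostname='WEB01' }
    [pscustomobject]@{ EventId='SEND';    Source='SMTP';        Sender='webforms@domain.local';      OriginalClientIp='10.0.0.25'; ClientHostname='EX01'  }
    [pscustomobject]@{ EventId='RECEIVE'; Source='STOREDRIVER'; Sender='user1@domain.local';         OriginalClientIp='10.0.0.87'; ClientHostname='EX01'  }
)
$sample | Get-SubmitterSummary | Format-Table -AutoSize

# Against the live server (window size is an assumption; adjust as needed):
# Get-MessageTrackingLog -ResultSize Unlimited -Start (Get-Date).AddHours(-24) -EventId RECEIVE |
#     Get-SubmitterSummary -Top 20 | Format-Table -AutoSize
```

Rows flagged IsHealthProbe are the Exchange monitoring mailboxes discussed in this thread; the remaining rows with the highest counts show which sender and which originating IP or host to look at first.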
 
mvalpreda (Author) Commented:
Doing updates now.
 
mvalpreda (Author) Commented:
Nothing in the queues since updates/reboot. I'll keep an eye on it.
 
dsnegi_25dec Commented:
This is by design; it does the monitoring for databases. For every database they have two system mailboxes: one for the database and another for the public folder database.
 
mvalpreda (Author) Commented:
I hate when a reboot fixes things......