Solved

Exchange 2013 - Check who or what computer sent an email

Posted on 2013-12-11
11
1,131 Views
Last Modified: 2014-01-07
Trying to figure out what user or what computer is sending out spam through our Exchange 2013 server. 99% sure it is internal.

Did this: Get-MessageTrackingLog -ResultSize Unlimited  | Out-GridView

And it doesn't give me much to go on. Is there a better way to do this?
0
Comment
Question by:mvalpreda
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 2
  • 2
  • +1
11 Comments
 
LVL 15

Expert Comment

by:achaldave
ID: 39711741
Do you have subject or any more details, you can narrow down results of get-messagetrackinglog output by specifying those details.

Also. do you have any smtp relay connector or relay server, check the headers on one of the spams, it should show the originating server ip/name, it might be one of your web server allowed to relay messages.
0
 
LVL 2

Author Comment

by:mvalpreda
ID: 39711752
I have a bunch of bounce messages. That is all. This used to be a lot easier in 2010!
0
 
LVL 2

Author Comment

by:mvalpreda
ID: 39711791
It's not spam, it's something from Client Submission Probe. It's flooding my queues.

1) Sender Healthmailbox@domain.local
This is a Probe Mapi message that's Submitted from Store to Mailbox transport Submission service to Hub transport service

2) Sender Healthmailbox@domain.local
Subject : Client Submission Probe

3) Sender : Inbound Proxy Probe
No subject/content
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39711828
That is Exchange sending those messages.
You wouldn't normally see them in the queues, so something is wrong.
Have you attempted to clean up the databases or mailboxes recently?

If you run this command then you should see these special mailboxes:
Get-Mailbox -Monitoring

Simon.
0
 
LVL 2

Author Comment

by:mvalpreda
ID: 39711851
I realized that is Exchange....now. :)

I see three of those "health" mailboxes in there. I have not done anything on this machine. In fact I have not even done updates on it in 2 months!
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39711891
CU3 was released last week, I would suggest that you start by updating the server.
There was also a security update for Exchange 2013 released last night.

Simon.
0
 
LVL 15

Expert Comment

by:achaldave
ID: 39711900
Check for original-client-ip on message tracking logs.

Since it is internal mailbox and name suggests it is shared mailbox, it narrows down to list of people who has access to the mailbox or has send-as permission on the mailbox.
0
 
LVL 2

Author Comment

by:mvalpreda
ID: 39711918
Doing updates now.
0
 
LVL 2

Author Comment

by:mvalpreda
ID: 39711967
Nothing in the queues since updates/reboot. I'll keep an eye on it.
0
 
LVL 7

Expert Comment

by:dsnegi_25dec
ID: 39715873
this is by design it do the monitoring for databases for every database they hve two system mailboxes 1 for database & another for public folder database
0
 
LVL 2

Author Closing Comment

by:mvalpreda
ID: 39763584
I hate when a reboot fixes things......
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Export list of Exchange Online user's Photo 4 45
Exchange server Error 3 39
Exchange server take over 4 53
Exchange 2013 Message Tracking 3 34
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question