Asked by tamray_tech

Need help tracking local sender IPs on Exchange 2010

We have upwards of 500+ NDR notices daily coming back to our Exchange 2010, destined for a single email address. This occurs even if the user's PC is wiped and not in use. We are trying to find a way within Exchange to identify the private IP of the possibly compromised culprit.
Jeremy Weisinger

tamray_tech


Any way to expand the results? It gives me the 3 highest senders, which are the Exchange server, relay server and content filter.
How many Exchange servers do you have? You should run it against each one that has the hub transport.

If all you get is the 3 IPs then no clients are submitting to the Exchange server you queried.
Just the one, but have discovered that the school content filter IP comes into play here as the source for all SMTP traffic, so attempting to discover what workstations send the most SMTP traffic.

Thank you for your assistance.
Sorry I couldn't be more help.