Need help tracking local sender IPs on Exchange 2010

tamray_tech
We have upwards of 500+ NDR notices, daily, coming back to our Exchange 2010, destined for a single email address. This occurs even if the user's PC is wiped and not in use. We are trying to find a way, within Exchange, that we can identify the private IP of the possibly compromised culprit.
Senior Network Consultant / Engineer
Commented:
You could use powershell to do a quick parse of the tracking logs.

Get-MessageTrackingLog -ResultSize Unlimited | Group-Object -Property ClientIp | Sort-Object Count -Descending

You can see what ip is sending the most.

(disclaimer: I have not tested this and am typing from memory. Please check the Exchange command syntax)

Author

Commented:
Any way to expand the results? It gives me the 3 highest senders, which are the Exchange server, relay server and content filter.
Jeremy Weisinger, Senior Network Consultant / Engineer

Commented:
How many Exchange servers do you have? You should run it against each one that has the hub transport.

If all you get is the 3 IPs, then no clients are submitting to the Exchange server you queried.

Author

Commented:
Just the one, but I have discovered that the school content filter IP comes into play here as the source for all SMTP traffic, so I am attempting to discover what workstations send the most SMTP traffic.

Thank you for your assistance.
Jeremy Weisinger, Senior Network Consultant / Engineer

Commented:
Sorry I couldn't be more help.
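A fuller version of the tracking-log approach from the first answer, written as an added example rather than code posted in this thread. It narrows the query to RECEIVE events for the address the NDRs point at, ranks the submitting client IPs, and flags the situation the author ran into, where every submission arrives via the content filter so the workstation IP has to come from that device's own logs. The sender address, the filter IP and the lookback window are placeholders.

```powershell
# Added example, not from the original thread. Run from the Exchange Management Shell
# on each Hub Transport server (the thread has only one).
$Sender   = 'victim@example.com'   # placeholder: the address the NDRs come back to
$FilterIp = '10.0.0.5'             # placeholder: the content filter's IP from the thread
$Start    = (Get-Date).AddDays(-1) # placeholder: lookback window

# RECEIVE = message accepted from an SMTP client; -ResultSize Unlimited avoids the
# default 1000-row cap that would hide the long tail of senders.
$events = Get-MessageTrackingLog -Server $env:COMPUTERNAME -ResultSize Unlimited `
            -Start $Start -EventId RECEIVE -Sender $Sender

# Rank submitting IPs, busiest first, with the hostnames Exchange recorded for each.
$events |
    Group-Object -Property ClientIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Hostnames'; e = { ($_.Group | ForEach-Object { $_.ClientHostname } |
                                   Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# Caveat from the thread: if everything came in through the content filter, Exchange
# never saw the workstation. Export the timestamps and Message-IDs so the same messages
# can be matched in the filter's logs, which do hold the original client IP.
$viaFilter = @($events | Where-Object { $_.ClientIp -eq $FilterIp })
if ($events.Count -gt 0 -and $viaFilter.Count -eq $events.Count) {
    Write-Warning "All $($events.Count) submissions came via $FilterIp; pivot to the filter's logs."
    $viaFilter | Select-Object Timestamp, MessageId, Recipients |
        Export-Csv -NoTypeInformation -Path ".\via-filter-$(Get-Date -Format yyyyMMdd).csv"
}
```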
