Spam / spoof analysis of exchange logs

pma111
We need to do some analysis of exchange tracking logs to determine the success of the spam / spoof filter settings and configuration. I am looking for some sample criteria on what would constitute a possible spam email that's crept through. Some searches online show where the from and to values (address fields) represent the same value could indicate spam/spoofing. Can you confirm or provide any other criteria?

I was also interested in what tools outside of exchange server could be used to interrogate/analyse the exchange tracking logs if anyone has any suggestions.
timgreen7077, Exchange Engineer
Distinguished Expert 2018

Commented:
First what software are you using for spam filtering?

Author

Commented:
The exchange admins have recently made some changes to 'sender policy framework'.

Author

Commented:
They just use in built exchange tools for anti-spam/spoof.

timgreen7077, Exchange Engineer
Distinguished Expert 2018

Commented:
These tools are not enabled by default, so did you install the anti-spam tools? Also if you did, I would recommend removing it and getting a 3rd party utility or 3rd party hosted solution. MS anti-spam tool is really junk and causes a ton of mail flow issues at times. Just my opinion.

Author

Commented:
I will feed this back as I don't look after exchange, but they want some data analysis of the logs regardless of the anti spam / spoof solution, and some common indicators of spam/spoof which has passed through, which is what I was wanting to focus on.
timgreen7077, Exchange Engineer
Distinguished Expert 2018

Commented:
I will allow someone with more experience using the anti spam features to reply. I have ideas but there may be a simpler way to get your results.

Author

Commented:
Your ideas are most welcome.
Exchange Engineer
Distinguished Expert 2018
Commented:
OK, when I used the anti-spam features of Exchange it was during Exchange 2010 and I made sure to never use it again, but at that time there was no direct reporting tab to review schematics on how much spam came into the org, and I'm not sure if that changed with Exchange 2016, but in O365 there is direct reporting. If there is no direct reporting in exchange 2016 once the anti-spam features are installed, you can send all definite spam emails to a quarantine mailbox which would allow you to delete it at will, once you get a chance to report what the quarantine mailbox is catching, and secondly you can have it append "Suspected Spam" to the subjects of emails that it thinks are spam but are still allowed to be delivered to the user. With that you can run message tracking logs to review all emails with "Suspected Spam" in the subject by date ranges.

Those are 2 things you can try if direct reporting isn't available in Exchange 2016 with the installation of the anti-spam features. Also I'm assuming 2016 or 2013 is what you are using, but either way without direct reporting that is how you can still get some type of info on how your solution is working.
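A worked example of the analysis the question asks about, added here and not code from the thread, Microsoft, or any product: a small Python script that parses Exchange message tracking log files (MSGTRK*.LOG) outside of Exchange and flags delivered messages on the two indicators discussed in this thread, a sender address equal to the recipient address on an inbound message, and a "Suspected Spam" subject tag that was nevertheless delivered. Column names are taken from the log's own "#Fields:" header (the Exchange 2013/2016 format); the sample log below is constructed with an abridged field list and placeholder addresses.

```python
# Added example, not code from the thread: parse Exchange message tracking log
# files (MSGTRK*.LOG, CSV with a "#Fields:" header) outside of Exchange and flag
# delivered messages matching two "possible spam that crept through" criteria:
#   1. inbound message whose sender address equals the recipient address
#   2. subject tagged "Suspected Spam" by the anti-spam agent, yet still delivered
import csv

SPAM_TAG = "suspected spam"

def parse_tracking_log(text):
    """Yield one dict per record; column names come from the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other comment headers, blank lines, or data before a header
        else:
            yield dict(zip(fields, next(csv.reader([line]))))

def flag_suspicious(records):
    """Return (reason, message-id) pairs for DELIVER events that look suspicious."""
    hits = []
    for rec in records:
        if rec.get("event-id") != "DELIVER":
            continue  # only messages that actually reached a mailbox matter here
        sender = rec.get("sender-address", "").lower()
        rcpts = {r.strip().lower() for r in rec.get("recipient-address", "").split(";")}
        if rec.get("directionality") == "Incoming" and sender and sender in rcpts:
            hits.append(("sender-equals-recipient", rec["message-id"]))
        if SPAM_TAG in rec.get("message-subject", "").lower():
            hits.append(("tagged-but-delivered", rec["message-id"]))
    return hits

# Constructed sample log with an abridged field list (real logs have more columns);
# hosts and addresses are placeholders, not values from the thread.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,source,event-id,message-id,recipient-address,message-subject,sender-address,return-path,directionality
2018-03-01T09:00:01.000Z,10.0.0.5,STOREDRIVER,DELIVER,<a1@example.com>,alice@example.com,Quarterly report,bob@example.com,bob@example.com,Originating
2018-03-01T09:05:12.000Z,203.0.113.7,STOREDRIVER,DELIVER,<b2@mail.invalid>,alice@example.com,Your account,alice@example.com,bounce@mail.invalid,Incoming
2018-03-01T09:07:40.000Z,203.0.113.9,STOREDRIVER,DELIVER,<c3@mail.invalid>,carol@example.com,Suspected Spam: Cheap offers,promo@mail.invalid,promo@mail.invalid,Incoming
2018-03-01T09:08:03.000Z,203.0.113.9,SMTP,RECEIVE,<d4@mail.invalid>,dave@example.com,Suspected Spam: hello,x@mail.invalid,x@mail.invalid,Incoming
"""

if __name__ == "__main__":
    for reason, msg_id in flag_suspicious(parse_tracking_log(SAMPLE_LOG)):
        print(reason, msg_id)
```

Point `parse_tracking_log` at the contents of real MSGTRK*.LOG files to run the same checks over a date range; the RECEIVE record in the sample is deliberately ignored because only DELIVER events show what reached a mailbox.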
Use agent logs instead. They will show you which built-in anti-spam agent has blocked the message or let it through.
https://technet.microsoft.com/en-us/library/bb124795(v=exchg.150).aspx
