Spam / spoof analysis of exchange logs

We need to do some analysis of Exchange tracking logs to determine the success of the spam / spoof filter settings and configuration. I am looking for some sample criteria on what would constitute a possible spam email that's crept through. Some searches online suggest that where the from and to values (address fields) are the same, this could indicate spam/spoofing. Can you confirm or provide any other criteria?

I was also interested in what tools outside of Exchange Server could be used to interrogate/analyse the Exchange tracking logs, if anyone has any suggestions.
pma111Asked:
timgreen7077Exchange EngineerCommented:
First what software are you using for spam filtering?
0
pma111Author Commented:
The Exchange admins have recently made some changes to 'sender policy framework'.
0
pma111Author Commented:
They just use the built-in Exchange tools for anti-spam/spoof.
0
timgreen7077Exchange EngineerCommented:
These tools are not enabled by default, so did you install the anti-spam tools? Also, if you did, I would recommend removing it and getting a 3rd party utility or 3rd party hosted solution. The MS anti-spam tool is really junk and causes a ton of mail flow issues at times. Just my opinion.
0
pma111Author Commented:
I will feed this back, as I don't look after Exchange, but they want some data analysis of the logs regardless of the anti-spam / spoof solution, and some common indicators of spam/spoof which has passed through, which is what I was wanting to focus on.
0
timgreen7077Exchange EngineerCommented:
I will allow someone with more experience using the anti spam features to reply. I have ideas but there may be a simpler way to get your results.
0
pma111Author Commented:
Your ideas are most welcome.
0
timgreen7077Exchange EngineerCommented:
OK, when I used the anti-spam features of Exchange it was during Exchange 2010, and I made sure to never use it again, but at that time there was no direct reporting tab to review schematics on how much spam came into the org, and I'm not sure if that changed with Exchange 2016, but in O365 there is direct reporting. If there is no direct reporting in Exchange 2016 once the anti-spam features are installed, you can send all definite spam emails to a quarantine mailbox, which would allow you to delete it at will once you get a chance to report what the quarantine mailbox is catching, and secondly you can have it append "Suspected Spam" to the subjects of emails that it thinks are spam but still allows to be delivered to the user. With that you can run message tracking logs to review all emails with "Suspected Spam" in the subject by date ranges.

Those are 2 things you can try if direct reporting isn't available in Exchange 2016 with the installation of the anti-spam features. Also, I'm assuming 2016 or 2013 is what you are using, but either way, without direct reporting, that is how you can still get some type of info on how your solution is working.
0
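The two things this thread points at, flagging messages whose sender and recipient are the same address (the indicator raised in the question) and searching the tracking logs for the "Suspected Spam" subject tag within a date range (the approach in the answer above), can both be done offline against the raw MSGTRK*.LOG text files, which is also one answer to the question about tools outside Exchange. The following is an added example in Python; it is not code from this thread or from Microsoft. The column names are read from the log's own #Fields header rather than hard-coded, the log lines are constructed for this example, and the internal domain, internal IP range and subject tag are assumptions to adjust for a real environment. It also goes beyond what the thread states by adding two further indicators a practitioner would normally check: a sender address in an internal domain arriving from a non-internal IP, and a return-path (envelope MAIL FROM) that differs from the sender-address column.

```python
import csv
import ipaddress
from datetime import datetime, timezone

# Assumed environment values (not from the thread): accepted domains, internal
# address space and the prefix the anti-spam agent is configured to prepend.
INTERNAL_DOMAINS = {"corp.example"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SPAM_TAG = "Suspected Spam"

# Constructed sample in the Exchange 2013/2016 message tracking log layout.
# The field list mirrors the MSGTRK header; every value below is invented.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: Message Tracking Log
#Date: 2018-03-01T00:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data
2018-03-01T08:01:10.000Z,203.0.113.7,mail.example.net,10.0.0.5,EXCH01,,EXCH01\\Default Frontend EXCH01,SMTP,RECEIVE,1001,<a1@example.net>,n1,alice@corp.example,,5120,1,,,Invoice attached,alice@corp.example,alice@corp.example,,Incoming,,,,
2018-03-01T08:02:00.000Z,203.0.113.9,smtp.partner.test,10.0.0.5,EXCH01,,EXCH01\\Default Frontend EXCH01,SMTP,RECEIVE,1002,<b2@partner.test>,n2,bob@corp.example,,4096,1,,,Suspected Spam: Cheap meds,ads@partner.test,ads@partner.test,,Incoming,,,,
2018-03-01T09:15:00.000Z,10.0.0.21,EXCH01,10.0.0.5,EXCH01,,EXCH01\\Default Frontend EXCH01,SMTP,RECEIVE,1003,<c3@corp.example>,n3,carol@corp.example,,2048,1,,,Meeting notes,alice@corp.example,alice@corp.example,,Originating,,,,
2018-03-01T10:30:00.000Z,198.51.100.4,relay.other.test,10.0.0.5,EXCH01,,EXCH01\\Default Frontend EXCH01,SMTP,RECEIVE,1004,<d4@other.test>,n4,dave@corp.example,,3000,1,,,Password reset,it-helpdesk@corp.example,bounce@other.test,,Incoming,,,,
"""


def parse_ts(value):
    """Parse the UTC timestamps used in the log and in start/end arguments."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unrecognised timestamp: %r" % value)


def parse_tracking_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line encountered before the #Fields header")
        values = next(csv.reader([line]))
        values += [""] * (len(fields) - len(values))  # tolerate short lines
        rows.append(dict(zip(fields, values)))
    return rows


def is_internal_ip(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def flag_message(row):
    """Return the list of indicators that fire for one RECEIVE event."""
    reasons = []
    sender = row.get("sender-address", "").lower()
    recipient = row.get("recipient-address", "").lower()
    return_path = row.get("return-path", "").lower()
    subject = row.get("message-subject", "")
    client_ip = row.get("client-ip", "")
    # 1. From and To are the same address (the indicator raised in the question).
    if sender and sender == recipient:
        reasons.append("sender equals recipient")
    # 2. The anti-spam agent tagged the subject but still delivered the message.
    if subject.startswith(SPAM_TAG):
        reasons.append("subject tagged '%s'" % SPAM_TAG)
    # 3. Claims one of our own domains yet was received from a non-internal IP.
    if domain_of(sender) in INTERNAL_DOMAINS and client_ip and not is_internal_ip(client_ip):
        reasons.append("internal sender domain from external IP %s" % client_ip)
    # 4. Envelope MAIL FROM (return-path) does not match the sender column.
    if return_path and sender and return_path != sender:
        reasons.append("return-path %s differs from sender" % return_path)
    return reasons


def find_suspicious(log_text, start=None, end=None):
    """List (internal-message-id, reasons) for SMTP RECEIVE events in the range."""
    lo = parse_ts(start) if start else None
    hi = parse_ts(end) if end else None
    hits = []
    for row in parse_tracking_log(log_text):
        # Only inbound SMTP RECEIVE events: other event types (DELIVER, SEND)
        # repeat the same message and carry the server's own IP as client-ip.
        if row.get("event-id") != "RECEIVE" or row.get("source") != "SMTP":
            continue
        ts = parse_ts(row["date-time"])
        if (lo and ts < lo) or (hi and ts > hi):
            continue
        reasons = flag_message(row)
        if reasons:
            hits.append((row["internal-message-id"], reasons))
    return hits


if __name__ == "__main__":
    for msg_id, reasons in find_suspicious(SAMPLE_LOG):
        print(msg_id, "; ".join(reasons))
```

To run this against real data, read the MSGTRK*.LOG files from the transport server's tracking log directory and pass their text to `find_suspicious`, with `start`/`end` given as UTC timestamps such as `"2018-03-01T09:00:00Z"`. Indicator 4 is the noisiest of the four, since mailing lists and bulk senders legitimately rewrite MAIL FROM for bounce handling, so treat the output as a review list rather than a block list.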
davorinCommented:
Use agent logs instead. They will show you which built-in anti-spam agent blocked the message or let it through.
https://technet.microsoft.com/en-us/library/bb124795(v=exchg.150).aspx
1