How do I get a detailed report on a message

  • Question

  • So one user started to receive spam including zip files containing malware.

    The email now says that the email came from herself... such as a@a.com sent to a@a.com

    It is very unlikely that she or a malware on her computer is creating those emails

    And for some reason, even though much of the spam gets scanned and deleted by the anti-virus ....this one gets through

    On Exchange 2010 I could use the Message Tracking tool that would allow me to see pretty much anything about the email...from what I remember

    The Message Tracking tool isn't on Exchange 2013 anymore (pretty stupid) and using the || Get-MessageTrackingLog -Start "2016-03-18 11:25:00" -End "2016-03-18 11:45:00" | Out-GridView || isn't giving me any more information than what I was able to see in the email

    The source code of that email isn't saying anything within the mailbox of that user

    So how do I get to know where this email came from...?

    Thank you


    • Edited by Matt_1689 Sunday, March 20, 2016 10:12 AM
    Sunday, March 20, 2016 10:11 AM

All replies

  • What does the email header say?
    Sunday, March 20, 2016 3:33 PM
  • From Outlook Web since I'm not in the office

    I've replaced my server name SERVERNAME, domain name DOMAINNAME, IP address with 192.192.192.192 and that user name USERNAME

    So instead of trying to check the source code I had the option to see the "message detail" from there

    I guess I would have to ban this IP address 190.171.216.35

    Received: from SERVERNAME.ad.DOMAINNAME.com (192.192.192.192) by
     SERVERNAME.ad.DOMAINNAME.com (192.192.192.192) with Microsoft SMTP Server (TLS) id
     15.0.1130.7 via Mailbox Transport; Fri, 18 Mar 2016 11:32:14 -0400
    Received: from SERVERNAME.ad.DOMAINNAME.com (192.192.192.192) by
     SERVERNAME.ad.DOMAINNAME.com (192.192.192.192) with Microsoft SMTP Server (TLS) id
     15.0.1130.7; Fri, 18 Mar 2016 11:32:14 -0400
    Received: from static-ip-adsl-190.171.216.35.cotas.com.bo (190.171.216.35) by
     SERVERNAME.ad.DOMAINNAME.com (192.192.192.192) with Microsoft SMTP Server id
     15.0.1130.7 via Frontend Transport; Fri, 18 Mar 2016 11:32:14 -0400
    From: <USERNAME@DOMAINNAME.com>
    To: <USERNAME@DOMAINNAME.com>
    Subject: Document2
    Thread-Topic: Document2
    Thread-Index: AdF+sJZYKtxaTvOhSFC+rMKD/CUwyg==
    Date: Fri, 18 Mar 2016 11:31:05 -0400
    Message-ID: <A8205534290924C8D9A755CA25C8DB501@BORO-SBS.boro.local>
    Accept-Language: en-GB, en-US
    Content-Language: en-US
    X-MS-Has-Attach: yes
    X-MS-TNEF-Correlator:
    x-originating-ip: [192.168.0.28]
    Content-Type: multipart/mixed;
     boundary="_004_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_"
    MIME-Version: 1.0
    Return-Path: USERNAME@DOMAINNAME.com
    X-MS-Exchange-Organization-Network-Message-Id: e80001ee-ca0f-4084-2258-08d34f427b59
    X-EndpointSecurity-0xde81-EV: v:6.2.7.721, d:int, a:n, w:t, t:46, sv:1458291754, ts:1458315134
    X-MS-Exchange-Organization-AuthSource: SERVERNAME.ad.DOMAINNAME.com
    X-MS-Exchange-Organization-AuthAs: Anonymous

    Sunday, March 20, 2016 6:24 PM
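
The check that headers like the ones posted above make possible, as an added example that is not part of the original thread: it walks the Received chain newest-first, reports the first hop outside your own server range, and flags a message whose From domain is yours but which Exchange stamped `AuthAs: Anonymous`. The sample headers, `example.com`, the 192.0.2.0/24 and 203.0.113.0/24 ranges, and the `analyze` function with its parameters are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample in the shape of the headers posted above
# (example.com names and documentation-range IPs are placeholders).
SAMPLE = """\
Received: from mail01.ad.example.com (192.0.2.10) by
 mail01.ad.example.com (192.0.2.10) with Microsoft SMTP Server (TLS) id
 15.0.1130.7 via Mailbox Transport; Fri, 18 Mar 2016 11:32:14 -0400
Received: from mail01.ad.example.com (192.0.2.10) by
 mail01.ad.example.com (192.0.2.10) with Microsoft SMTP Server (TLS) id
 15.0.1130.7; Fri, 18 Mar 2016 11:32:14 -0400
Received: from host.isp.example (203.0.113.35) by
 mail01.ad.example.com (192.0.2.10) with Microsoft SMTP Server id
 15.0.1130.7 via Frontend Transport; Fri, 18 Mar 2016 11:32:14 -0400
From: <user@example.com>
X-MS-Exchange-Organization-AuthAs: Anonymous

"""

HOP = re.compile(r"from\s+(\S+)\s+\(([^)]+)\)\s+by\s+(\S+)")

def analyze(raw, own_networks, own_domains):
    """Return the first hop outside own_networks and a spoofing verdict."""
    msg = message_from_string(raw)
    nets = [ipaddress.ip_network(n) for n in own_networks]
    entry = None
    # Received headers are newest-first; trust only hops our servers wrote.
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            break  # unparseable hop: stop trusting the chain here
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            break
        if not any(ip in n for n in nets):
            entry = {"host": m.group(1), "ip": str(ip), "by": m.group(3)}
            break
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip().lower()
    spoofed = from_domain in own_domains and auth_as == "anonymous" and entry is not None
    return {"entry": entry, "from_domain": from_domain, "spoofed_internal": spoofed}

if __name__ == "__main__":
    print(analyze(SAMPLE, ["192.0.2.0/24"], {"example.com"}))
```

Headers written before the reported entry hop (Message-ID, x-originating-ip, Date) were supplied by the sending host and cannot be verified from the receiving side.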
  • static-ip-adsl-190.171.216.35.cotas.com.bo

    http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a190.171.216.35&run=toolpage

    looks bad to me, perhaps should buy a spam appliance and put it between your Exchange server and the internet

    Sunday, March 20, 2016 6:55 PM
  • Hi,

    Command like this:

    Get-MessageTrackingLog -Recipient "UserName" -MessageSubject "Subject line"

    And try to block the sender domain to check this issue.

    https://technet.microsoft.com/en-us/library/bb124087%28v=exchg.150%29.aspx

    Or consider using an Exchange Edge Server.

    https://technet.microsoft.com/en-us/library/bb124701%28v=exchg.150%29.aspx

    Best Regards.



    Lynn-Li
    TechNet Community Support

    Monday, March 21, 2016 8:30 AM
    Moderator