How do I get a detailed report on a message

  • Question

  • So one user started to receive spam including zip files containing malware.

    The email now says that the email came from herself... such sent to

    It is very unlikely that she or a malware on her computer is creating those emails

    And for some reason, even though much of the spam gets scanned and deleted by the anti-virus ... this one gets through

    On Exchange 2010 I could use the Message Tracking tool that would allow me to see pretty much anything about the email... from what I remember

    The Message Tracking tool isn't on Exchange 2013 anymore (pretty stupid) and using Get-MessageTrackingLog -Start "2016-03-18 11:25:00" -End "2016-03-18 11:45:00" | Out-GridView isn't giving me any more information than what I was able to see in the email

    The source code of that email isn't saying anything within the mailbox of that user

    So how do I get to know where this email came from...?

    Thank you

    • Edited by Matt_1689 Sunday, March 20, 2016 10:12 AM
    Sunday, March 20, 2016 10:11 AM


All replies

  • What does the email header say?
    Sunday, March 20, 2016 3:33 PM
  • From Outlook Web since I'm not in the office

    I've replaced my server name SERVERNAME, domain name DOMAINNAME, IP address with and that user name USERNAME

    So instead of trying to check the source code I had the option to see the "message detail" from there

    I guess I would have to ban this IP address

    Received: from ( by ( with Microsoft SMTP Server (TLS) id
     15.0.1130.7 via Mailbox Transport; Fri, 18 Mar 2016 11:32:14 -0400
    Received: from ( by ( with Microsoft SMTP Server (TLS) id
     15.0.1130.7; Fri, 18 Mar 2016 11:32:14 -0400
    Received: from ( by ( with Microsoft SMTP Server id
     15.0.1130.7 via Frontend Transport; Fri, 18 Mar 2016 11:32:14 -0400
    From: <>
    To: <>
    Subject: Document2
    Thread-Topic: Document2
    Thread-Index: AdF+sJZYKtxaTvOhSFC+rMKD/CUwyg==
    Date: Fri, 18 Mar 2016 11:31:05 -0400
    Message-ID: <A8205534290924C8D9A755CA25C8DB501@BORO-SBS.boro.local>
    Accept-Language: en-GB, en-US
    Content-Language: en-US
    X-MS-Has-Attach: yes
    x-originating-ip: []
    Content-Type: multipart/mixed;
    MIME-Version: 1.0
    X-MS-Exchange-Organization-Network-Message-Id: e80001ee-ca0f-4084-2258-08d34f427b59
    X-EndpointSecurity-0xde81-EV: v:, d:int, a:n, w:t, t:46, sv:1458291754, ts:1458315134
    X-MS-Exchange-Organization-AuthAs: Anonymous

    Sunday, March 20, 2016 6:24 PM

  • Looks bad to me, perhaps you should buy a spam appliance and put it between your Exchange server and the internet

    Sunday, March 20, 2016 6:55 PM
  • Hi,

    Command like this:

    Get-MessageTrackingLog -Recipient "UserName" -MessageSubject "Subject line"

    And try to block the sender domain to check this issue.

    Or consider using an Exchange Edge Server.

    Best Regards.

    Monday, March 21, 2016 8:30 AM
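
Added example, not part of any reply above: one way to answer "where did this email come from" from the tracking log is to pull the SMTP RECEIVE event for the message, which records the connecting host and the receive connector that accepted it. The recipient address is a placeholder (the thread redacts it); the subject and time window are the ones quoted in the thread.

```powershell
# Added example. Run in the Exchange Management Shell on Exchange 2013.
# Placeholder: replace with the affected user's SMTP address (redacted in the thread).
$recipient = 'USERNAME@DOMAINNAME'
$subject   = 'Document2'              # subject shown in the posted header
$start     = '2016-03-18 11:25:00'    # time window used in the question
$end       = '2016-03-18 11:45:00'

# Query every transport server so no hop is missed in a multi-server organization.
$events = Get-TransportService |
    Get-MessageTrackingLog -Recipients $recipient -MessageSubject $subject `
        -Start $start -End $end -ResultSize Unlimited

# Hop-by-hop view of the message, oldest event first.
$events | Sort-Object Timestamp |
    Select-Object Timestamp, EventId, Source, Sender, ClientIp, OriginalClientIp,
                  ClientHostname, ServerHostname, ConnectorId |
    Format-Table -AutoSize -Wrap

# The SMTP RECEIVE event marks where the message entered the organization.
# ClientIp / ClientHostname identify the connecting host and ConnectorId the
# receive connector. When mail is proxied through Frontend Transport, ClientIp
# can be the front-end server itself; OriginalClientIp then holds the external address.
$entry = $events |
    Where-Object { $_.EventId -eq 'RECEIVE' -and $_.Source -eq 'SMTP' } |
    Sort-Object Timestamp |
    Select-Object -First 1

if ($entry) {
    $entry | Format-List Timestamp, Sender, ClientIp, OriginalClientIp,
                         ClientHostname, ConnectorId, MessageId
} else {
    Write-Warning 'No SMTP RECEIVE event found; widen the window or check tracking log retention.'
}
```

The `X-MS-Exchange-Organization-AuthAs: Anonymous` line in the posted header means the message was submitted without authentication, so the sender address shown in the tracking log is whatever the connecting host claimed.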