Track relay emails from specific host?

  • Question

  • There is a specific Oracle host machine with IP 10.x.x.x relaying emails through our Exchange server. I need to know a way to track this, i.e. is there a cmdlet I can directly execute in the shell to verify when this particular 10.x.x.x host relayed emails and who the recipients were? Please suggest.



    Aditya Mediratta

    Wednesday, June 15, 2016 11:49 PM

Answers

  • Hi Aditya,

    Per my test, there's a tool named LogParser which provides universal query access to text-based data, such as protocol logs and message tracking logs. Please refer to the following article:

    http://exchangeserverpro.com/exchange-2010-report-top-sender-ips-log-parser/ 

    Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information, and the changes made in the above blog are not supported officially by Microsoft.

    Best regards,




    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Niko Cheng
    TechNet Community Support

    Friday, June 17, 2016 8:31 AM
    Moderator
  • Hi Aditya,

    We can refer to the following article to add some parameters:

    http://exchangeserverpro.com/generate-smtp-error-statistics-using-log-parser-and-exchange-server-2010-protocol-logs/

    Hope it helps.

    Best regards,

    Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information, and the changes made in the above blog are not supported officially by Microsoft.


    Monday, June 20, 2016 10:59 AM
    Moderator
  • Hello Aditya ,

    In addition to all the suggestions, please look for the field "clientip" in the message tracking log; that would reveal the application server's IP address.

    # Recipients and RecipientStatus are arrays; join them, otherwise Export-Csv writes "System.String[]" instead of the addresses.
    Get-TransportService | Get-MessageTrackingLog -Sender "nithyanandham.s@abc.com" -ResultSize Unlimited -MessageSubject "test" |
        Select-Object EventId, Sender, Timestamp, OriginalClientIp, ConnectorId,
            @{Name="Recipients"; Expression={$_.Recipients -join ";"}},
            @{Name="RecipientStatus"; Expression={$_.RecipientStatus -join ";"}},
            MessageSubject |
        Export-Csv C:\nithya.csv -NoTypeInformation

    In a few cases messages will be relayed through load balancers; in such a case it will show the load balancer's IP address in the clientip field rather than the original IP address of the application server. In such cases you need to do some additional configuration on the load balancer to get the original IP address of the application servers in future mail transactions.


    Thanks & Regards S.Nithyanandham

    Monday, June 20, 2016 3:13 PM
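A way to answer the original question directly from the message tracking log, added here as an example that is not from the thread: Get-MessageTrackingLog has no client-IP parameter, so the filter is applied client-side on ClientIp and OriginalClientIp instead of on the sender. The address, date range and output path are placeholders.

```powershell
# Added example (not from the thread). Assumes an Exchange 2013/2016 Management Shell;
# the address, date range and output path below are placeholders to replace.
$relayHost = "10.0.0.10"            # the Oracle host's IP
$start     = (Get-Date).AddDays(-7)
$end       = Get-Date

# Get-MessageTrackingLog has no client-IP parameter, so pull RECEIVE events for the
# window and filter client-side. Check both fields: ClientIp is the peer that submitted
# the message, OriginalClientIp holds the real source when it came in via the Frontend
# Transport proxy.
$hits = Get-TransportService |
    Get-MessageTrackingLog -EventId RECEIVE -Start $start -End $end -ResultSize Unlimited |
    Where-Object { $_.ClientIp -eq $relayHost -or $_.OriginalClientIp -eq $relayHost } |
    Select-Object Timestamp, ClientIp, OriginalClientIp, ClientHostname, ConnectorId, Sender,
                  @{Name = "Recipients"; Expression = { $_.Recipients -join ";" }},
                  MessageSubject, MessageId

# When the host relayed, and to whom.
$hits | Sort-Object Timestamp | Format-Table Timestamp, Sender, Recipients -AutoSize

# Recipient totals for the window: a quick check that this host only mails the
# addresses its application is expected to notify.
$hits | ForEach-Object { $_.Recipients -split ";" } | Group-Object -NoElement |
    Sort-Object Count -Descending

$hits | Export-Csv -Path "C:\temp\relay-from-$relayHost.csv" -NoTypeInformation
```

If the host sits behind a load balancer, as the post above notes, both IP fields will show the balancer's address and the filter has to use that address instead.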

All replies

  • You can enable SMTP protocol logging on the appropriate receive connector(s) and look in the resulting protocol log for the SMTP session.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, June 16, 2016 12:26 AM
    Moderator
  • Hi Aditya,

    There are two ways to achieve this:

    First, we can use the cmdlet "Get-MessageTrackingLog" to get the message tracking log, or we can search the logs directly from the path: (install path)\Exchange Server\V15\TransportRoles\Logs\MessageTracking

    Please refer to the following articles:

    https://social.technet.microsoft.com/Forums/office/en-US/88aa22d0-0b2b-42ea-80e2-f9ed02b3f831/exchange-2013-message-tracking-on-relay-connector?forum=exchangesvrgeneral

    https://technet.microsoft.com/en-us/library/bb124375(v=exchg.150).aspx 

    Second, as Ed Crowley mentioned, we can enable protocol logging and check the SMTP log on the appropriate receive connector; please refer to the following command and article:

    Set-ReceiveConnector -Identity "receive connector name" -ProtocolLogging Verbose

    https://technet.microsoft.com/en-us/library/bb124531(v=exchg.150).aspx

    Best regards,



    Niko Cheng
    TechNet Community Support


    Thursday, June 16, 2016 6:25 AM
    Moderator
  • Hello Ed,

    Protocol logging is enabled in our environment. I need to know a way to perform a filtered query against these logs to verify when this particular 10.x.x.x host relayed emails and who the recipients were, or indeed whether the 10.x.x.x host ever made a hit to our Exchange servers to send out email or not. Please suggest?


    Aditya Mediratta

    Thursday, June 16, 2016 8:49 AM
  • Hi Aditya,

    You can filter the receive connector logs in Excel, separating the columns by (,), and check the IP address in the remote-endpoint column; or you can filter the logs through PowerShell as well by using the command below:

    # -SimpleMatch so the dots in the address are not treated as regex wildcards
    Get-ChildItem *.log | Select-String -SimpleMatch -Pattern "IP address"


    Friday, June 17, 2016 10:08 AM
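The filtered query the question asks for, run against the receive connector protocol logs rather than grepping them line by line: an added example, not code from the thread. It groups the log rows by session-id for the given remote endpoint and reports connection time, MAIL FROM, RCPT TO and whether the server queued the message. The column layout is the standard Exchange 2013/2016 "#Fields:" header; the sample log lines and the log path are constructed placeholders.

```powershell
# Added example (not from the thread): parse SMTP receive protocol logs and report, per
# session from one remote host, when it connected and what envelope it sent.
function Get-RelaySessionsFromProtocolLog {
    param(
        [Parameter(Mandatory)][string]$RemoteIp,
        [Parameter(Mandatory)][string[]]$LogLines
    )
    $header = 'date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context'
    # Skip the '#Software/#Version/#Date/#Fields' comment lines and parse the rest as CSV.
    $rows = $LogLines | Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Header ($header -split ',')
    $rows |
        Where-Object { ($_.'remote-endpoint' -split ':')[0] -eq $RemoteIp } |
        Group-Object -Property 'session-id' |
        ForEach-Object {
            $s = @($_.Group | Sort-Object { [int]$_.'sequence-number' })
            # Only lines the client sent (event '<') carry the SMTP envelope commands.
            $cmds = @($s | Where-Object { $_.event -eq '<' } | ForEach-Object { $_.data })
            [pscustomobject]@{
                Connected = [datetime]$s[0].'date-time'
                Connector = $s[0].'connector-id'
                Remote    = $s[0].'remote-endpoint'
                MailFrom  = @($cmds | ForEach-Object { if ($_ -match '^MAIL FROM:<([^>]*)>') { $Matches[1] } }) -join ';'
                RcptTo    = @($cmds | ForEach-Object { if ($_ -match '^RCPT TO:<([^>]*)>') { $Matches[1] } }) -join ';'
                # 250 2.6.0 is the server's "Queued mail for delivery" reply, i.e. the relay was accepted.
                Accepted  = [bool]($s | Where-Object { $_.event -eq '>' -and $_.data -like '250 2.6.0*' })
            }
        }
}

# Constructed sample log (not real data): one session from 10.0.0.10 and one from another host.
$sample = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2016-06-17T08:15:02.123Z,EX01\Relay Connector,08D3A1B2C3D4E5F6,0,192.168.1.5:25,10.0.0.10:51234,+,,
2016-06-17T08:15:02.140Z,EX01\Relay Connector,08D3A1B2C3D4E5F6,1,192.168.1.5:25,10.0.0.10:51234,<,EHLO oradb01,
2016-06-17T08:15:02.150Z,EX01\Relay Connector,08D3A1B2C3D4E5F6,2,192.168.1.5:25,10.0.0.10:51234,<,MAIL FROM:<alerts@contoso.com>,
2016-06-17T08:15:02.160Z,EX01\Relay Connector,08D3A1B2C3D4E5F6,3,192.168.1.5:25,10.0.0.10:51234,<,RCPT TO:<dba@contoso.com>,
2016-06-17T08:15:02.170Z,EX01\Relay Connector,08D3A1B2C3D4E5F6,4,192.168.1.5:25,10.0.0.10:51234,<,RCPT TO:<oncall@contoso.com>,
2016-06-17T08:15:02.400Z,EX01\Relay Connector,08D3A1B2C3D4E5F6,5,192.168.1.5:25,10.0.0.10:51234,>,250 2.6.0 <msg1@oradb01> Queued mail for delivery,
2016-06-17T08:15:02.410Z,EX01\Relay Connector,08D3A1B2C3D4E5F6,6,192.168.1.5:25,10.0.0.10:51234,-,,Local
2016-06-17T09:00:00.000Z,EX01\Default Frontend EX01,08D3A1B2C3D4E5F7,0,192.168.1.5:25,192.168.1.77:40001,+,,
'@ -split "`r?`n"

Get-RelaySessionsFromProtocolLog -RemoteIp '10.0.0.10' -LogLines $sample | Format-List

# Against the real logs (default Frontend receive log folder is an assumption; adjust to your install):
# $lines = Get-ChildItem (Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log') | Get-Content
# Get-RelaySessionsFromProtocolLog -RemoteIp '10.x.x.x' -LogLines $lines | Export-Csv C:\temp\relay.csv -NoTypeInformation
```

With the sample above the function returns one session, connected at 08:15:02 with MailFrom alerts@contoso.com, RcptTo dba@contoso.com;oncall@contoso.com and Accepted $true; a host that never connected returns nothing, which answers the "did it ever hit our servers" part of the question.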
  • Hi Niko Cheng / yspintu,

    Could you guys please suggest a custom LogParser query against these logs to verify when the particular 10.x.x.x host relayed emails and who the recipients were?


    Aditya Mediratta

    Friday, June 17, 2016 2:22 PM