MS Exchange 2007 : How to trace from Which IP Address Email came from.

  • Question

  • Hello,

    I want to trace the IP address of the client computer which is sending email.

    How can I trace which IP address an email came from in Exchange 2007?

    Please help me

    Friday, December 30, 2011 8:39 AM

All replies

  • Hi eShop-IT,

    If you are using a MAPI-session (Outlook) you have to use the message tracking:
    http://www.msexchange.org/tutorials/exchange-2007-message-tracking-part1.html

    If you want to audit SMTP you have to use the SMTP-Logging:
    http://exchangepedia.com/2007/05/exchange-server-2007-logging-smtp-protocol-activity.html

    To better analyse these logs you can use logparser:
    http://blogs.technet.com/b/exchange/archive/2007/09/12/3403903.aspx


    Best regards
    Christian

    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer"; if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marked as answer by Sophia Xu Monday, January 2, 2012 6:27 AM
    Friday, December 30, 2011 8:45 AM
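Added example, not part of the original thread: a minimal Python parser for the SMTP receive protocol log referred to in the reply above, listing the MAIL FROM senders seen per client IP (the `remote-endpoint` field). It assumes the log's standard `#Fields` header; the sample lines, host names, addresses and the function name `senders_by_client` are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the layout of an SMTP receive protocol log;
# server name, addresses and session ids are made up for illustration.
SAMPLE_LOG = r"""#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2011-12-30T08:39:01.100Z,EXCH01\Default EXCH01,08CE94A2B3C4D5E6,0,10.0.0.5:25,10.0.0.87:49152,+,,
2011-12-30T08:39:01.150Z,EXCH01\Default EXCH01,08CE94A2B3C4D5E6,2,10.0.0.5:25,10.0.0.87:49152,<,EHLO pc87.example.local,
2011-12-30T08:39:01.200Z,EXCH01\Default EXCH01,08CE94A2B3C4D5E6,4,10.0.0.5:25,10.0.0.87:49152,<,MAIL FROM:<alice@example.local>,
2011-12-30T08:39:05.000Z,EXCH01\Default EXCH01,08CE94A2B3C4D5E7,4,10.0.0.5:25,10.0.0.42:50211,<,MAIL FROM:<> SIZE=2048,
2011-12-30T08:40:10.000Z,EXCH01\Default EXCH01,08CE94A2B3C4D5E8,4,10.0.0.5:25,10.0.0.87:49160,<,mail from:<Bob@Example.local>,
2011-12-30T08:40:11.000Z,EXCH01\Default EXCH01,08CE94A2B3C4D5E8,5,10.0.0.5:25
"""


def senders_by_client(log_text):
    """Map client IP -> set of MAIL FROM addresses received from that IP."""
    fields, result = None, defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        if row[0].startswith("#"):
            # The column names live in the "#Fields: " comment line.
            if row[0].startswith("#Fields: "):
                row[0] = row[0][len("#Fields: "):]
                fields = row
            continue
        if fields is None or len(row) != len(fields):
            continue  # no header seen yet, or a truncated line
        rec = dict(zip(fields, row))
        data = rec["data"]
        # "<" marks a command received from the remote (client) side.
        if rec["event"] == "<" and data.upper().startswith("MAIL FROM:"):
            ip = rec["remote-endpoint"].rsplit(":", 1)[0]  # drop source port
            addr = data[len("MAIL FROM:"):].split(">")[0].strip(" <")
            result[ip].add(addr.lower() or "<>")  # "<>" is the null sender
    return dict(result)


if __name__ == "__main__":
    for ip, senders in sorted(senders_by_client(SAMPLE_LOG).items()):
        print(ip, sorted(senders))
```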
  • Thanks,

    Will I get the client computer IP address in these logs?

    Friday, December 30, 2011 10:16 AM
  • Hi eShop-IT,

    Thanks,

    Will I get the client computer IP address in these logs?

    Yes you will see it in both logs...


    Best regards
    Christian

    Friday, December 30, 2011 8:39 PM
  • Hi,

    There is no integrated Exchange tool that can get the IP address for the MAPI clients. You can only use Network Monitor to capture the data.


    Regards from www.windowsadmin.info | www.blog.windowsadmin.info
    • Marked as answer by Sophia Xu Monday, January 2, 2012 6:27 AM
    Saturday, December 31, 2011 4:51 AM
    I just had to do this and netmon is the only way. And even then you have to do it circumstantially.

    I had to run the packet sniff first. Then, I waited for an email failure to pop up in the queue. Then, using that time stamp, I was able to look at the packet sniff and get the internal IP that was sending at that time.

    The SMTP logs won't show you the IP and tools like ExMon will show you the MAPI session. But if a PC has a bot and it is simply using the internal SMTP relay (which most Exchange servers are set to be, open relays internally) then it won't show on MAPI. You need to go down to the packet level.


    PJ McGhee


    • Edited by PJ McGhee Saturday, October 25, 2014 3:55 AM
    Saturday, October 25, 2014 3:53 AM