We are getting about 800 mails an hour that are trying to go out on our
exchange server. We know that it is internal to the company but not which
subnet it is coming from. Can any of you tell me how to use performance
monitor to find out what IP it is coming from? If you can help I would
really appreciate it.

Thanks

Re: Tracking where mail is coming from. by Lanwench

Lanwench
Tue Dec 20 14:00:08 CST 2005
In news:516734DE-EFA8-4B3F-9083-4D9403C0E417@microsoft.com,
James McKillop <JamesMcKillop@discussions.microsoft.com> typed:
> We are getting about 800 mails an hour that are trying to go out on
> our exchange server. We know that it is internal to the company but
> not which subnet it is coming from. Can any of you tell me how to
> use performance monitor to find out what IP it is coming from? If
> you can help I would really appreciate it.
>
> Thanks

Try posting in microsoft.public.exchange.admin, and include the following
info:

Version/SP level of Exchange
Sender's name on these messages as it appears in the queues
Whether you are allowing any relay through your server (authenticated as
well as open)
What Exchange-aware antivirus software you use
What client antivirus software you use
Re: Tracking where mail is coming from. by karl

karl
Wed Dec 21 06:58:25 CST 2005


"James McKillop" <JamesMcKillop@discussions.microsoft.com> wrote in message
news:516734DE-EFA8-4B3F-9083-4D9403C0E417@microsoft.com...
> We are getting about 800 mails an hour that are trying to go out on our
> exchange server. We know that it is internal to the company but not which
> subnet it is coming from. Can any of you tell me how to use performance
> monitor to find out what IP it is coming from? If you can help I would
> really appreciate it.

I would not use performance monitor. I would consider using a sniffer such
as www.ethereal.com run on your exchange server. It helps if you do the
sniffing at a time when you believe the infected computer [assuming that's
what it is] is the only machine contacting the email server, such as outside
normal business hours.

If the email is arriving via SMTP, then you can enable full debug logging in
exchange for the Internet Mail Connector in the Exchange administration
tool. Google search for "internet-mail-connector debug logging" for
information, or read the documentation that came with exchange. Doing that
won't find anything if it isn't coming into your server through SMTP, but
there may be logging properties on other protocol connectors.

You might also try temporarily using your firewall or another method for
temporarily blocking your email server from sending out email. A backlog of
email files should start collecting on your server that you can then inspect
for more information. That may not give you the information you're looking
for, depending. Doing this for less than 8 hours shouldn't cause any email
to be lost or dropped, just delayed.
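One way to do the counting karl's SMTP-logging suggestion leads to, as an added example that is not from this thread: once protocol logging is on, rank client IPs by MAIL FROM commands per clock hour to find the internal host behind the flood. The log lines below are constructed, and the field list assumes the W3C extended format that IIS/Exchange SMTP virtual servers write (c-ip for the client, cs-method for the SMTP verb).

```python
"""Rank SMTP clients by MAIL FROM commands per hour in a W3C-style protocol log."""
from collections import Counter
from datetime import datetime

# Constructed sample log (not real data). Field set is an assumption about
# the IIS/Exchange SMTP virtual server W3C format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2005-12-20 13:02:11 10.1.5.23 - 10.1.1.10 MAIL +FROM:<bob@example.com> 250
2005-12-20 13:02:12 10.1.5.23 - 10.1.1.10 RCPT +TO:<x@example.net> 250
2005-12-20 13:02:30 10.1.5.23 - 10.1.1.10 MAIL +FROM:<bob@example.com> 250
2005-12-20 13:03:05 10.1.7.40 - 10.1.1.10 MAIL +FROM:<alice@example.com> 250
2005-12-20 13:05:00 10.1.5.23 - 10.1.1.10 MAIL +FROM:<bob@example.com> 250
2005-12-20 14:10:00 10.1.5.23 - 10.1.1.10 MAIL +FROM:<bob@example.com> 250
"""


def parse_w3c(text):
    """Yield one dict per record, taking the keys from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines instead of aborting the whole run
        yield dict(zip(fields, values))


def mail_from_per_hour(text):
    """Count MAIL (envelope sender) commands per client IP per clock hour."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec["cs-method"] != "MAIL":
            continue
        stamp = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        counts[(rec["c-ip"], stamp.strftime("%Y-%m-%d %H:00"))] += 1
    return counts


def top_senders(text, threshold):
    """Return (ip, hour, count) for each hour a client sent >= threshold messages, busiest first."""
    hits = [(ip, hour, n) for (ip, hour), n in mail_from_per_hour(text).items() if n >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


if __name__ == "__main__":
    for ip, hour, n in top_senders(SAMPLE_LOG, 2):
        print(f"{ip} sent {n} messages in the hour starting {hour}")
```

On a real log, set the threshold to a rate no legitimate workstation should reach and the offending subnet falls out of the first line.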