Analysing Exchange SMTP Receive Logs

As part of an effort to consolidate a bunch of separate AD domains we’ve ended up with via acquisitions, I’ve been working on retiring an Exchange Organisation that’s no longer required.  Although all the mailboxes have long been migrated to a new Exchange Org, loads of internal hosts are still using the old servers as SMTP relays.

The SMTP protocol logs from Exchange store loads of data about the SMTP conversations it has, so it's fairly easy to figure out exactly what's been relaying through your Exchange servers. LogParser is a pretty old tool but it's really good for analysing log files like these. You can effectively have it run SQL-like queries using a whole folder of log files as a data source.

Get LogParser from Microsoft - https://technet.microsoft.com/en-gb/scriptcenter/dd919274.aspx


Get the Exchange SMTP Logs

On Exchange 2013, they tend to be here (if Exchange is installed on the C: drive):

`C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive`

I think the logs for Exchange 2010 are in a similar place, although I've not got an Ex2010 server to check this on.

On an Exchange 2003 machine, check the Properties page of the SMTP Virtual Server on each of the Exchange servers and set up the logging there. You can select different formats; I've used "W3C Extended Log File Format".

After a few weeks of logging, pick up the files from all the servers and stick them into one directory. You’ll probably find a lot of duplicate file names, so I’ve found it helps to rename the files from each server so they’ve got a unique prefix on them (like the server name itself) before copying them all into one directory.

Run this from a cmd prompt in the folder to rename all the files in it and stick "myservername_" in front of each filename:

`for /f "tokens=*" %a in ('dir /b') do ren "%a" "myservername_%a"`


Finding Top Sender IP

Paul Cunningham’s post on Practical365.com describes how to get top senders by number of emails using the following query:

```sql
SELECT client-ip as IP,
REVERSEDNS(client-ip) as Name,
Count(*) as Hits
FROM *.log
WHERE (event-id="RECEIVE")
GROUP BY IP
ORDER BY Hits DESC
```

You run this by changing to the folder containing the log files you want to query and running LogParser with the query passed on the command line:

`"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT client-ip as IP,REVERSEDNS(client-ip) as Name,Count(*) as Hits from *.log WHERE (event-id='RECEIVE') GROUP BY IP ORDER BY Hits DESC" -i:CSV -nSkipLines:4 -rtp:-1`

If you know exactly what each server does, then the list of IP addresses might be enough for you to jump onto each machine and alter whatever service on the machine is sending emails. Sometimes it isn't obvious what service on a machine is actually sending the emails. Sometimes there could be multiple services on a server, each sending emails and each with its own SMTP settings.


Finding the FROM addresses in emails from a specific host

I found it helpful to see what the FROM addresses on the emails are, as they give a clue as to what service is sending the emails. I put the following together to query the FROM addresses used on emails sent from a specific host:

`"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT EXTRACT_SUFFIX(EXTRACT_PREFIX(data,0,'>'),0,'<') as From, count(EXTRACT_SUFFIX(EXTRACT_PREFIX(data,0,'>'),0,'<')) as Hits from *.log WHERE remote-endpoint LIKE '%SERVERIP:%' and data LIKE '%FROM%' GROUP BY EXTRACT_SUFFIX(EXTRACT_PREFIX(data,0,'>'),0,'<') ORDER BY Count(EXTRACT_SUFFIX(EXTRACT_PREFIX(data,0,'>'),0,'<')) DESC" -i:CSV -nSkipLines:4 -rtp:-1`


Finding the TO addresses in emails from a specific host

Similarly, it can be helpful to see the TO addresses that the emails were sent to. Even if that in itself doesn't help, you might be able to go to the recipient of the email and ask them what the nature of the email was, as that might help track down the service that sent it. This will give you the TO addresses used on emails sent from a specific host:

`"C:\Program Files (x86)\Log Parser 2.2\logparser.exe" "SELECT EXTRACT_SUFFIX(EXTRACT_PREFIX(data,0,'>'),0,'<') as RcptTo, count(EXTRACT_SUFFIX(EXTRACT_PREFIX(data,0,'>'),0,'<')) as Hits from *.log WHERE remote-endpoint LIKE '%SERVERIP:%' and data LIKE '%RCPT TO%' GROUP BY EXTRACT_SUFFIX(EXTRACT_PREFIX(data,0,'>'),0,'<') ORDER BY Count(EXTRACT_SUFFIX(EXTRACT_PREFIX(data,0,'>'),0,'<')) DESC" -i:CSV -nSkipLines:4 -rtp:-1`
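If you would rather do the same three things (top relaying hosts, FROM addresses for one host, TO addresses for one host) with a script instead of LogParser, here is an added example in Python. It is not from this post and not part of LogParser or Exchange: it skips the `#` header lines that `-nSkipLines:4` is skipping past, takes the column names from the `#Fields:` line, and then works on the `remote-endpoint`, `event` and `data` columns the two address queries above use. The log layout in the sample, the hosts, session ids and addresses in it, and the script and function names are all assumptions constructed for the example; the sender count here comes from `MAIL FROM` commands in the protocol log, which counts message attempts (rejected ones included), rather than from the `client-ip`/`event-id` columns the top-sender query reads.

```python
"""Summarise Exchange SMTP receive protocol logs: top relaying hosts and the
MAIL FROM / RCPT TO addresses used by one host.  Added example, not from the post."""
import csv
import glob
import io
import re
import sys
from collections import Counter

# Constructed sample in the SmtpReceive protocol-log layout assumed here: four '#'
# lines (the ones -nSkipLines:4 skips), the '#Fields:' column line, then CSV rows.
# Hosts, session ids and addresses are made up.  The third session comes from
# 110.0.0.5, which a LIKE '%10.0.0.5:%' filter would wrongly pull in.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2016-03-01T00:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2016-03-01T08:00:01.000Z,MAIL01\\Default MAIL01,08D2A1,0,10.0.0.10:25,10.0.0.5:51001,+,,
2016-03-01T08:00:01.010Z,MAIL01\\Default MAIL01,08D2A1,1,10.0.0.10:25,10.0.0.5:51001,<,EHLO app01.corp.example,
2016-03-01T08:00:01.020Z,MAIL01\\Default MAIL01,08D2A1,2,10.0.0.10:25,10.0.0.5:51001,<,MAIL FROM:<alerts@app01.corp.example> SIZE=2048,
2016-03-01T08:00:01.030Z,MAIL01\\Default MAIL01,08D2A1,3,10.0.0.10:25,10.0.0.5:51001,<,RCPT TO:<ops@corp.example>,
2016-03-01T08:00:01.040Z,MAIL01\\Default MAIL01,08D2A1,4,10.0.0.10:25,10.0.0.5:51001,<,RCPT TO:<helpdesk@corp.example>,
2016-03-01T08:00:01.050Z,MAIL01\\Default MAIL01,08D2A1,5,10.0.0.10:25,10.0.0.5:51001,-,,Local
2016-03-01T08:05:00.000Z,MAIL01\\Default MAIL01,08D2A2,0,10.0.0.10:25,10.0.0.5:51002,+,,
2016-03-01T08:05:00.010Z,MAIL01\\Default MAIL01,08D2A2,1,10.0.0.10:25,10.0.0.5:51002,<,MAIL FROM:<backup@app01.corp.example>,
2016-03-01T08:05:00.020Z,MAIL01\\Default MAIL01,08D2A2,2,10.0.0.10:25,10.0.0.5:51002,<,RCPT TO:<ops@corp.example>,
2016-03-01T08:10:00.000Z,MAIL01\\Default MAIL01,08D2A3,0,10.0.0.10:25,110.0.0.5:40001,+,,
2016-03-01T08:10:00.010Z,MAIL01\\Default MAIL01,08D2A3,1,10.0.0.10:25,110.0.0.5:40001,<,MAIL FROM:<scanner@printer.corp.example>,
2016-03-01T08:10:00.020Z,MAIL01\\Default MAIL01,08D2A3,2,10.0.0.10:25,110.0.0.5:40001,<,RCPT TO:<scans@corp.example>,
"""

# The address between the angle brackets: the same thing the post's
# EXTRACT_SUFFIX(EXTRACT_PREFIX(data,0,'>'),0,'<') pair pulls out.
ADDR_RE = re.compile(r"<([^>]*)>")


def parse_protocol_log(text):
    """Return one dict per CSV row, keyed by the column names on the '#Fields:' line."""
    fields = None
    rows = []
    for line in io.StringIO(text):
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line and not line.startswith("#") and fields is not None:
            rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows


def remote_ip(row):
    """remote-endpoint is 'ip:port'; compare on the ip alone rather than with LIKE '%ip:%'."""
    return row["remote-endpoint"].rsplit(":", 1)[0]


def is_client_command(row, verb):
    """True for a command the client sent ('<' event) that begins with verb, e.g. 'MAIL FROM:'."""
    return row["event"] == "<" and row["data"].upper().startswith(verb)


def top_senders(rows):
    """Message attempts per client IP, counting one MAIL FROM per attempt."""
    return Counter(remote_ip(r) for r in rows if is_client_command(r, "MAIL FROM:"))


def addresses(rows, ip, verb):
    """Count the <address> in each MAIL FROM: or RCPT TO: command sent from one client IP."""
    counts = Counter()
    for r in rows:
        if remote_ip(r) == ip and is_client_command(r, verb):
            match = ADDR_RE.search(r["data"])
            if match:
                counts[match.group(1).lower()] += 1
    return counts


def report(rows, ip):
    """The three answers the post's LogParser queries give, for one client IP."""
    return {
        "top_senders": top_senders(rows).most_common(),
        "from": addresses(rows, ip, "MAIL FROM:").most_common(),
        "to": addresses(rows, ip, "RCPT TO:").most_common(),
    }


if __name__ == "__main__":
    # Usage: python smtp_receive_report.py <client-ip> [*.log ...]; with no files the sample is used.
    client_ip = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.5"
    paths = [p for pattern in sys.argv[2:] for p in glob.glob(pattern)]
    rows = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            rows.extend(parse_protocol_log(fh.read()))
    if not paths:
        rows = parse_protocol_log(SAMPLE_LOG)
    for section, items in report(rows, client_ip).items():
        print(section)
        for value, hits in items:
            print(f"  {hits:6d}  {value}")
```

Two checks here are tighter than the queries above, on purpose. The host filter compares the IP part of `remote-endpoint` exactly, because `LIKE '%10.0.0.5:%'` also matches `110.0.0.5:40001`, so a search for one host can silently pick up another. And the address filter only looks at lines the client sent (event `<`) whose data starts with the verb, so a `data LIKE '%FROM%'` match on some other line cannot be mistaken for a sender. Each file is parsed on its own so that the files from different servers can be passed in together without their header lines interfering.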

This post is licensed under CC BY 4.0 by the author.