How can I track internal email by source IP or Hostname?

I realize Exchange doesn't inject message headers on internal email so I'd like to know if there's a way to track emails by sender IP or hostname.

I'd like to set this up for both Exchange 2k and 2k3, but 2k in particular. I've set some of the Exchange diagnostics logs to medium but I don't see anything regarding actual email transports, mainly just successful mailbox connections.

If there's a specific diagnostic log I need enabled to track emails and to track their source, what is it, and what level does it need to be set at?

One other thing... Do I need to restart the server or Exchange services after changing the level of logging from, let's say, medium to maximum? After changing the levels, it has no effect until I reboot.

I have Exchange Email Tracking enabled, and SMTP protocol logging enabled as well, but those don't give me the source IPs.

I already know how to look at the headers to track incoming mail from an external domain. Basically all I want to do is track the workstation that a domain user sends an email from, that is directed to another domain user. I'd like to track this regardless of whether the sender uses Outlook, OWA, etc.

Can this be done?

On Tue, 4 Apr 2006 10:20:01 -0700, Ryan <R***@discussions.microsoft.com> wrote:

> I realize Exchange doesn't inject message headers on internal email so I'd
> like to know if there's a way to track emails by sender IP or hostname.
>
> I'd like to set this up for both Exchange 2k and 2k3, but 2k in particular.
> I've set some of the Exchange diagnostics logs to medium but I don't see
> anything regarding actual email transports, mainly just successful mailbox
> connections.
>
> If there's a specific diagnostic log I need enabled to track emails and to
> track their source, what is it, and what level does it need to be set at?
>
> One other thing... Do I need to restart the server or Exchange services
> after changing the level of logging from, let's say, medium to maximum? After
> changing the levels, it has no effect until I reboot.
>
> I have Exchange Email Tracking enabled, and SMTP protocol logging enabled as
> well, but those don't give me the source IPs.
>
> I already know how to look at the headers to track incoming mail from an
> external domain. Basically all I want to do is track the workstation that a
> domain user sends an email from, that is directed to another domain user.
> I'd like to track this regardless of whether the sender uses Outlook, OWA,
> etc.
>
> Can this be done?

I'm jolly interested in what your business case is for this little request. Someone may have a decent solution based on what you come back with. You can't do it in Exchange and it's a complex thing to do in AD.

The company wishing to have these emails tracked by their Exchange server is experiencing some strange email problems. I haven't been able to find a pattern yet, but there have been emails mass-mailed to all domain users, or specific distribution lists.

The emails are exact when it comes to the recipient list, so it's not a random list of recipients generated in hopes that one or more may be valid accounts. All names in the recipient list are valid accounts.

Some of the emails in question are mass-mailed from internal users, who deny ever having sent them. I believe them, but again, I haven't found a pattern.

I suspect I may be dealing with malware or some sort of mailing engine installed on one or more of the machines that has dug its way into Outlook. This is the main reason why I'd like to track down the source of these emails without the overload of a packet sniffer. The mail server also has, I believe, 5 network interfaces and is a 2000 SBS server so packet sniffing isn't very productive.

We do have software like Spybot and MS AntiSpyware on most of the machines, but all machines are continuously updated with the latest antivirus definitions from their Symantec Antivirus 10 server. The machines perform full scans daily, and all are currently clean (as far as Symantec Antivirus is concerned).

I'm not really looking for software to deploy across the network to scan for malware... All I want is to track emails by the source workstation in Exchange 2k. There must be some way I can do it...

"Mark Arnold [MVP]" wrote:

> I'm jolly interested in what your business case is for this little
> request. Someone may have a decent solution based on what you come
> back with. You can't do it in Exchange and it's a complex thing to do
> in AD.

If that is the case make sure your AV software is up to date. Set a network scanner or sniffer somewhere and sniff the network to see which workstation is causing the problem. Ethereal is free, Nmap is free, or get some nice graphical user sniffer to determine what kind of packets are traveling and which workstation is the naughty one.

Cheers
oz

--
Best regards,
Good Luck
Oz Ozugurlu
____________________________
MCSE 2003 M+,S+, CCNA
Http://www.msexchange911.org
Http://www.consultusa.us (Blog)

"Ryan" wrote:

> The company wishing to have these emails tracked by their Exchange server is
> experiencing some strange email problems. I haven't been able to find a
> pattern yet, but there have been emails mass-mailed to all domain users, or
> specific distribution lists.
>
> The emails are exact when it comes to the recipient list, so it's not a
> random list of recipients generated in hopes that one or more may be valid
> accounts. All names in the recipient list are valid accounts.
>
> Some of the emails in question are mass-mailed from internal users, who deny
> ever having sent them. I believe them, but again, I haven't found a pattern.
>
> I suspect I may be dealing with malware or some sort of mailing engine
> installed on one or more of the machines that has dug its way into Outlook.
> This is the main reason why I'd like to track down the source of these emails
> without the overload of a packet sniffer. The mail server also has, I
> believe, 5 network interfaces and is a 2000 SBS server so packet sniffing
> isn't very productive.
>
> We do have software like Spybot and MS AntiSpyware on most of the machines,
> but all machines are continuously updated with the latest antivirus
> definitions from their Symantec Antivirus 10 server. The machines perform
> full scans daily, and all are currently clean (as far as Symantec Antivirus
> is concerned).
>
> I'm not really looking for software to deploy across the network to scan for
> malware... All I want is to track emails by the source workstation in
> Exchange 2k. There must be some way I can do it...
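Oz's sniffer suggestion above, as an added example that is not part of the original thread: it summarises a capture to find workstations that open SMTP connections to the mail server, which is what a stand-alone mailing engine would produce, whereas Outlook's MAPI sessions and OWA's HTTP sessions do not use port 25. It assumes the sniffer's connection list has been exported as CSV in the column layout shown; the layout, the addresses and the thresholds are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one row per new TCP connection seen by the sniffer.
# All addresses are made up; 192.168.1.10 stands in for the mail server.
SAMPLE_CAPTURE = """\
time,src,dst,dport
2006-04-04 09:00:01,192.168.1.21,192.168.1.10,135
2006-04-04 09:00:02,192.168.1.21,192.168.1.10,1026
2006-04-04 09:00:05,192.168.1.34,192.168.1.10,80
2006-04-04 09:01:10,192.168.1.57,192.168.1.10,25
2006-04-04 09:01:11,192.168.1.57,192.168.1.10,25
2006-04-04 09:01:12,192.168.1.57,192.168.1.10,25
2006-04-04 09:01:13,192.168.1.57,192.168.1.10,25
2006-04-04 09:30:00,192.168.1.34,192.168.1.10,25
"""

SMTP_PORT = 25


def smtp_talkers(capture_csv, mail_server, window=timedelta(seconds=60), burst=3):
    """Return {workstation_ip: (total_smtp_connections, is_burst)}.

    A workstation is marked as a burst sender when it opens at least
    `burst` SMTP connections to the mail server inside one `window`.
    """
    times = defaultdict(list)
    for row in csv.DictReader(io.StringIO(capture_csv)):
        if row["dst"] == mail_server and int(row["dport"]) == SMTP_PORT:
            times[row["src"]].append(
                datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"))
    report = {}
    for src, stamps in times.items():
        stamps.sort()
        # Sliding window: compare each connection with the one burst-1 later.
        is_burst = any(
            stamps[i + burst - 1] - stamps[i] <= window
            for i in range(len(stamps) - burst + 1))
        report[src] = (len(stamps), is_burst)
    return report


if __name__ == "__main__":
    results = smtp_talkers(SAMPLE_CAPTURE, "192.168.1.10")
    for ip, (count, is_burst) in sorted(results.items()):
        print(f"{ip}: {count} SMTP connection(s){' <-- burst' if is_burst else ''}")
```

A workstation flagged here is a lead for closer inspection rather than proof, since a legitimate POP3/IMAP mail client on that machine would also submit over SMTP.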