Steps to identify the source IP of SPAM mail in Exchange Server, written after we had resolved an outbound SPAM mail issue
Check Message Queue and Stop the Spam
Verify the queue with Get-Queue; we noticed that user ([email protected]) was continuously sending out email to 300 recipients
# List all Queue
Get-Queue
# List only Queue for External Email
Get-Queue -Exclude Internal
# List all the Email Message in particular queue
$SpamMail = Get-Queue -Exclude Internal | Get-Message | ? FromAddress -eq "[email protected]"
$SpamMail.Recipients.Count
300
The fastest fix is to lower the maximum recipients per email from 500 (default) to 30 in TransportConfig
Set-TransportConfig -MaxRecipientEnvelopeLimit 30
Refer to Microsoft's documentation on Set-TransportConfig for more detailed information
No new outbound SPAM mail is being generated now, but we still have to manually suspend and delete the existing SPAM email in the queue without sending an NDR (Non-Delivery Report)
# Suspend Email in Queue
Get-Queue -Identity "IB-MBX02\7" | Get-Message | ? FromAddress -eq "[email protected]" | Suspend-Message
# Delete Email without NDR
Get-Queue -Identity "IB-MBX02\7" | Get-Message | ? FromAddress -eq "[email protected]" | Remove-Message -WithNDR $false
Please refer to the steps below to identify where the SPAM mail was sent from
Verify SMTP Logs In Hub Transport Server
Download & install Exchange SMTP Log Viewer to analyse the SMTP communication in a GUI
Log Files for Receive Connector
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive
Log Files for Send Connector
- C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpSend
However, it seems that the client IP address is NOT recorded in the SMTP protocol log files
Identify Source IP of SPAM In Exchange with Get-MessageTrackingLog
Refer to my previous posts on Message Tracking Log with PowerShell for more examples
Verify the source of the SPAM mail with Get-MessageTrackingLog by checking the events with EventID = SUBMIT
$Sender = "[email protected]"
Get-MessageTrackingLog -Start (Get-Date).AddDays(-1) -Sender $Sender | ? EventID -like "SUBMIT" | Select TimeStamp, Sender, Recipients, MessageSubject,SourceContext,OriginalClientIP
Email sent from Original Client IP = 192.168.1.201 via webmail (ClientType:OWA)
Timestamp : 3/31/2020 5:16:47 PM
Sender : [email protected]
Recipients : {[email protected]}
MessageSubject : Re: Email Testing @516PM
SourceContext : MDB:9ccb8fb7-c1e6-4c33-b906-b3beac219182, Mailbox:9a28cbae-c77d-4fe1-8c82-aba5a2210b0a, Event:1757420, MessageClass:IPM.Note, CreationTime:2020-03-31T09:16:47.511Z, ClientType:OWA
OriginalClientIp : 192.168.1.201
Email sent from Original Client IP = 192.168.1.201 via Microsoft Outlook (ClientType:MOMT)
Timestamp : 3/31/2020 9:03:15 PM
Sender : [email protected]
Recipients : {[email protected]}
MessageSubject : Email Testing from Outlook at 9:03PM
SourceContext : MDB:9ccb8fb7-c1e6-4c33-b906-b3beac219182, Mailbox:9a28cbae-c77d-4fe1-8c82-aba5a2210b0a, Event:1759867, MessageClass:IPM.Note, CreationTime:2020-03-31T13:03:15.077Z, ClientType:MOMT
OriginalClientIp : 192.168.1.120
Email sent from Original Client IP = <> using a phone (ClientType:AirSync)
No Original Client IP is recorded for email sent from a phone
Timestamp : 3/31/2020 5:34:31 PM
Sender : [email protected]
Recipients : {[email protected]}
MessageSubject : Email send from phone
SourceContext : MDB:9ccb8fb7-c1e6-4c33-b906-b3beac219182, Mailbox:9a28cbae-c77d-4fe1-8c82-aba5a2210b0a, Event:1757659, MessageClass:IPM.Note, CreationTime:2020-03-31T09:34:31.400Z, ClientType:AirSync
OriginalClientIp :
Identify Source IP of SPAM In Exchange with Log Parser 2.2
Download & Install Log Parser 2.2
Parse the IIS log files from C:\inetpub\logs\LogFiles\W3SVC1 into C:\Temp\Output.txt, which gives a more organized and readable format for further checking
Set-Location 'C:\Program Files (x86)\Log Parser 2.2'
.\LogParser.exe "Select * INTO C:\Temp\Output.txt FROM C:\inetpub\logs\LogFiles\W3SVC1\u_ex200331.log"
Search for cmd=SendMail&User in the cs-uri-query column to verify the source IP of the email sent by the user from the phone
The image below was prepared with some modification in Excel for ease of reference
You can also search for Cmd=SendMail in the IIS log file with PowerShell as below
Get-ChildItem -Path C:\inetpub\logs\LogFiles\W3SVC1\u_ex200331.log | Select-String -Pattern Cmd=SendMail
C:\inetpub\logs\LogFiles\W3SVC1\u_ex200331.log:21853:2020-03-31 09:34:31 192.168.1.201 POST /Microsoft-Server-ActiveSync/default.eas Cmd=SendMail&User=u001&DeviceId=f5dbb1573eec4946b601e91158982def&DeviceType=Outlook&CorrelationID=<empty>;&ClientId=ATOKPHYQULFYJGJOUPAQ&cafeReqId=8fc0d9a1-2712-42d3-883a-1e06af478da4; 443 info\u001 52.96.21.109 Outlook-iOS-Android/1.0 - 200 0 0 907
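The gap shown earlier (no OriginalClientIp for AirSync submissions) and the IIS log search in this section can be combined into one script that parses the W3C log by its #Fields header and matches the Cmd=SendMail request closest to the CreationTime recorded in SourceContext. This is an added example, not code from the original post; the log lines, IP addresses, device ID and sender address in it are constructed placeholders, and the column layout assumes the default IIS W3C field set.

```powershell
# Added example, not from the original post: when a SUBMIT event has an empty
# OriginalClientIp (ClientType:AirSync), recover the client IP from the IIS log of the
# ActiveSync virtual directory by matching the UTC CreationTime inside SourceContext
# against Cmd=SendMail requests (IIS W3C log timestamps are also UTC).
function Get-EasSendMail {
    # Parse IIS W3C log lines using the #Fields header; keep only Cmd=SendMail requests.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split ' '; continue }
        if (-not $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $row = @{}; $cols = $line -split ' '
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-uri-query'] -notmatch '(?i)\bCmd=SendMail\b') { continue }
        [pscustomobject]@{
            TimeUtc  = [datetime]::ParseExact("$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss',
                           [cultureinfo]::InvariantCulture, 'AssumeUniversal, AdjustToUniversal')
            User     = if ($row['cs-uri-query'] -match '(?i)User=([^&]+)') { $Matches[1] } else { $row['cs-username'] }
            DeviceId = if ($row['cs-uri-query'] -match '(?i)DeviceId=([^&]+)') { $Matches[1] } else { '' }
            ClientIp = $row['c-ip']   # c-ip is the connecting client; s-ip is the Exchange server itself
        }
    }
}

function Resolve-SubmitClientIp {
    # Use OriginalClientIp when present; otherwise take the Cmd=SendMail request closest to
    # CreationTime within $WindowSeconds. Confirm User/DeviceId manually: SMTP sender and IIS user name can differ.
    param($Submits, $SendMails, [int]$WindowSeconds = 5)
    foreach ($s in $Submits) {
        $ip = $s.OriginalClientIp; $via = 'MessageTrackingLog'
        if (-not $ip -and $s.SourceContext -match 'CreationTime:([^,\s]+)') {
            $created = [datetime]::Parse($Matches[1], [cultureinfo]::InvariantCulture, 'AdjustToUniversal')
            $hit = $SendMails | Where-Object { [math]::Abs(($_.TimeUtc - $created).TotalSeconds) -le $WindowSeconds } |
                   Sort-Object { [math]::Abs(($_.TimeUtc - $created).TotalSeconds) } | Select-Object -First 1
            if ($hit) { $ip = $hit.ClientIp; $via = "IIS log (User=$($hit.User), DeviceId=$($hit.DeviceId))" }
        }
        [pscustomobject]@{ Sender = $s.Sender; ClientIp = $ip; ResolvedVia = $via }
    }
}

# Constructed sample data (placeholder IPs/IDs) standing in for u_ex200331.log and the tracking log.
# Real run: Get-Content the IIS log, and Get-MessageTrackingLog -Start (Get-Date).AddDays(-1) -EventId SUBMIT -Sender $Sender
$IisLines = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-03-31 09:34:31 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=SendMail&User=u001&DeviceId=DEVICEID-PLACEHOLDER&DeviceType=Outlook 443 contoso\u001 203.0.113.77 Outlook-iOS-Android/1.0 - 200 0 0 907
2020-03-31 09:35:02 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=u001&DeviceId=DEVICEID-PLACEHOLDER&DeviceType=Outlook 443 contoso\u001 203.0.113.77 Outlook-iOS-Android/1.0 - 200 0 0 12
'@ -split "`r?`n"
$Submits = @([pscustomobject]@{ Sender = 'u001@example.com'; OriginalClientIp = ''; SourceContext = 'MDB:PLACEHOLDER, MessageClass:IPM.Note, CreationTime:2020-03-31T09:34:31.400Z, ClientType:AirSync' })
Resolve-SubmitClientIp -Submits $Submits -SendMails (Get-EasSendMail -Lines $IisLines) | Format-List
```

With the constructed data the AirSync submission resolves to ClientIp 203.0.113.77 via the IIS log entry for User=u001; the Cmd=Ping request is ignored because it is not a SendMail.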