Identify Source IP of SPAM In Exchange Server

Steps to identify the source IP of SPAM in Exchange Server, written up after we had resolved an outbound SPAM mail issue

Check Message Queue and Stop the Spam

Verify the queue with Get-Queue. In our case we noticed that one user ([email protected]) was continuously sending out Email to 300 recipients per message

# List all queues 
Get-Queue 
# List only the queues for external Email 
Get-Queue -Exclude Internal
# List the queued messages from the suspect sender across the external queues 
$SpamMail = Get-Queue -Exclude Internal | Get-Message | ? FromAddress -eq "[email protected]"
$SpamMail.Recipients.Count
300

The fastest way to stop new SPAM mail from being queued is to lower the maximum recipients per message in the transport configuration from the default of 500 to 30. Note that MaxRecipientEnvelopeLimit applies to the whole organization, so legitimate senders of large distribution mail are also affected until it is raised again; a per-mailbox limit (Set-Mailbox -RecipientLimits) overrides it for individual mailboxes.

Set-TransportConfig -MaxRecipientEnvelopeLimit 30

Refer to the Microsoft documentation on Set-TransportConfig for details

No new outbound SPAM mail is queued now, and the existing SPAM mail still in the queue has to be suspended and deleted manually, without sending an NDR (Non-Delivery Report) back to the sender

# Suspend the sender's Email in the queue 
Get-Queue -Identity "IB-MBX02\7" | Get-Message | ? FromAddress -eq "[email protected]" | Suspend-Message
# Delete the Email without generating an NDR (single dash: -WithNDR) 
Get-Queue -Identity "IB-MBX02\7" | Get-Message | ? FromAddress -eq "[email protected]" | Remove-Message -WithNDR $false
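The commands above target one known sender in one known queue. The script below is an added example, not code from the original post, that generalizes the same procedure: it walks every non-internal queue on the server, totals queued recipients per sender, reports any sender above a threshold, and only suspends and removes their messages (without NDR) when run with -Remove. It assumes the Exchange Management Shell on the server that holds the queues; the threshold value and the -Remove switch are arbitrary choices for the example.

```powershell
# Added example (not from the original post): find every sender whose queued
# outbound mail exceeds a recipient threshold, then suspend and remove it.
# Assumes the Exchange Management Shell on a Mailbox/Hub server; the
# threshold and the report-only default are arbitrary choices.
param(
    [int]$RecipientThreshold = 100,   # flag senders with more queued recipients than this
    [switch]$Remove                   # actually suspend+remove; default is report only
)

# All messages in every non-internal queue on this server
$queued = Get-Queue -Exclude Internal | Get-Message -ResultSize Unlimited

# Total queued recipients per sender, across all of those queues
$bySender = $queued |
    Group-Object -Property FromAddress |
    ForEach-Object {
        [pscustomobject]@{
            FromAddress = $_.Name
            Messages    = $_.Count
            Recipients  = ($_.Group | ForEach-Object { $_.Recipients.Count } | Measure-Object -Sum).Sum
            Queues      = ($_.Group.Queue | ForEach-Object { $_.ToString() } | Sort-Object -Unique) -join ','
        }
    } |
    Where-Object { $_.Recipients -gt $RecipientThreshold } |
    Sort-Object Recipients -Descending

$bySender | Format-Table -AutoSize

foreach ($s in $bySender) {
    # Filter by sender rather than by one queue ID, so a sender whose mail is
    # spread over several queues is caught in one pass.
    $msgs = $queued | Where-Object { $_.FromAddress -eq $s.FromAddress }
    if ($Remove) {
        $msgs | Suspend-Message -Confirm:$false
        $msgs | Remove-Message -WithNDR $false -Confirm:$false
    } else {
        Write-Host "Would suspend and remove $($msgs.Count) message(s) from $($s.FromAddress); rerun with -Remove"
    }
}
```

Run it once without -Remove to see who is over the threshold, then again with -Remove for the sender you have confirmed; the report-only default avoids deleting a legitimate mail-merge by accident.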

The steps below show how to identify where the SPAM mail was sent from

Verify SMTP Logs In Hub Transport Server

Download and install Exchange SMTP Log Viewer to analyse the SMTP conversations in a GUI

Log Files for Receive Connector

  • C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive

Log Files for Send Connector

  • C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpSend

However, the client IP address is NOT recorded in the SMTP protocol logs for these messages. Mail sent from OWA, Outlook (MAPI) or ActiveSync enters transport through the Mailbox Transport Submission service rather than through an SMTP receive connector, so the protocol logs only show the Exchange servers talking to each other, not the originating client

Identify Source IP of SPAM In Exchange

Identify Source IP of SPAM In Exchange with Get-MessageTrackingLog

Refer to my previous posts on Message Tracking Log with PowerShell for more examples

Verify the source of the SPAM mail with Get-MessageTrackingLog by looking at the SUBMIT events, which record the OriginalClientIp and, inside SourceContext, the client type used to send the message

$Sender = "[email protected]"
Get-MessageTrackingLog -Start (Get-Date).AddDays(-1) -Sender $Sender | ? EventID -like "SUBMIT" | Select TimeStamp, Sender, Recipients, MessageSubject,SourceContext,OriginalClientIP 

Email sent from original client IP 192.168.1.201 via webmail (ClientType:OWA):

Timestamp        : 3/31/2020 5:16:47 PM
Sender           : [email protected]
Recipients       : {[email protected]}
MessageSubject   : Re: Email Testing @516PM
SourceContext    : MDB:9ccb8fb7-c1e6-4c33-b906-b3beac219182, Mailbox:9a28cbae-c77d-4fe1-8c82-aba5a2210b0a, Event:1757420, MessageClass:IPM.Note, CreationTime:2020-03-31T09:16:47.511Z, ClientType:OWA
OriginalClientIp : 192.168.1.201

Email sent from original client IP 192.168.1.120 via Microsoft Outlook (ClientType:MOMT):

Timestamp        : 3/31/2020 9:03:15 PM
Sender           : [email protected]
Recipients       : {[email protected]}
MessageSubject   : Email Testing from Outlook at 9:03PM
SourceContext    : MDB:9ccb8fb7-c1e6-4c33-b906-b3beac219182, Mailbox:9a28cbae-c77d-4fe1-8c82-aba5a2210b0a, Event:1759867, MessageClass:IPM.Note, CreationTime:2020-03-31T13:03:15.077Z, ClientType:MOMT
OriginalClientIp : 192.168.1.120

Email sent from a phone (ClientType:AirSync): no OriginalClientIp is recorded, so the message tracking log alone cannot tell where this message came from

Timestamp        : 3/31/2020 5:34:31 PM
Sender           : [email protected]
Recipients       : {[email protected]}
MessageSubject   : Email send from phone 
SourceContext    : MDB:9ccb8fb7-c1e6-4c33-b906-b3beac219182, Mailbox:9a28cbae-c77d-4fe1-8c82-aba5a2210b0a, Event:1757659, MessageClass:IPM.Note, CreationTime:2020-03-31T09:34:31.400Z, ClientType:AirSync
OriginalClientIp : 
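The three records above were read one at a time. The script below is an added example, not code from the original post, that does the same lookup for a whole day of SUBMIT events: it pulls the sender's submissions, extracts ClientType from the free-text SourceContext, groups by client type and OriginalClientIp, and explicitly marks the AirSync rows with no IP so they are not lost in the summary and can be chased in the IIS logs. It assumes the Exchange Management Shell; $Sender and $Days are the example's own parameters.

```powershell
# Added example (not from the original post): summarise where a sender's
# messages were submitted from over the last N days.
# Assumes the Exchange Management Shell; $Sender and $Days are assumptions.
param(
    [Parameter(Mandatory)][string]$Sender,
    [int]$Days = 1
)

$events = Get-MessageTrackingLog -Start (Get-Date).AddDays(-$Days) -Sender $Sender `
    -EventId SUBMIT -ResultSize Unlimited

$rows = foreach ($e in $events) {
    # ClientType lives inside the free-text SourceContext, e.g. "..., ClientType:AirSync"
    $clientType = if ($e.SourceContext -match 'ClientType:(\w+)') { $Matches[1] } else { 'Unknown' }

    # AirSync (ActiveSync) submissions carry no OriginalClientIp; label them
    # instead of leaving a blank, so the gap is visible in the summary.
    $ip = if ([string]::IsNullOrEmpty($e.OriginalClientIp)) { '<none - check IIS logs>' } else { $e.OriginalClientIp }

    [pscustomobject]@{
        Timestamp        = $e.Timestamp
        ClientType       = $clientType
        OriginalClientIp = $ip
        RecipientCount   = $e.Recipients.Count
        Subject          = $e.MessageSubject
    }
}

# One line per (client type, IP): message count, total recipients, first and last seen
$rows |
    Group-Object ClientType, OriginalClientIp |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Timestamp
        [pscustomobject]@{
            ClientType       = $sorted[0].ClientType
            OriginalClientIp = $sorted[0].OriginalClientIp
            Messages         = $_.Count
            Recipients       = ($sorted | Measure-Object RecipientCount -Sum).Sum
            FirstSeen        = $sorted[0].Timestamp
            LastSeen         = $sorted[-1].Timestamp
        }
    } |
    Sort-Object Recipients -Descending |
    Format-Table -AutoSize
```

A compromised account typically shows up as one client type and IP with a recipient total far above the others; a row with '<none - check IIS logs>' under AirSync is the case the rest of the post deals with.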

Identify Source IP of SPAM In Exchange with Log Parser 2.2

Download and install Log Parser 2.2

Parse the IIS log file from C:\inetpub\logs\LogFiles\W3SVC1 into C:\Temp\Output.txt, which gives a more organized and readable format for further checking

Set-Location 'C:\Program Files (x86)\Log Parser 2.2'
.\LogParser.exe "Select * INTO C:\Temp\Output.txt FROM C:\inetpub\logs\LogFiles\W3SVC1\u_ex200331.log"


Search the cs-uri-query column for Cmd=SendMail&User to find the messages sent by the user from the phone. The sending device's address is in the c-ip column (check the #Fields header at the top of the log for the column order), while the IP immediately after the timestamp is s-ip, the Exchange server's own address

[Image: parsed IIS log, reformatted in Excel for ease of reference]

You can also search for Cmd=SendMail in the IIS log file with PowerShell as below

Get-ChildItem -Path C:\inetpub\logs\LogFiles\W3SVC1\u_ex200331.log | Select-String -Pattern Cmd=SendMail

C:\inetpub\logs\LogFiles\W3SVC1\u_ex200331.log:21853:2020-03-31 09:34:31 192.168.1.201 POST /Microsoft-Server-ActiveSync/default.eas Cmd=SendMail&User=u001&DeviceId=f5dbb1573eec4946b601e91158982def&DeviceType=Outlook&CorrelationID=<empty>;&ClientId=ATOKPHYQULFYJGJOUPAQ&cafeReqId=8fc0d9a1-2712-42d3-883a-1e06af478da4; 443 info\u001 52.96.21.109 Outlook-iOS-Android/1.0 - 200 0 0 907

With the default IIS field order (date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken), this line reads: s-ip 192.168.1.201, cs-username info\u001, c-ip 52.96.21.109 (the client address for this SendMail), User-Agent Outlook-iOS-Android/1.0
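Select-String returns the raw line, and it is easy to read the wrong IP off it. The function below is an added example, not code from the original post: it parses an IIS W3C log using the log's own #Fields header, so c-ip and s-ip are taken from the named columns rather than by position, and lists every ActiveSync SendMail request with the client IP, user, device and user agent. The sample log embedded at the end is constructed for the example (documentation IP addresses, default IIS field order); the function name is the example's own.

```powershell
# Added example (not from the original post): parse an IIS W3C log using its
# own #Fields header, then list ActiveSync SendMail requests with the client IP.
function Get-EasSendMailClients {
    param([Parameter(Mandatory)][string[]]$LogLines)

    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # Column names, in the order IIS writes them ("#Fields:" is 8 characters)
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'No #Fields header seen before the first data line' }

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # Only ActiveSync SendMail submissions; -like is case-insensitive, the regex is made so
        if ($row['cs-uri-stem'] -notlike '*/Microsoft-Server-ActiveSync*') { continue }
        if ($row['cs-uri-query'] -notmatch '(?i)(^|&)Cmd=SendMail(&|$)') { continue }

        # Split the query string into its User, DeviceId, DeviceType... parameters
        $q = @{}
        foreach ($pair in ($row['cs-uri-query'] -split '&')) {
            $kv = $pair -split '=', 2
            if ($kv.Count -eq 2) { $q[$kv[0]] = $kv[1] }
        }

        [pscustomobject]@{
            Time       = "$($row['date']) $($row['time'])"
            ClientIp   = $row['c-ip']        # the phone/app address, NOT s-ip
            ServerIp   = $row['s-ip']
            User       = $q['User']
            DeviceId   = $q['DeviceId']
            DeviceType = $q['DeviceType']
            UserAgent  = $row['cs(User-Agent)']
            Status     = $row['sc-status']
        }
    }
}

# Constructed sample log (not a real capture): one SendMail, one Ping and one OWA line
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-03-31 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-03-31 09:34:31 192.168.1.201 POST /Microsoft-Server-ActiveSync/default.eas Cmd=SendMail&User=u001&DeviceId=f5dbb1573eec4946b601e91158982def&DeviceType=Outlook 443 info\u001 203.0.113.25 Outlook-iOS-Android/1.0 - 200 0 0 907
2020-03-31 09:35:02 192.168.1.201 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=u001&DeviceId=f5dbb1573eec4946b601e91158982def&DeviceType=Outlook 443 info\u001 203.0.113.25 Outlook-iOS-Android/1.0 - 200 0 0 12
2020-03-31 09:36:10 192.168.1.201 POST /owa/service.svc action=CreateItem 443 info\u002 192.168.1.55 Mozilla/5.0 - 200 0 0 120
'@ -split "`r?`n"

# Only the SendMail line is returned, with ClientIp 203.0.113.25 and ServerIp 192.168.1.201
Get-EasSendMailClients -LogLines $sample | Format-Table -AutoSize
```

To run it against a real log, replace $sample with Get-Content on the u_ex*.log file; because the column mapping comes from the #Fields header, it keeps working if the IIS logging fields have been customised on the server.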
