RE: Tracking mails--Author again :)

  • From: Praveen Ramaswamy <ramaswamy_praveen@xxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 7 Jul 2005 01:15:16 -0700 (PDT)

I agree with you Rick and others who have a similar approach towards virus 
prevention. Even my approach is more or less the same. However, for example: 
let's say one PC has not been patched because the user was on leave and he 
switched off the PC. When the user returns and switches on the PC there is a 
high chance of this PC getting infected. Now if this PC is infected with a virus 
and starts sending out mails to people in the address book, then the antivirus on 
the Exchange server will filter these mails. But there will be wastage of server 
resources to process these unwanted mails. Also I have set a policy that I get a 
notification if such virus mails come to the server, so I get about 50 such mails 
in a day. Currently I am facing this problem.


We have decent patch and antivirus management in place but still, you know, it is 
not 100%. So given the above scenario, if I get the sender host IP address it 
will be easy to identify the PC and apply the required patch through patch 


So please let me know how to do this on Exchange 2003 server. I am sure this 
will be a basic feature of any mail server but I am not able to figure this out 
on Exchange 2003. 


Best regards

Praveen R

Rick Boza <rickb@xxxxxxxxxxxxxxx> wrote:
So - I get the idea that you want to have a response plan if one of these hits 
- you should have such a plan.  But you're missing the boat if you really think 
that pulling a single PC off the network is the plan you should be using.  The 
whole idea behind the attack vector you are bringing up is that by the time you 
have identified and pulled that one PC - twenty others are already infected and 
doing the same thing.  You'd need to assign one tech to unplugging NICs.  Very 
poor efficiency in an enterprise environment.

As John has said, you handle this by proactively securing your back-end 
systems, in cooperation with several other important steps.  Doing this 
prevents a single (or ten, or fifty) rogue systems from taking down that back 
end.  An "approaches to AV" discussion can become a religious experience, but 
the basic rule I like is multiple lines of defense (defense in depth) that 
includes properly patched and secured systems at the borders, on the back-end, 
and on the desktop.  (As an aside, in my experience most religious fervor comes 
from the subject of placing an AV engine on Exchange servers or not - 
personally I am in favor of having an Exchange AV engine in place as it adds 
one more level of defense - and I'll leave it at that for the moment)

The single line item you are discussing, while nominally useful, should be 
around number 45 on your list of the top 100 things to do if a virus hits.  You 
need to build your desktop and server infrastructure in such a way that a 
single infected system just, well, doesn't matter.

On 7/6/05 3:26 AM, "John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx> wrote:
You could use the SMTP Virtual server log. However, most MM viruses use a built 
in SMTP engine and send directly to the recipient server as identified by MX 
record. The ones that do indeed use the locally configured SMTP server 
(configured in Outlook etc.) do not authenticate, so if your Exchange server is 
properly configured to force authentication before sending, that will stop 
them. Of course, in the case of the other type, you are blocking port 25 
to/from the Internet except to/from your Exchange server, correct?

John T
eServices For You
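The SMTP virtual server log John points to is written by the IIS SMTP service in W3C extended format, so the connecting host's address sits in the `c-ip` column of every logged command. The Python below is an added example, not code from this thread or from Microsoft: it parses such a log by keying on the `#Fields:` header rather than on column positions, then counts MAIL and RCPT commands and 5xx responses per client IP so that an internal host sending a burst of mail through the server stands out. The log lines are constructed and the exact column set shown is an assumption; check the `#Fields:` line of your own log, which the parser reads. As John notes, this only catches mailers that relay through Exchange; one with its own SMTP engine is only visible at the perimeter port-25 filter.

```python
"""Summarise an Exchange 2003 / IIS SMTP virtual server log (W3C extended
format) per client IP.  Added example; the log sample is constructed."""

from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample.  The field layout is an assumption modelled on the IIS
# SMTP service; the parser uses whatever the #Fields: line declares.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-07-06 03:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2005-07-06 03:00:01 10.0.0.15 pc15 SMTPSVC1 MAIL01 10.0.0.5 25 HELO - +pc15 250
2005-07-06 03:00:01 10.0.0.15 pc15 SMTPSVC1 MAIL01 10.0.0.5 25 MAIL - +FROM:<alice@example.test> 250
2005-07-06 03:00:01 10.0.0.15 pc15 SMTPSVC1 MAIL01 10.0.0.5 25 RCPT - +TO:<bob@example.test> 250
2005-07-06 03:00:01 10.0.0.15 pc15 SMTPSVC1 MAIL01 10.0.0.5 25 RCPT - +TO:<carol@example.test> 250
2005-07-06 03:00:01 10.0.0.15 pc15 SMTPSVC1 MAIL01 10.0.0.5 25 DATA - <m1@pc15> 250
2005-07-06 03:00:02 10.0.0.15 pc15 SMTPSVC1 MAIL01 10.0.0.5 25 MAIL - +FROM:<alice@example.test> 250
2005-07-06 03:00:02 10.0.0.15 pc15 SMTPSVC1 MAIL01 10.0.0.5 25 RCPT - +TO:<dave@example.test> 250
2005-07-06 03:00:02 10.0.0.15 pc15 SMTPSVC1 MAIL01 10.0.0.5 25 RCPT - +TO:<nobody@example.test> 550
2005-07-06 03:00:02 10.0.0.15 pc15 SMTPSVC1 MAIL01 10.0.0.5 25 DATA - <m2@pc15> 250
2005-07-06 03:00:03 10.0.0.15 pc15 SMTPSVC1 MAIL01 10.0.0.5 25 MAIL - +FROM:<alice@example.test> 250
2005-07-06 03:00:03 10.0.0.15 pc15 SMTPSVC1 MAIL01 10.0.0.5 25 RCPT - +TO:<erin@example.test> 250
2005-07-06 03:00:03 10.0.0.15 pc15 SMTPSVC1 MAIL01 10.0.0.5 25 DATA - <m3@pc15> 250
2005-07-06 03:00:04 10.0.0.15 pc15 SMTPSVC1 MAIL01 10.0.0.5 25 MAIL - +FROM:<alice@example.test> 250
2005-07-06 03:00:04 10.0.0.15 pc15 SMTPSVC1 MAIL01 10.0.0.5 25 RCPT - +TO:<frank@example.test> 250
2005-07-06 03:00:04 10.0.0.15 pc15 SMTPSVC1 MAIL01 10.0.0.5 25 DATA - <m4@pc15> 250
2005-07-06 03:00:04 10.0.0.15 pc15 SMTPSVC1 MAIL01 10.0.0.5 25 QUIT - pc15 240
2005-07-06 03:05:10 10.0.0.22 pc22 SMTPSVC1 MAIL01 10.0.0.5 25 HELO - +pc22 250
2005-07-06 03:05:10 10.0.0.22 pc22 SMTPSVC1 MAIL01 10.0.0.5 25 MAIL - +FROM:<grace@example.test> 250
2005-07-06 03:05:10 10.0.0.22 pc22 SMTPSVC1 MAIL01 10.0.0.5 25 RCPT - +TO:<bob@example.test> 250
2005-07-06 03:05:11 10.0.0.22 pc22 SMTPSVC1 MAIL01 10.0.0.5 25 DATA - <m5@pc22> 250
2005-07-06 03:05:11 10.0.0.22 pc22 SMTPSVC1 MAIL01 10.0.0.5 25 QUIT - pc22 240
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields: names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields: carries information we need.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("data line seen before a #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def summarise_by_client(records: Iterable[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Count messages (MAIL), recipients (RCPT) and 5xx rejections per c-ip."""
    summary: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"messages": 0, "recipients": 0, "rejected": 0})
    for rec in records:
        ip = rec["c-ip"]
        verb = rec["cs-method"].upper()
        if verb == "MAIL":
            summary[ip]["messages"] += 1
        elif verb == "RCPT":
            summary[ip]["recipients"] += 1
        if rec["sc-status"].startswith("5"):
            summary[ip]["rejected"] += 1
    return dict(summary)


def suspect_senders(summary: Dict[str, Dict[str, int]], max_messages: int = 3) -> List[str]:
    """Client IPs that submitted more than max_messages messages in the log."""
    return sorted(ip for ip, s in summary.items() if s["messages"] > max_messages)


if __name__ == "__main__":
    stats = summarise_by_client(parse_w3c(SAMPLE_LOG.splitlines()))
    for ip, s in sorted(stats.items()):
        print(f"{ip:15} messages={s['messages']:3} recipients={s['recipients']:3} rejected={s['rejected']:3}")
    print("hosts to look at:", suspect_senders(stats))
```

Tune `max_messages` to the window you feed in (a single hourly log file is a sensible unit on a small server) and run it only over logs from the virtual server that your internal clients submit to; on the Internet-facing side every address is remote, which is John's point about zombies.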

-----Original Message-----
From: Praveen Ramaswamy [mailto:ramaswamy_praveen@xxxxxxxxx] 
Sent: Wednesday, July 06, 2005 12:01 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Tracking mails--Author again :) 

Hi John, 

For example: A PC within our network gets infected with a mass mailer virus. This 
PC starts sending mails to all the users in the address book. So if I can find 
out the IP address of that PC then I can easily track it down and pull off the 

I used to do this in my previous company. We had sendmail running on HP-UX and 
we could easily figure out the sender host IP. I can still trace incoming mails 
from the outside world as I have sendmail sitting in the gateway. But I want to 
know how I do this with Exchange 2003.


Praveen R

"John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx> wrote:
What is the purpose of knowing where the virus infected e-mail came from? In 
this day and age, most viruses now are using virus infected zombies to send 
their filth. Chances are if you received 50 different virus infected e-mails, 
they will come from 45 different IP addresses.

Now, if you are talking about your outgoing messages, that is the wrong way to 
find them, or I should say the least efficient way.

John T
eServices For You

-----Original Message-----
From: Praveen Ramaswamy [mailto:ramaswamy_praveen@xxxxxxxxx] 
Sent: Tuesday, July 05, 2005 7:11 AM
To: [ExchangeList]
Subject: [exchangelist] Tracking mails 


I want to track incoming and outgoing mails on my Exchange 2003 server. 
Basically I want to know from which IP address the mail has arrived on the Exchange 
server. In case of a virus mail, the antivirus quarantines the message which is 
fine, but I would like to know the host which is generating the mails. 
Basically I can check the message header in Outlook options but can I find this 
info on the server itself? Message tracker doesn't give details about the host 
it has received the mail from. 


Praveen R 

