
Is there a way to view authenticated SMTP Sessions?

We are getting lots of SMTP traffic in our tracking logs at odd hours of the day. What I'd like to do is to see which user(s) are sending SMTP messages during those hours.

Is this possible?


After enabling logging on the receive connector, this is a typical transaction. But there is no SMTP user listed...

Receive Connector - SERVER01,08D0E9538D1F8114,0,10.1.1.251:25,109.154.177.81:3983,+,,
2014-01-28T12:44:18.548Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,1,10.1.1.251:25,109.154.177.81:3983,,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2014-01-28T12:44:18.548Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,2,10.1.1.251:25,109.154.177.81:3983,>,"220 mailgate.ourserver.co.uk Microsoft ESMTP MAIL Service ready at Tue, 28 Jan 2014 12:44:17 +0000",
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,3,10.1.1.251:25,109.154.177.81:3983,<,EHLO host109-157-239-12.range109-157.btcentralplus.com,
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,4,10.1.1.251:25,109.154.177.81:3983,>,250-mailgate.ourserver.co.uk Hello [109.154.177.81],
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,5,10.1.1.251:25,109.154.177.81:3983,>,250-SIZE,
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,6,10.1.1.251:25,109.154.177.81:3983,>,250-PIPELINING,
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,7,10.1.1.251:25,109.154.177.81:3983,>,250-DSN,
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,8,10.1.1.251:25,109.154.177.81:3983,>,250-ENHANCEDSTATUSCODES,
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,9,10.1.1.251:25,109.154.177.81:3983,>,250-AUTH,
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,10,10.1.1.251:25,109.154.177.81:3983,>,250-8BITMIME,
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,11,10.1.1.251:25,109.154.177.81:3983,>,250-BINARYMIME,
2014-01-28T12:44:18.570Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,12,10.1.1.251:25,109.154.177.81:3983,>,250 CHUNKING,
2014-01-28T12:44:18.600Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,13,10.1.1.251:25,109.154.177.81:3983,<,MAIL FROM:,
2014-01-28T12:44:18.600Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,14,10.1.1.251:25,109.154.177.81:3983,,08D0E9538D1F8114;2014-01-28T12:44:18.548Z;1,receiving message
2014-01-28T12:44:18.600Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,15,10.1.1.251:25,109.154.177.81:3983,<,RCPT TO:,
2014-01-28T12:44:18.600Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,16,10.1.1.251:25,109.154.177.81:3983,<,DATA,
2014-01-28T12:44:18.600Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,17,10.1.1.251:25,109.154.177.81:3983,>,250 2.1.0 Sender OK,
2014-01-28T12:44:18.600Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,18,10.1.1.251:25,109.154.177.81:3983,>,250 2.1.5 Recipient OK,
2014-01-28T12:44:18.600Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,19,10.1.1.251:25,109.154.177.81:3983,>,354 Start mail input; end with .,
2014-01-28T12:44:22.910Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,20,10.1.1.251:25,109.154.177.81:3983,*,Tarpit for '0.00:00:04.138' due to 'DelayedAck',Delivered
2014-01-28T12:44:22.910Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,21,10.1.1.251:25,109.154.177.81:3983,>,250 2.6.0 [InternalId=687815] Queued mail for delivery,
2014-01-28T12:44:22.958Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,22,10.1.1.251:25,109.154.177.81:3983,<,QUIT,
2014-01-28T12:44:22.958Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,23,10.1.1.251:25,109.154.177.81:3983,>,221 2.0.0 Service closing transmission channel,
2014-01-28T12:44:22.959Z,SERVER01\Default Internet Receive Connector - SERVER01,08D0E9538D1F8114,24,10.1.1.251:25,109.154.177.81:3983,-,,Local

alcomcomputing
  • The Receive Connector log is going to show messages sent from your authenticated users and it's going to show messages sent from external senders to your organization, so you're going to have to wade through the log to differentiate the two. What type of SMTP activity are you suspicious of? Can you provide some details or log entries? – joeqwerty Jan 29 '14 at 19:34
  • The above is a typical suspicious activity. It was submitted to our server by an authenticated user. I am trying to detect which of our user accounts was used to submit this email. The email is in our outbound queue as the destination domain does not exist. – alcomcomputing Jan 30 '14 at 09:07

1 Answer


You can enable SMTP logging (disabled by default) and then view the actual SMTP transactions themselves. Sure.

See here: http://exchangepedia.com/2007/05/exchange-server-2007-logging-smtp-protocol-activity.html

Enable protocol logging on a Receive Connector

To enable protocol logging on Receive Connectors, use the following command:

Set-ReceiveConnector "Connector Name" -ProtocolLoggingLevel verbose

Enable protocol logging on a Send Connector

Unlike Exchange Server 2003/2000, you have to enable logging separately for Send Connectors (used to send mail outside the Exchange organization; Send Connectors are the equivalent of SMTP Connectors in Exchange 2003/2000), using the following command:

Set-SendConnector "Send Connector Name" -ProtocolLoggingLevel verbose

Besides the visible Receive and Send connectors, an invisible Send Connector lurks under the hood – used to transport messages within the organization, between Hub Transport servers, Edge Transport servers, and Exchange Server 2003/2000 servers. It’s the Intra-Organization Send Connector. You won’t see it in the console, or in the shell if you use the get-SendConnector command. To configure protocol logging for this Intra-Organization Send Connector:

Set-TransportServer "TRANSPORT SERVER NAME" -IntraOrgConnectorProtocolLoggingLevel verbose

Receive Connector logs are located in:

Exchange 2010: \Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive 

Send Connector logs are located in:

Exchange 2010: \Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpSend 

Credit given to the author of the link in question: by Bharat Suneja on May 3, 2007

TheCleaner
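Once protocol logging is on, the SmtpReceive log answers the question directly: an authenticated session carries the client's AUTH command and the server's 235 reply before MAIL FROM, while a session with neither (like the one quoted in the question, which advertises 250-AUTH but never uses it) was accepted on the connector's anonymous permissions and has no user account to attribute. The following parser is an added example, not code from the question, the answer, or Exchange: it groups records by session-id, records each session's AUTH verdict, last permission set and MAIL FROM values, and filters sessions by hour. The sample log is constructed in the question's record layout with shortened connector names; the second session's AUTH exchange and permission strings are assumed.

```python
import csv
import io

# Constructed sample in the layout of the Exchange SmtpReceive protocol log quoted in the
# question (connector names shortened). Session ...8114 mirrors that session; session
# ...8F1A is an assumed AUTH LOGIN session with its base64 challenge lines omitted.
SAMPLE_LOG = """\
2014-01-28T02:10:05.220Z,SERVER01\\Default Internet,08D0E9538D1F8F1A,4,10.1.1.251:25,198.51.100.23:51022,<,AUTH LOGIN,
2014-01-28T02:10:05.400Z,SERVER01\\Default Internet,08D0E9538D1F8F1A,7,10.1.1.251:25,198.51.100.23:51022,>,235 2.7.0 Authentication successful,
2014-01-28T02:10:05.401Z,SERVER01\\Default Internet,08D0E9538D1F8F1A,8,10.1.1.251:25,198.51.100.23:51022,*,SMTPSubmit SMTPAcceptAnyRecipient BypassAntiSpam AcceptRoutingHeaders,Set Session Permissions
2014-01-28T02:10:05.500Z,SERVER01\\Default Internet,08D0E9538D1F8F1A,9,10.1.1.251:25,198.51.100.23:51022,<,MAIL FROM:<user@ourserver.co.uk>,
2014-01-28T12:44:18.548Z,SERVER01\\Default Internet,08D0E9538D1F8114,0,10.1.1.251:25,109.154.177.81:3983,+,,
2014-01-28T12:44:18.548Z,SERVER01\\Default Internet,08D0E9538D1F8114,1,10.1.1.251:25,109.154.177.81:3983,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2014-01-28T12:44:18.600Z,SERVER01\\Default Internet,08D0E9538D1F8114,13,10.1.1.251:25,109.154.177.81:3983,<,MAIL FROM:<sender@example.net>,
2014-01-28T12:44:22.910Z,SERVER01\\Default Internet,08D0E9538D1F8114,21,10.1.1.251:25,109.154.177.81:3983,>,250 2.6.0 [InternalId=687815] Queued mail for delivery,
"""
FIELDS = ("timestamp", "connector", "session", "seq", "local", "remote", "event", "data", "context")

def summarize_sessions(log_text):
    """Group records by session-id and record the server's AUTH verdict (235 success /
    535 failure), the last permission set applied, and every MAIL FROM submitted.
    event column: '<' client to server, '>' server to client, '*' information."""
    sessions = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < len(FIELDS):
            continue  # blank or truncated record: skip rather than crash
        rec = dict(zip(FIELDS, row))
        s = sessions.setdefault(rec["session"], {"remote": rec["remote"], "first_seen": rec["timestamp"],
                                                 "auth_result": None, "permissions": [], "mail_from": []})
        data = rec["data"]
        if rec["event"] == ">" and data[:3] in ("235", "535"):
            s["auth_result"] = "success" if data.startswith("235") else "failure"
        elif rec["context"] == "Set Session Permissions":
            s["permissions"] = data.split()  # last one wins: assumed re-applied after a successful AUTH
        elif rec["event"] == "<" and data.upper().startswith("MAIL FROM:"):
            s["mail_from"].append(data[10:].strip())
    return sessions

def unauthenticated_submissions(sessions):
    """Sessions that sent MAIL FROM without a 235: mail accepted on the connector's
    anonymous permissions alone, so no user account can be attributed to it."""
    return sorted(sid for sid, s in sessions.items()
                  if s["mail_from"] and s["auth_result"] != "success")

def sessions_between(sessions, start_hour, end_hour):
    """Session ids whose first record falls in [start_hour, end_hour) UTC."""
    return sorted(sid for sid, s in sessions.items()
                  if start_hour <= int(s["first_seen"][11:13]) < end_hour)
```

On a real log, read the files from the SmtpReceive directory named in the answer (the protocol log is CSV with a few `#`-prefixed header lines, which the length check skips), then combine `sessions_between` with the `remote` and `permissions` fields to see which connector permissions let the off-hours sessions submit mail.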