Interrogate SMTP Logs

This guide assumes you are running Exchange 2010, although it should work with other versions. The Excel-specific information assumes you have Excel 2010 on your workstation.

The first step is retrieving the SMTP logs. They are stored on your Hub Transport servers, and by default they are located at C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive\

I usually copy the logs to a workstation so as not to affect anything on the server. The next step is to interrogate the logs to find devices that are using your servers as an open relay. To do so:

1. Open Excel.

2. File > Open > Select File > Open

3. Change type to All Files (*.*)

4. Choose Delimited > Next

5. Then choose the options as shown below

(Screenshot: SMTPLogs)

6. Hit Finish.

7. Add a filter on the 5th row (Home > Sort & Filter > Filter).

8. On Context (Column I), change the filter so only EHLO and HELO entries show up. Sort column A to Z.

The IP of the relaying device can be read from the remote-endpoint column (F).
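The same interrogation can be done without Excel, which helps when there are many log files or when you want to repeat the check on a schedule. The script below is an added example and is not part of the original guide. It keys on the field names in the log's "#Fields:" line rather than on Excel column letters, groups every EHLO/HELO greeting by the remote IP, and reports how many sessions each IP opened and what names it greeted with. The log content, host names, IPs and session ids in SAMPLE_LOG are constructed for the example in the SmtpReceive log layout; the script assumes the greeting text appears in the data or context field.

```python
import csv
from collections import defaultdict

# Constructed sample in the Exchange 2010 SmtpReceive protocol-log layout:
# four "#" header lines, a "#Fields:" line, then comma-separated records.
# Every host, IP and session id below is made up for the example.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2013-01-01T00:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-01-01T08:00:01.000Z,HUB01\\Default HUB01,08CF0000000001,0,10.0.0.5:25,10.0.0.77:49152,+,,
2013-01-01T08:00:01.010Z,HUB01\\Default HUB01,08CF0000000001,1,10.0.0.5:25,10.0.0.77:49152,>,"220 hub01.example.local Microsoft ESMTP MAIL Service ready",
2013-01-01T08:00:01.020Z,HUB01\\Default HUB01,08CF0000000001,2,10.0.0.5:25,10.0.0.77:49152,<,EHLO printer-3f.example.local,
2013-01-01T08:00:01.030Z,HUB01\\Default HUB01,08CF0000000001,3,10.0.0.5:25,10.0.0.77:49152,<,MAIL FROM:<scanner@example.local>,
2013-01-01T08:00:02.000Z,HUB01\\Default HUB01,08CF0000000002,0,10.0.0.5:25,10.0.0.91:51000,+,,
2013-01-01T08:00:02.020Z,HUB01\\Default HUB01,08CF0000000002,2,10.0.0.5:25,10.0.0.91:51000,<,HELO app-server,
2013-01-01T08:05:00.000Z,HUB01\\Default HUB01,08CF0000000003,0,10.0.0.5:25,10.0.0.77:49300,+,,
2013-01-01T08:05:00.020Z,HUB01\\Default HUB01,08CF0000000003,2,10.0.0.5:25,10.0.0.77:49300,<,EHLO printer-3f.example.local,
"""

GREETINGS = ("EHLO", "HELO")


def parse_smtp_receive_log(text):
    """Return one dict per record, keyed by the names from the #Fields: line."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):
            continue  # #Software / #Version / #Log-type / #Date header lines
        if fields is None:
            raise ValueError("record found before the #Fields: header")
        values = next(csv.reader([line]))  # csv handles quoted fields such as the 220 banner
        values += [""] * (len(fields) - len(values))  # pad short records
        rows.append(dict(zip(fields, values)))
    return rows


def relaying_endpoints(rows):
    """Group EHLO/HELO greetings by remote IP (IPv4 address:port, port stripped)."""
    by_ip = defaultdict(lambda: {"sessions": set(), "names": set()})
    for r in rows:
        # The command text is checked in both data and context so the match does
        # not depend on which column the import placed it in.
        cmd = next((v for v in (r.get("data", ""), r.get("context", ""))
                    if v.upper().startswith(GREETINGS)), None)
        if cmd is None:
            continue
        ip = r["remote-endpoint"].rsplit(":", 1)[0]
        parts = cmd.split(None, 1)
        claimed_name = parts[1] if len(parts) > 1 else ""
        by_ip[ip]["sessions"].add(r["session-id"])
        by_ip[ip]["names"].add(claimed_name)
    return dict(by_ip)


def report(by_ip):
    """One line per remote IP, busiest first. The greeted name is client-supplied;
    the IP is the trustworthy value, as in the Excel remote-endpoint column."""
    ordered = sorted(by_ip.items(), key=lambda kv: (-len(kv[1]["sessions"]), kv[0]))
    return [f"{ip:15} sessions={len(info['sessions'])} greeted as: "
            f"{', '.join(sorted(info['names']))}" for ip, info in ordered]


if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG
    if len(sys.argv) > 1:  # usage: python relay_check.py <copied SmtpReceive log file>
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    for line in report(relaying_endpoints(parse_smtp_receive_log(text))):
        print(line)
```

Run it against a copied log file to get the same view as the filtered Excel sheet, with one line per remote IP instead of one per greeting. Unexpected IPs (printers, scanners, application servers nobody registered) are the ones to follow up on, and because the greeted name is whatever the client sent, the remote IP is the value to act on.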
