
Exchange 2003 message tracker showing event id 1031 for spam.


  • Exchange 2003 message tracker showing event id 1031 for spam.

    Hi everybody,

    Main question: Is there a way to track connections internally to the Exchange server? Is there a way to log the internal IP addresses of clients using Outlook 2003 every time they connect to Exchange?

    These junk email messages are making it out of my Exchange server. I am pretty sure that my Exchange server is not a relay after multiple verifications. I am suspecting it to be a mass mailer trojan virus. However, I have no clue how to find out which workstation is infected. The message tracker for Exchange 2003 only shows information on the client IP, and that always shows an external one. But I am sure after careful review that it is coming from internal. Is there another method of tracking connections from internal clients to the internal mail server? My company uses Outlook 2003 and I checked everybody's Sent Items folder, and there were no emails that were sent out with those message headers. Here is an example of the message tracking logs:

    3/28/2006 0:10:12 GMT -1211838264 TOREADOR 1031 3 0 2017 16 2006-3-28 0:9:20 GMT 0 Version: 6.0.3790.1830 - International Legal RX

    What solutions are there on how to find out which possibly infected internal computer the spam is originating from. I can't seem to find that information in the logs of the exchange server and windows server. Any help would be great. I also have tried doing a full sweep using symantec anti-virus to see if there were any computers that were infected but that came out to be negative. Thank you in advance.
    Last edited by klimax; 28th March 2006, 17:43. Reason: Not specific enough

  • #2
    Re: Exchange 2003 message tracker showing event id 1031 for spam.

    Your best bet might be to uplink a hub to your switch and put a packet sniffer on it. I've used a free one called Ethereal. While not very user friendly, it will yield some results. You can categorize traffic by SMTP, IPX, TCP/IP, etc. If you use this method, one category will likely jump out at you as having heavy traffic. Be sure to use a hub. You'll be unable to utilize a packet sniffer on a switch unless all the ports are in promiscuous mode.
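As an added example (not from either poster), the script below applies the approach in #2 to a sniffer's summary export: it counts TCP connection attempts to port 25 on the Exchange server per internal source address and flags the heavy talkers. The one-line-per-packet export format, the addresses and the threshold are constructed assumptions; since Outlook 2003 talks to Exchange over MAPI rather than SMTP, an internal workstation opening many SMTP sessions to the server is worth a look.

```python
import re
from collections import Counter

# Constructed sample in the shape of a packet-sniffer summary export
# (time, source, destination, protocol, info). Not a real capture.
SAMPLE_SUMMARY = """\
0.000 192.168.1.14 192.168.1.5 TCP 1045 > 25 [SYN] Seq=0
0.004 192.168.1.5 192.168.1.14 TCP 25 > 1045 [SYN, ACK] Seq=0 Ack=1
0.120 192.168.1.22 192.168.1.5 TCP 3301 > 25 [SYN] Seq=0
0.121 192.168.1.22 192.168.1.5 TCP 3302 > 25 [SYN] Seq=0
0.123 192.168.1.22 192.168.1.5 TCP 3303 > 25 [SYN] Seq=0
0.130 192.168.1.22 192.168.1.5 TCP 3304 > 25 [SYN] Seq=0
0.200 192.168.1.31 192.168.1.5 TCP 1812 > 135 [SYN] Seq=0
0.311 192.168.1.22 192.168.1.5 TCP 3305 > 25 [SYN] Seq=0
"""

# A connection attempt to the mail server is a bare SYN (no ACK flag)
# from an ephemeral port to TCP port 25. Assumed summary layout.
SYN_TO_SMTP = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+TCP\s+"
    r"\d+ > 25 \[SYN\]"
)


def smtp_connections_by_source(summary, mail_server):
    """Count SMTP connection attempts (SYN to port 25 on mail_server) per source IP."""
    counts = Counter()
    for line in summary.splitlines():
        m = SYN_TO_SMTP.match(line)
        if m and m.group("dst") == mail_server:
            counts[m.group("src")] += 1
    return counts


def suspicious_sources(counts, threshold):
    """Sources that opened at least `threshold` SMTP connections, busiest first.
    Outlook 2003 uses MAPI to reach Exchange, so a chatty SMTP client on the
    LAN is the candidate workstation to examine."""
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    counts = smtp_connections_by_source(SAMPLE_SUMMARY, "192.168.1.5")
    for ip, n in suspicious_sources(counts, threshold=3):
        print(f"{ip}: {n} SMTP connection attempts")
```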