Where is the MAPI Access log in Exchange 2007

exchange-2007

I have a machine sending out spam on my network. Message tracking in Exchange shows the source IP as the IP of my Exchange Cluster rather than the source workstation. The user's PC was off during the time when the messages were sent so it appears to have come from a different workstation, OWA or mobile device. I've checked OWA logs and the only thing to connect with his credentials has been his iPhone.

I now want to find the logs that will show me which devices (IP address) have connected to Exchange via Outlook (MAPI) but I can't seem to find this log file. I have googled and also searched through this forum before posting and have only found others with my same question – no answer.

Thanks

Best Answer

There is no feature in Exchange 2007 to do what you're looking for, specifically. Mailbox Audit Logging was added in Exchange 2010 to "beef up" the auditing capabilities on mailbox access through MAPI.

It would be unique, in my experience, to have a client submitting spam via MAPI. It's much more likely that you've allowed open relaying from either your LAN or the Internet and the messages are being relayed via SMTP. It's also possible that they're originating on the Exchange Server computer itself.

I'd set up a port-mirror of the Exchange Server computer's network interface and sniff all SMTP traffic until some of the offending traffic was recorded. I suspect you'll find the source of the messages doing that.

If you can actually get your hands on one of the offending messages, look for a header similar to the following:

Received: from Your-Exchange-Server.domain.com ([1.1.1.1]) by
    Your-Exchange-Server.domain.com ([1.1.1.1]) with mapi; Mon, 16 Jan 2012
    14:47:40 -0500

Messages submitted w/ MAPI would have that header in an Exchange 2007 environment.
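
The header check described in the answer above can be scripted when there are many captured messages to triage. This is an added example, not part of the original answer: it parses the Received chain oldest-first and reports whether the first hop was a MAPI submission or an SMTP hand-off, along with the source IP. The SMTP sample (host names, the 192.0.2.45 and 1.1.1.2 addresses, and the "Microsoft SMTP Server" wording) is constructed for illustration.

```python
import re
from email import message_from_string

# "from HOST (IP) by HOST (IP) with PROTOCOL;" - brackets around the IP are optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s+\(\[?(?P<from_ip>[0-9A-Fa-f.:]+)\]?\)\s+"
    r"by\s+(?P<by_host>\S+)\s+\(\[?(?P<by_ip>[0-9A-Fa-f.:]+)\]?\)\s+"
    r"with\s+(?P<proto>[^;]+);", re.IGNORECASE)

def parse_hops(raw_message):
    """Return the Received hops oldest-first; unparseable ones are kept as {'raw': ...}."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so the last one in the message is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        hops.append(m.groupdict() if m else {"raw": flat})
    return hops

def submission_source(raw_message):
    """Classify the oldest hop: ('mapi' | 'smtp' | 'other' | 'unknown', source IP)."""
    hops = parse_hops(raw_message)
    if not hops or "raw" in hops[0]:
        return ("unknown", None)
    proto = hops[0]["proto"].strip().lower()
    if proto == "mapi":
        kind = "mapi"
    else:
        kind = "smtp" if "smtp" in proto else "other"
    return (kind, hops[0]["from_ip"])

# Header quoted in the answer, wrapped in a minimal constructed message.
MAPI_SAMPLE = (
    "Received: from Your-Exchange-Server.domain.com ([1.1.1.1]) by\n"
    "    Your-Exchange-Server.domain.com ([1.1.1.1]) with mapi; Mon, 16 Jan 2012\n"
    "    14:47:40 -0500\nSubject: sample\n\nbody\n")
# Constructed sample: a LAN host relays through the server, which passes it on.
SMTP_SAMPLE = (
    "Received: from Your-Exchange-Server.domain.com (1.1.1.1) by\n"
    "    edge.domain.com (1.1.1.2) with Microsoft SMTP Server; Mon, 16 Jan 2012\n"
    "    14:50:03 -0500\n"
    "Received: from lan-host.domain.com (192.0.2.45) by\n"
    "    Your-Exchange-Server.domain.com (1.1.1.1) with Microsoft SMTP Server;\n"
    "    Mon, 16 Jan 2012 14:50:02 -0500\nSubject: sample\n\nbody\n")

if __name__ == "__main__":
    for name, sample in (("mapi", MAPI_SAMPLE), ("smtp", SMTP_SAMPLE)):
        print(name, submission_source(sample))
```

A "mapi" result whose source IP is the Exchange server itself only confirms store submission; it does not identify the client, which is the limitation the answer describes for Exchange 2007.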