Find who is mailing the entire internet from our Exchange 2007 or later

So my customer got banned from mailing Hotmail and a few other Microsoft spam-protected domains. So what is the jig?

Let's start by examining the error message that we got:

Well, this seems a nice error with a nice error code, so let's go to the troubleshooting page. There we find the following:

So now we know why we were banned: someone sent a lot of mail to hotmail/outlook.com addresses that didn't exist. That helps a little, but not really. So let's use Exchange to find out whether anybody sent any mails with many recipients in the last few days.

Nice, now we have all messages from the last few days in a variable. So how many mails have been sent to more than 100 persons?

Okay, that didn't go as planned. So we need to see how many people were on each mail:

Looks like we found our creep that got us banned. So, just for the sake of being immaculate, let's see just the ones with more than 100 recipients and a Hotmail recipient:

So there we have it, problem solved. And for once it wasn't the creep, not even a feature creep.
If you are having problems copying the commands, please see the following file here.
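
An added example (not the author's original commands) of the filter the steps above describe: tracking-log entries with more than 100 recipients, at least one of them at a Hotmail-family domain. The function names `Find-BulkSender` and `New-SampleEvent`, the domain pattern and the constructed sample events are assumptions for illustration; the property names are those returned by `Get-MessageTrackingLog`.

```powershell
# Added example, not the original post's commands.
# Find-BulkSender and its defaults are hypothetical names/values.
function Find-BulkSender {
    param(
        [int]    $MinRecipients = 100,
        [string] $DomainPattern = '@(hotmail|outlook|live)\.'
    )
    process {
        $entry = $_
        # One message produces several tracking events; keep only RECEIVE
        # so each submitted message is evaluated once.
        if ($entry.EventId -ne 'RECEIVE') { return }
        # Recipients is a collection, so count its entries per message.
        $rcpts = @($entry.Recipients)
        if ($rcpts.Count -le $MinRecipients) { return }
        $hits = @($rcpts | Where-Object { $_ -match $DomainPattern })
        if ($hits.Count -eq 0) { return }
        $entry | Select-Object Timestamp, Sender, MessageSubject,
            @{ Name = 'RecipientCount';  Expression = { $rcpts.Count } },
            @{ Name = 'MatchingDomains'; Expression = { $hits.Count } }
    }
}

# Constructed sample events (reserved .example domains) so the filter
# can be tried without an Exchange server.
function New-SampleEvent($From, $Count, $Domain, $EventId = 'RECEIVE') {
    New-Object PSObject -Property @{
        Timestamp      = Get-Date
        EventId        = $EventId
        Sender         = $From
        MessageSubject = 'constructed sample'
        Recipients     = @(1..$Count | ForEach-Object { 'user{0}@{1}' -f $_, $Domain })
    }
}

$sample = @(
    New-SampleEvent 'newsletter@contoso.example' 150 'partner.example'
    New-SampleEvent 'hijacked@contoso.example'   250 'hotmail.example'
    New-SampleEvent 'hijacked@contoso.example'   250 'hotmail.example' 'SEND'
    New-SampleEvent 'alice@contoso.example'        3 'hotmail.example'
)
$sample | Find-BulkSender | Format-Table -AutoSize

# Against live data, in the Exchange Management Shell (Exchange 2007+):
# Get-MessageTrackingLog -Start (Get-Date).AddDays(-3) -EventId RECEIVE -ResultSize Unlimited |
#     Find-BulkSender | Group-Object Sender | Sort-Object Count -Descending
```

Grouping the result by `Sender` shows which account submitted the bulk messages, which is the account whose password should be changed if it turns out to be hijacked.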

Comments

  1. Kutub says:

    Do the above PowerShell commands need any modification, i.e. server names or locations?
    I am getting the error “Missing ‘)’ in method call. At line:1 char:127”
    I'm new to PowerShell!!

    • virot says:

      Hi.
      I'm not sure why, but there was some junk in a command that I removed. If it was the Get-MessageTrackingLog that gave you the error, it might work now. Otherwise, which command is giving you the problem?

  2. mark says:

    Having the same issue here but can’t find the culprit. Can you send me your script? From here I am not able to see all of your commands.

    • virot says:

      Hi, I added a text file with the commands if you are having problems with the JavaScript that is doing the commands.

  3. AtMos says:

    Very helpful.
    Happy New Year

  4. Muhammad Haseeb says:

    Hi,
    Can you please let me know how I run these commands on Exchange 2003 (OS Server 2003)?

    I have just installed KB968930 and run PowerShell.

    Please guide me.

    Haseeb

    • virot says:

      Hi Haseeb,
      I'm sorry to say that this will only work on Exchange 2007 or later. I think you will need to google for an older solution.
      Extended Support End Date for Exchange 2003 is set at April 8, 2014.

  5. Muhammad Haseeb Ullah says:

    Hi Virot,

    OK, but can you please advise how we can cope with the name space mining issue on an Exchange 2003 server, as Microsoft blocked all email that was sent from us.

    Any workaround?

    Regards
    Haseeb

  6. Rudi Antos says:

    Hello,

    I guess I don’t understand what the problem was or how you fixed it?

    Thanks,
    Rudi

    • virot says:

      Hi.

      Well, the problem is usually that somebody within your organization sends a large amount of mail to non-existing @hotmail addresses. This triggers the block I faced and I guess the one you searched to get here. This block usually lasts for 2 – 3 days. But if you have a hijacked mail address you will get blocked again and again. Therefore it is important to find which user sent large amounts of mail to hotmail/live etc. My suggestion is just to change the password; that usually stops new blocks from happening, given the account was hijacked.
