Find who is mailing the entire internet from our Exchange 2007 or later ·

So my customer got banned from mailing hotmail and a few other microsoft spam protected domains. So what is the jig.

Lets start to examine the error message that we got:

SNT0-MC4-F31.Snt0.hotmail.com gave this error: SC-002 (SNT0-MC4-F31) Unfortunately, messages from 10.255.255.255 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.

ell this seems a nice error with a nice error code, so lets go to the troubleshooting page. There we find the following:

Mail rejected by Outlook for policy reasons. The mail server IP connecting to Outlook has exhibited namespace mining behavior. If you are not an email/network admin please contact your Email/Internet Service Provider for help.

So we now know why we were banned.. Someone did send a lot of mails to hotmail/outlook.com that didnt exist. So that helps a little but not really. So lets use Exchange to find if anybody sent any mails with many recipients the last few days.

$track = ForEach ($server in (Get-TransportServer)){
  Get-MessageTrackingLog -ResultSize Unlimited -Start ((Get-Date).AddDays(-5)) -Server $server -EventID Send
}

Nice now we have all messages from the last few days in a nice variable.. So who many mails have been sent to more than 100 persons?

[PS] C:>$track | ? {$_.RecipientCount -gt 100}

EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
SEND     SMTP     automatic@someplace.example.co... {recipient1232@example.com, re... One of may legit mails.
SEND     SMTP     somejoe@example.com               {recipient7322@example.com, re... Another legit mail
SEND     SMTP     anotherjoe@example.com            {recipient6242@example.net, re... This one too is a legit mail
^C

Okey that didnt go as planed. So we need to see how many people were on each mail:

$track | ? {$_.RecipientCount -gt 10} | Format-Table -Auto Sender, RecipientCount

Sender                          RecipientCount
------                          --------------

automatic@someplace.example.com            102
somejoe@example.com                        203
anotherjoe@example.com                     105
creep@example.com                          100
moreaddresses@example.com                  120
last@example.com                           300

Looks like we found our creep that got us banned.. So just for sake of being immaculate, lets see just the ones with more than 100 and a hotmail recipient:

$track | ? {$_.RecipientCount -gt 10 -and $_.recipients -like '*@hotmail.*'} | Format-Table -Auto Sender, RecipientCount

Sender                          RecipientCount
------                          --------------

automatic@someplace.example.com            102
last@example.com                           300

So there we have it, problem solved. And for once it wasnt the creep, not even a feature creep.