IP Addresses are sometimes not shown in Anti-Spam log (get-agentlog). Why?

We have the following scenario: Exchange 2007 is in place and the Anti-Spam agents are enabled on your Hub Transport servers. Fine, good move. During normal administrative work you reach the point where you have to check the Anti-Spam logs. So you open the EMS, run get-agentlog and... you discover that not all logged entries contain the IP address of the sending system. Like in the following example:

[PS] C:\Windows\System32>get-agentlog
Timestamp : 2/8/2010 5:01:49 PM
SessionId : 08CC76E6A839D299
IPAddress : 10.10.10.250
MessageId : <60a5876e-2ecb-4e77-b367-48ff2c24fd24@EX2K7.mara.mix>
P1FromAddress : uwe@gmx.de
P2FromAddresses : {uwe@gmx.de}
Recipients : {laura@mara.mix}
Agent : Content Filter Agent
Event : OnEndOfData
Action : AcceptMessage
SmtpResponse :
Reason : SCL
ReasonData : 6
Diagnostics :

Timestamp : 2/8/2010 5:03:40 PM
SessionId : 08CC76E6A839D29A
IPAddress :
MessageId : <5167f33d-2541-44b2-bb9f-91e4c088d1d4@EX2K7.mara.mix>
P1FromAddress : holger@aol.de
P2FromAddresses : {holger@aol.de}
Recipients : {laura@mara.mix}
Agent : Content Filter Agent
Event : OnEndOfData
Action : AcceptMessage
SmtpResponse :
Reason : SCL
ReasonData : 6
Diagnostics :

"Why?" would be your first question. Other logged entries show all the expected fields and values. Some of you might get curious about this, some might even get worried. By the way, the behavior was "reproduced" on W2K8 SP2 and EX2K7 SP2.

So you might see this as a problem. As a matter of fact, one of my customers raised this as a problem and demanded at least an explanation. Let's have this behavior explained.

At the beginning I was curious why not all of the entries in the Anti-Spam log were "affected" by this. So I filtered some Anti-Spam logs and came to the conclusion that only specific sending systems were logged without their IP addresses. In particular, my customer had his environment set up with 2 CAS/HUB servers behind NLB. I tested it and could quickly exclude the NLB solution as a reason for this behavior.

Based on further research I discovered that the corresponding field (IPAddress) is filled under two conditions:

1. The Hub Transport server receives the corresponding information when the session is established; in other words, only when this information is available through the session connection.

2. The IPAddress field is filled or left blank based on an evaluation against the Transport Settings, in particular the InternalSMTPServers parameter.

In the management console (EMC), under Organization Configuration → Hub Transport → Global Settings → Transport Settings → Properties, on the "Message Delivery" tab you will find the place where you can configure "Enter the IP addresses of internal SMTP servers. These IP addresses will be ignored by Sender ID and connection filtering". Pretty obvious, isn't it?

This setting corresponds in PowerShell to the InternalSMTPServers property shown by the Get-TransportConfig cmdlet:

[PS] C:\Windows\System32>Get-TransportConfig

ClearCategories : True
ConvertDisclaimerWrapperToEml : False
DSNConversionMode : UseExchangeDSNs
GenerateCopyOfDSNFor : {5.4.8, 5.4.6, 5.4.4, 5.2.4, 5.2.0, 5.1.4}
InternalSMTPServers : {10.10.10.250}
JournalingReportNdrTo : <>
MaxDumpsterSizePerStorageGroup : 18MB
MaxDumpsterTime : 7.00:00:00
MaxReceiveSize : 10MB
MaxRecipientEnvelopeLimit : 5000
MaxSendSize : 10MB
TLSReceiveDomainSecureList : {}
TLSSendDomainSecureList : {}
VerifySecureSubmitEnabled : False
VoicemailJournalingEnabled : True
HeaderPromotionModeSetting : NoCreate
WritingBrandingInDSNEnabled : True
Xexch50Enabled : True

Let's summarize: we discovered that in our enabled Anti-Spam log, not all IP addresses are shown as expected. In my example I reproduced the problem, and you can observe that only mails which came from the 10.10.10.250 IP address, the address listed in InternalSMTPServers, do not show up with an IP address in the Anti-Spam log.

What does InternalSMTPServers actually mean? By default, all systems sending mail to an Exchange 2007 organization are handled as external. But there are scenarios where you, as an administrator, manage not only your Exchange organization but also, for example, one or more smart hosts. All incoming mail flow would come through these smart hosts, and because of this you don't want the Anti-Spam agents to evaluate the smart hosts themselves, but rather the initial or relay server which is sending to the smart hosts. Considering this, you need to instruct Exchange to handle the "foreign" (foreign for Exchange) sending systems as internal, which then allows your Anti-Spam agents to evaluate the original IP address of the sender instead. Another scenario in which you would configure InternalSMTPServers is an organization with one or more allowed relay systems.

To conclude, the behavior is normal: the Anti-Spam agents ignore the IP address of internal sending systems, but still do their job on all mails that come through, regardless of which system they receive them from. If you need all IP addresses listed in the Anti-Spam log, then you need to remove the particular IP addresses from InternalSMTPServers, as in the following example configuration (actually the default one):
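As an added example (not from the original post), the following EMS script correlates agent-log entries that lack an IPAddress with the current InternalSMTPServers list, and optionally removes one address from that list so the Anti-Spam agents log it again. The $RemoveAddress parameter is a hypothetical name; Get-AgentLog, Get-TransportConfig and Set-TransportConfig -InternalSMTPServers are the real cmdlets shown on this page.

```powershell
# Added example, not part of the original post.
# Usage in the EMS:  .\Check-InternalSmtp.ps1            (report only)
#                    .\Check-InternalSmtp.ps1 10.10.10.250 (also remove that address)
param(
    [string]$RemoveAddress = ""   # hypothetical parameter name, assumed for this example
)

$config   = Get-TransportConfig
# InternalSMTPServers holds IP range objects; keep their string form for comparison.
$internal = @($config.InternalSMTPServers | ForEach-Object { $_.ToString() })

# Entries without an IPAddress are the sessions the agents treated as internal.
$blank = @(Get-AgentLog | Where-Object { -not $_.IPAddress })

Write-Host ("Agent log entries without IPAddress : {0}" -f $blank.Count)
Write-Host ("InternalSMTPServers                 : {0}" -f ($internal -join ", "))

# The IP itself is absent from these entries by design, so group by the
# envelope sender to show the administrator which mail flows are affected.
$blank | Group-Object P1FromAddress | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

if ($RemoveAddress -ne "") {
    if ($internal -notcontains $RemoveAddress) {
        Write-Warning "$RemoveAddress is not in InternalSMTPServers; nothing to change."
    } else {
        # Rebuild the list without the address and write it back.
        $newList = @($internal | Where-Object { $_ -ne $RemoveAddress })
        if ($newList.Count -eq 0) {
            # Empty list = default: every sender is external and its IP is logged.
            Set-TransportConfig -InternalSMTPServers $null
        } else {
            Set-TransportConfig -InternalSMTPServers $newList
        }
        Write-Host ("Removed {0}; InternalSMTPServers is now: {1}" -f $RemoveAddress, ($newList -join ", "))
    }
}
```

Removing an address only affects sessions opened after the change; existing log entries keep their blank IPAddress. Remember that a removed smart host or relay is then evaluated by Sender ID and connection filtering itself, which is exactly what the list was meant to avoid.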

[PS] C:\Windows\System32>Get-TransportConfig

ClearCategories : True
ConvertDisclaimerWrapperToEml : False
DSNConversionMode : UseExchangeDSNs
GenerateCopyOfDSNFor : {5.4.8, 5.4.6, 5.4.4, 5.2.4, 5.2.0, 5.1.4}
InternalSMTPServers : {}
JournalingReportNdrTo : <>
MaxDumpsterSizePerStorageGroup : 18MB
MaxDumpsterTime : 7.00:00:00
MaxReceiveSize : 10MB
MaxRecipientEnvelopeLimit : 5000
MaxSendSize : 10MB
TLSReceiveDomainSecureList : {}
TLSSendDomainSecureList : {}
VerifySecureSubmitEnabled : False
VoicemailJournalingEnabled : True
HeaderPromotionModeSetting : NoCreate
WritingBrandingInDSNEnabled : True
Xexch50Enabled : True