Exchange 2007 Not Receiving Emails From a Domain

September 11, 2009


I've had issues where one of our users claims that they do not receive any emails from an outside domain. Outbound mail works: the email gets sent out, and the user confirms by phone with the external user at a different company that they received it. But when that external user sends an email in to us, it never makes it.

It left me stumped for a couple of days, but we have to think about how an email message should be received normally. If email is sending and receiving normally for all other domains, then why is it that one domain is not getting through?

One reason could be that you have enabled the Exchange 2007 anti-spam features. Exchange 2007 filters email through its anti-spam content filtering, IP Allow List, IP Block List, recipient filtering, etc. Many factors can contribute.

To narrow down the possibilities we have to look into Exchange 2007's logs.

The log that Exchange 2007 uses for its anti-spam rules is called the Agent Log. It is located in:

C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog

When you open one of these files in Notepad you'll be overwhelmed by its hard-to-read format. The logs themselves are organized by date:

AgentLogYYYYmmDD-x.LOG

The way Exchange 2007 logs each message filtered through the anti-spam set is:

2009-09-09T17:45:35.501Z,08CBFA7E172A6F22,your-mail-server-ip:25,sending-server-ip:2929,
sending-server-ip,,nightgownszs32@rainbowquartz.com,,ozg@domain.com,1,Connection
Filtering Agent,OnRcptCommand,RejectCommand,550 5.7.1 Your machine has been identified
as malicious and all messages will be rejected from your server.
Please contact your e-mail administrator.,BlockListProvider,Spam Haus,

It's not very easy to read, but each line starts with the date, followed by the message id, your mail server's internal IP and port number, the sending server's IP and port number, the sending server's IP, the sending email address, and the recipient email address.

After that bit of information it lists the reason why the message failed to enter your domain. In this example I am using Spam Haus as an IP Block List provider, which just drops the email, so it never makes it into our network.

There is a way to refine your search so you don't have to spend hours looking through that messy log. Open up PowerShell in Exchange and use this command, or alter it to your liking:

Get-AgentLog -StartDate "mm/dd/yyyy" -EndDate "mm/dd/yyyy" -Location "location of logs" |
where {$_.P1FromAddress -like "*domain.com" -or $_.P2FromAddresses -like "*domain.com"} > agentlog.txt

Get-AgentLog - The start of the command, which grabs data from the anti-spam logs.

-StartDate "mm/dd/yyyy" - This refines your search to start from a specific date. I believe Exchange 2007 keeps these particular logs for 30 days and just starts over.

-EndDate "mm/dd/yyyy" - Specify an end date to end the search.

-Location - This is where the logs are located. In this case it is C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog

where {$_.P1FromAddress -like "*domain.com" -or $_.P2FromAddresses -like "*domain.com"} - This says to look for log entries that pertain to anything from domain.com. If you're looking for a specific sender you can replace *domain.com with "user@domain.com". Note that the property is named P2FromAddresses, as in the report below.

> agentlog.txt - simply writes the output from the command to a text file called agentlog.txt in my home folder.

With that command you get a nicely formatted report:

Timestamp       : 9/4/2009 6:58:16 AM
SessionId       : 08CBFA7E17292AB3
IPAddress       : 11.11.11.11
MessageId       : <4AA0D681.DB2D.0034.1@domain.com>
P1FromAddress   : user@domaina.com
P2FromAddresses : {user@domaina.com}
Recipients      : {user@domainb.net}
Agent           : Content Filter Agent
Event           : OnEndOfData
Action          : DeleteMessage
SmtpResponse    :
Reason          : SclAtOrAboveDeleteThreshold
ReasonData      : 9
Diagnostics     : DV:3.3.7929.600;SID:SenderIDStatus Pass;CW:CustomList

Take notice of the Reason and ReasonData in the report above. The SCL rating is 9. SCL is the Spam Confidence Level, and on my Exchange Server an email with an SCL of 9 is automatically deleted.

Since this user is a legitimate sender and we do business with them, I had to manually add their email server IP to our IP Allow List. In PowerShell you simply type:

Add-IPAllowListEntry -ipaddress x.x.x.x

Where x.x.x.x is the sender’s email server IP address.
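
For raw AgentLog files copied off the server, where Get-AgentLog is not available, the same question can be answered by parsing the comma-separated lines directly. This is an added example, not part of the original post: the helper name Get-AgentVerdict is hypothetical, the column names and the ';' separator for multiple P2 addresses are assumptions based on the raw line and the Get-AgentLog report above, and the sample lines are constructed from values on this page.

```powershell
# Added example, not from the original post. Get-AgentVerdict is a hypothetical name.
# Assumption: columns follow the order of the raw sample line, named after the
# Get-AgentLog properties; multiple P2 addresses are assumed to be ';'-separated.
$Fields = 'Timestamp','SessionId','LocalEndpoint','RemoteEndpoint','EnteredOrgFromIP',
          'MessageId','P1FromAddress','P2FromAddresses','Recipient','NumRecipients',
          'Agent','Event','Action','SmtpResponse','Reason','ReasonData','Diagnostics'

function Get-AgentVerdict {
    param([string[]]$Line, [string]$SenderDomain)

    $pattern = "*@$SenderDomain"
    $Line |
        Where-Object { $_.Trim() -and $_ -notmatch '^#' } |   # skip blank and '#' header lines
        ConvertFrom-Csv -Header $Fields |
        Where-Object {
            $_.P1FromAddress -like $pattern -or
            (($_.P2FromAddresses -split ';') -like $pattern)
        } |
        Select-Object Timestamp, P1FromAddress, Recipient, Agent, Event, Action,
                      Reason, ReasonData, SmtpResponse
}

# Constructed sample: the raw line from this page re-joined onto one line, plus a
# second line built from the values in the Get-AgentLog report on this page.
$sample = @'
# constructed header line; lines starting with '#' are skipped
2009-09-09T17:45:35.501Z,08CBFA7E172A6F22,your-mail-server-ip:25,sending-server-ip:2929,sending-server-ip,,nightgownszs32@rainbowquartz.com,,ozg@domain.com,1,Connection Filtering Agent,OnRcptCommand,RejectCommand,550 5.7.1 Your machine has been identified as malicious and all messages will be rejected from your server. Please contact your e-mail administrator.,BlockListProvider,Spam Haus,
2009-09-04T06:58:16.000Z,08CBFA7E17292AB3,your-mail-server-ip:25,11.11.11.11:2929,11.11.11.11,<4AA0D681.DB2D.0034.1@domain.com>,user@domaina.com,user@domaina.com,user@domainb.net,1,Content Filter Agent,OnEndOfData,DeleteMessage,,SclAtOrAboveDeleteThreshold,9,DV:3.3.7929.600;SID:SenderIDStatus Pass;CW:CustomList
'@ -split "`r?`n"

# Why was mail from this domain filtered?
Get-AgentVerdict -Line $sample -SenderDomain 'rainbowquartz.com' | Format-List

# Which agent/action/reason combinations hit a domain, most frequent first
Get-AgentVerdict -Line $sample -SenderDomain 'domaina.com' |
    Group-Object Agent, Action, Reason |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# On real files (path from the post), feed the helper with:
# $lines = Get-Content 'C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog\*.LOG'
```

Grouping by Agent, Action and Reason shows at a glance whether a domain is being stopped by connection filtering (a block list provider) or by the content filter (SCL threshold), which determines whether an IP Allow List entry is the right fix.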
