How to determine the sender address of mail sent to an invalid recipient
Last Updated September 30, 2011
You are seeing email addressed to invalid recipients and you want to know the email address of the sender.
The sender information is only available through message audit logs. Note that the sender data may not always be recorded, and when it is, it will often be incorrect. Most invalid recipient instances are spam that is likely to have a spoofed From address, since the sender can provide any arbitrary From address they want. However, the log will show the IP address of the machine that attempted the delivery. Assuming there are no other upstream servers in your environment, that IP should be the correct IP of the sender.
You can obtain the information as follows:
1. Open the SMG interface and go to Status.
2. In the left column, select Message Audit Logs.
3. Select the correct Host (your SMG server).
4. Set Mandatory Filter to 'Recipient'.
5. Set Mandatory Filter Value to your domain, for example 'symantec.com' (without the quotes).
6. Set Optional Filter to 'Action taken'.
7. Set Optional Filter Value to 'Reject invalid recipients'.
8. Set the Time range as needed.
9. Click the 'Display Filtered' button.
Once the results are displayed you can click on the 'To' item in each row to see more details. You can also export the results to CSV using the 'Export CSV' button.
The amount of information available for these emails will be severely limited, since they are rejected very early in the conversation and the actual email has not yet been transferred in almost all cases. So all you are likely to see is the intended recipient, the sender (as claimed by the sending server) and the IP address of the server that tried to hand this mail to SMG.
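Because the connecting IP is the only field in these rows that the sender cannot freely choose, it is the natural key for grouping an exported CSV. The following is an added example, not part of the original article or of SMG: the column names (time, recipient, sender, connection_ip, action) and the sample rows are assumptions constructed for illustration and must be adjusted to the header row of your actual export.

```python
import csv
from collections import defaultdict

# Constructed sample standing in for an 'Export CSV' file. The column names
# are assumptions; rename them to match the header row of your real export.
SAMPLE_EXPORT = """\
time,recipient,sender,connection_ip,action
2011-09-30 10:00:01,alice1@example.com,ceo@bank.example,203.0.113.7,Reject invalid recipients
2011-09-30 10:00:02,bob22@example.com,info@shop.example,203.0.113.7,Reject invalid recipients
2011-09-30 10:00:03,carol9@example.com,hr@corp.example,203.0.113.7,Reject invalid recipients
2011-09-30 10:05:10,jon.smith@example.com,partner@vendor.example,198.51.100.20,Reject invalid recipients
2011-09-30 10:06:00,sales@example.com,partner@vendor.example,198.51.100.20,Some other action
"""

def summarize_rejects(lines, action="Reject invalid recipients"):
    """Group rejected invalid-recipient rows by connecting IP.

    `lines` is any iterable of CSV lines (an open file or a list of strings).
    Returns a list of dicts sorted by reject count, highest first.
    """
    by_ip = defaultdict(lambda: {"rejects": 0, "senders": set(), "recipients": set()})
    for row in csv.DictReader(lines):
        if row["action"].strip() != action:
            continue  # keep only the rows the audit-log filter would return
        entry = by_ip[row["connection_ip"].strip()]
        entry["rejects"] += 1
        # The sender is only what the connecting server claimed: treat as a hint.
        entry["senders"].add(row["sender"].strip().lower())
        entry["recipients"].add(row["recipient"].strip().lower())
    summary = [
        {"ip": ip, "rejects": e["rejects"],
         "claimed_senders": sorted(e["senders"]),
         "recipients": sorted(e["recipients"])}
        for ip, e in by_ip.items()
    ]
    return sorted(summary, key=lambda s: (-s["rejects"], s["ip"]))

if __name__ == "__main__":
    for s in summarize_rejects(SAMPLE_EXPORT.splitlines()):
        print(f'{s["ip"]}: {s["rejects"]} rejects, '
              f'{len(s["claimed_senders"])} claimed senders, '
              f'{len(s["recipients"])} invalid recipients')
```

One IP that produces many rejects under many different claimed senders fits the spoofed-spam pattern described above, while a single reject from one consistent sender is more likely a mistyped address.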
Imported Document ID: TECH166495