Monday, 30 November 2015

Exchange - What type of client sent an email?

Introduction


In this post, I'll show you how to work out which client was used to send a particular email by using the Message Tracking Logs in Exchange 2010, Exchange 2013 or Exchange 2016. See below.


Message Tracking Logs


In the message tracking logs, there is a SourceContext field which reports the ClientType property for SUBMIT events. SUBMIT events are where the Mailbox Transport Submission service passes on a message to the Transport service, i.e. when the Exchange server picks up the email from the mailbox outbox and passes it on for delivery. 

There's no SUBMIT event when an external sender sends an email to one of your users. This means that there's no ClientType property for these emails. 

To do some testing, I sent emails using ActiveSync, OWA and Outlook and then did some message tracking to see what I could find.


ActiveSync


In this example email, I’ve sent an email using ActiveSync (with the subject ActiveSync) and you can see the message tracking log output shows the ClientType as AirSync highlighted at the bottom:

Get-MessageTrackingLog -Start "11/24/2015 10:00" -MessageSubject ActiveSync | fl TimeStamp,Sender,Recipients,MessageSubject,SourceContext

image

Outlook Web Access


Emails sent using OWA has a ClientType of OWA. That’s good. That makes sense:

Get-MessageTrackingLog -Start "11/24/2015 10:00" -MessageSubject OWA | fl TimeStamp,Sender,Recipients,MessageSubject,SourceContext

image

Outlook


As for Outlook, the ClientType came up as Outlook right? Ahem. No. MOMT. MOMT is MAPI on the Middle Tier which basically includes clients that connect using Outlook or any other application that connects using RPC/HTTP or MAPI/HTTP. See below:

Get-MessageTrackingLog -Start "11/24/2015 10:00" -MessageSubject "Outlook 2253" | fl TimeStamp,Sender,Recipients,MessageSubject,SourceContext

image

Windows 10 Mail App


If you haven’t yet come across this, you’ll soon find out that it connects using ActiveSync. See below:

Get-MessageTrackingLog -Start "11/24/2015 10:00" -MessageSubject "Windows 10 Mail" | fl TimeStamp,Sender,Recipients,MessageSubject,SourceContext

image


Monitoring emails


Monitoring emails also have a ClientType and this is Monitoring. See below:

Get-MessageTrackingLog -Start "11/25/2015 21:00" -MessageId 07f6a25a51914f1cac5ed1ec244caabd@litex01.litwareinc.com | fl TimeStamp,Sender,Recipients,SourceContext

image

Get client type for an email


I’ve written a small PowerShell function that you can use to pipe your message tracking log into and it will give you a more user friendly output. Instructions for use are below:

1 - Copy this PowerShell function into your Exchange Management Shell window:

function Get-MessageClientType
    {
        $MessageTrackingLog = @($input) | ? {$_.SourceContext -match "ClientType"}
        $Output = @()
        foreach ($Message in $MessageTrackingLog)
            {
                $ClientType = $Message.SourceContext -split "," | ? {$_ -match "ClientType"}
                $ClientType = $ClientType -replace (" ClientType:","")             
                $OutputLine = New-Object System.Object
                $OutputLine | Add-Member -Type NoteProperty -Name TimeStamp -Value $Message.TimeStamp
                $OutputLine | Add-Member -Type NoteProperty -Name Sender -Value $Message.Sender
                $OutputLine | Add-Member -Type NoteProperty -Name Recipients -Value $Message.Recipients
                $OutputLine | Add-Member -Type NoteProperty -Name MessageSubject -Value $Message.MessageSubject
                $OutputLine | Add-Member -Type NoteProperty -Name ClientType -Value $ClientType
                $Output += $OutputLine
            }
        $Output
    }


2 - Use Get-MessageTrackingLog to get the messages you need and then pipe it into Get-MessageClientType to get the ClientType. See below:

Get-MessageTrackingLog -Start "11/24/2015 10:00" -Recipients administrator@litwareinc.com -ResultSize Unlimited | Get-MessageClientType | ft

image

You can also use this command to get all the emails sent using one of the client types. See below for how to get just the emails sent using ActiveSync clients: 

Get-MessageTrackingLog -Start "11/24/2015 10:00" -Recipients administrator@litwareinc.com -ResultSize Unlimited | Get-MessageClientType | ? {$_.ClientType -eq "AirSync"} | ft


Conclusion


In this post, we've gone through how to identify whether an email was sent using Outlook, OWA or ActiveSync. This should prove to be quite useful when troubleshooting users' email issues. 

No comments:

Post a Comment