Monday, 30 November 2015

Exchange - What type of client sent an email?

Introduction


In this post, I'll show you how to work out which client was used to send a particular email by using the Message Tracking Logs in Exchange 2010, Exchange 2013 or Exchange 2016. See below.


Message Tracking Logs


In the message tracking logs, there is a SourceContext field which reports the ClientType property for SUBMIT events. SUBMIT events are where the Mailbox Transport Submission service passes on a message to the Transport service, i.e. when the Exchange server picks up the email from the mailbox outbox and passes it on for delivery. 

There's no SUBMIT event when an external sender sends an email to one of your users. This means that there's no ClientType property for these emails. 

To do some testing, I sent emails using ActiveSync, OWA and Outlook and then did some message tracking to see what I could find.


ActiveSync


In this example email, I’ve sent an email using ActiveSync (with the subject ActiveSync) and you can see the message tracking log output shows the ClientType as AirSync highlighted at the bottom:

Get-MessageTrackingLog -Start "11/24/2015 10:00" -MessageSubject ActiveSync | fl TimeStamp,Sender,Recipients,MessageSubject,SourceContext


Outlook Web Access


Emails sent using OWA have a ClientType of OWA. That’s good. That makes sense:

Get-MessageTrackingLog -Start "11/24/2015 10:00" -MessageSubject OWA | fl TimeStamp,Sender,Recipients,MessageSubject,SourceContext


Outlook


As for Outlook, the ClientType came up as Outlook, right? Ahem. No. MOMT. MOMT is MAPI on the Middle Tier, which basically covers Outlook and any other application that connects using RPC/HTTP or MAPI/HTTP. See below:

Get-MessageTrackingLog -Start "11/24/2015 10:00" -MessageSubject "Outlook 2253" | fl TimeStamp,Sender,Recipients,MessageSubject,SourceContext


Windows 10 Mail App


If you haven’t yet come across this, you’ll soon find out that it connects using ActiveSync. See below:

Get-MessageTrackingLog -Start "11/24/2015 10:00" -MessageSubject "Windows 10 Mail" | fl TimeStamp,Sender,Recipients,MessageSubject,SourceContext



Monitoring emails


Monitoring emails also have a ClientType and this is Monitoring. See below:

Get-MessageTrackingLog -Start "11/25/2015 21:00" -MessageId 07f6a25a51914f1cac5ed1ec244caabd@litex01.litwareinc.com | fl TimeStamp,Sender,Recipients,SourceContext


Get client type for an email


I’ve written a small PowerShell function that you can pipe your message tracking log into, and it will give you more user-friendly output. Instructions for use are below:

1 - Copy this PowerShell function into your Exchange Management Shell window:

function Get-MessageClientType
    {
        # Keep only the entries whose SourceContext carries a ClientType (SUBMIT events).
        # The outer @() keeps an empty result from being looped over once on PowerShell 2.0.
        $MessageTrackingLog = @(@($input) | ? {$_.SourceContext -match "ClientType"})
        $Output = @()
        foreach ($Message in $MessageTrackingLog)
            {
                # SourceContext is a comma-separated list; pick out the ClientType item
                $ClientType = $Message.SourceContext -split "," | ? {$_ -match "ClientType"}
                # Strip the "ClientType:" label and any whitespace around it, leaving just the value
                $ClientType = $ClientType -replace "^\s*ClientType:\s*",""
                $OutputLine = New-Object System.Object
                $OutputLine | Add-Member -Type NoteProperty -Name TimeStamp -Value $Message.TimeStamp
                $OutputLine | Add-Member -Type NoteProperty -Name Sender -Value $Message.Sender
                $OutputLine | Add-Member -Type NoteProperty -Name Recipients -Value $Message.Recipients
                $OutputLine | Add-Member -Type NoteProperty -Name MessageSubject -Value $Message.MessageSubject
                $OutputLine | Add-Member -Type NoteProperty -Name ClientType -Value $ClientType
                $Output += $OutputLine
            }
        $Output
    }


2 - Use Get-MessageTrackingLog to get the messages you need and then pipe them into Get-MessageClientType to get the ClientType. See below:

Get-MessageTrackingLog -Start "11/24/2015 10:00" -Recipients administrator@litwareinc.com -ResultSize Unlimited | Get-MessageClientType | ft


You can also use this command to get all the emails sent using one of the client types. See below for how to get just the emails sent using ActiveSync clients: 

Get-MessageTrackingLog -Start "11/24/2015 10:00" -Recipients administrator@litwareinc.com -ResultSize Unlimited | Get-MessageClientType | ? {$_.ClientType -eq "AirSync"} | ft
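As an added example (not part of the original post), the following goes one step beyond the filter above: it counts submitted messages per sender and client type, which makes it easy to spot a mailbox sending through a client it does not normally use. Get-ClientTypeSummary and New-SampleEntry are hypothetical names, the sample entries are constructed, and the SourceContext layout in them is an assumption; the code sticks to syntax available in the PowerShell 2.0 used by Exchange 2010.

```powershell
# Added example: per-sender summary of the clients used to submit mail.
function Get-ClientTypeSummary   # hypothetical name
{
    # Only SUBMIT events carry ClientType; the outer @() avoids a null loop on PowerShell 2.0
    $Entries = @(@($input) | Where-Object { $_.EventId -eq "SUBMIT" })
    $Rows = foreach ($Entry in $Entries)
    {
        # Take the value after "ClientType:" up to the next comma; flag entries without one
        if ($Entry.SourceContext -match "ClientType:\s*([^,]+)") { $Client = $Matches[1].Trim() }
        else { $Client = "(none)" }
        New-Object PSObject -Property @{ Sender = $Entry.Sender; ClientType = $Client }
    }
    if (-not $Rows) { return }
    # One output row per sender/client pair, with the number of messages submitted
    $Rows | Group-Object Sender, ClientType | ForEach-Object {
        New-Object PSObject -Property @{
            Sender     = $_.Group[0].Sender
            ClientType = $_.Group[0].ClientType
            Count      = $_.Count
        }
    } | Sort-Object Sender, ClientType
}

# Constructed sample entries standing in for Get-MessageTrackingLog output (layout assumed)
function New-SampleEntry($EventId, $Sender, $Context)   # hypothetical helper
{
    New-Object PSObject -Property @{ EventId = $EventId; Sender = $Sender; SourceContext = $Context }
}
$Ctx = "Event:101, MessageClass:IPM.Note, CreationTime:2015-11-24T10:05:00.000Z, ClientType:"
$Sample = @(
    (New-SampleEntry "SUBMIT"  "alice@example.com"    ($Ctx + "MOMT")),
    (New-SampleEntry "SUBMIT"  "alice@example.com"    ($Ctx + "MOMT")),
    (New-SampleEntry "SUBMIT"  "alice@example.com"    ($Ctx + "AirSync")),
    (New-SampleEntry "SUBMIT"  "bob@example.com"      ($Ctx + "OWA")),
    (New-SampleEntry "RECEIVE" "external@example.net" "constructed entry without a ClientType")
)
$Sample | Get-ClientTypeSummary | Format-Table Sender, ClientType, Count -AutoSize
```

Against a live server, replace $Sample with a Get-MessageTrackingLog query like the ones above. The RECEIVE entry is dropped because, as noted earlier, mail from external senders has no SUBMIT event.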


Conclusion


In this post, we've gone through how to identify whether an email was sent using Outlook, OWA or ActiveSync. This should prove to be quite useful when troubleshooting users' email issues. 

10 comments:

  2. Dude this is golden!!! Well done and thanks for this.

  6. This is great, but I get back that Get-MessageClientType is not a recognized cmdlet - running Exchange 2010 SP3. Any ideas?

    Replies
    1. If you don't follow step 1 then that is correct; he creates that function for us in step 1

      "1 - Copy this PowerShell function into your Exchange Management Shell window:

      function Get-MessageClientType
      {
      $MessageTrackingLog = @($input) | ? {$_.SourceContext -match "ClientType"}
      $Output = @()
      foreach ($Message in $MessageTrackingLog)
      {
      $ClientType = $Message.SourceContext -split "," | ? {$_ -match "ClientType"}
      $ClientType = $ClientType -replace (" ClientType:","")
      $OutputLine = New-Object System.Object
      $OutputLine | Add-Member -Type NoteProperty -Name TimeStamp -Value $Message.TimeStamp
      $OutputLine | Add-Member -Type NoteProperty -Name Sender -Value $Message.Sender
      $OutputLine | Add-Member -Type NoteProperty -Name Recipients -Value $Message.Recipients
      $OutputLine | Add-Member -Type NoteProperty -Name MessageSubject -Value $Message.MessageSubject
      $OutputLine | Add-Member -Type NoteProperty -Name ClientType -Value $ClientType
      $Output += $OutputLine
      }
      $Output
      }"

  7. Congratulations Mark.

    Nice post.

    FYI.

    https://blogs.technet.microsoft.com/messagingninjas/2016/07/06/figuring-out-which-client-was-used-by-the-sender-to-send-an-email/
