One of the more useful improvements in Exchange Server 2007 is the abundance of logging for different features and components (read previous post “Exchange Server 2007: How many logs hath thee?“). In particular, the antispam agent logs fill an important gap in monitoring, reporting and troubleshooting message flow as it relates to antispam agents (read previous post “Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs“). As a messaging/Exchange administrator, you want to be able to pinpoint what the antispam agents have been up to, and determine whether particular messages, sending hosts, domains or email addresses have been blocked by any of the antispam agents. The antispam agent logs and the get-agentlog command allow you to do this quickly and efficiently.
In addition to the get-agentlog command, Exchange Server 2007 also ships with a number of canned scripts that help you keep tabs on what the agents are doing. These scripts are found in the \Exchange Server\Scripts directory, where \Exchange Server is the path of the Exchange Server 2007 installation. Note that no documentation or support is available for these scripts: they are meant to be examples you can use to write your own scripts. Let’s take a peek in the directory and see what we find.
Commandline parameters used by antispam scripts
Most of the following scripts take the same (optional) parameters.
- Get-AntispamFilteringReport.ps1: Takes one of the following values as a mandatory parameter and displays statistics for each agent:
- Get-AntispamSCLHistogram.ps1: Provides a breakdown of number of messages stamped with each SCL value.
- Get-AntispamTopBlockedSenderDomains.ps1: Lists top ten sender domains from which mail was blocked.
- Get-AntispamTopBlockedSenderIPs.ps1: Lists the top ten IP addresses blocked by antispam agents, and number of messages blocked from each.
- Get-AntispamTopBlockedSenders.ps1: Lists the top ten blocked senders (SMTP email addresses) and number of messages blocked from each. The script can report on P1 addresses (the envelope sender given in the SMTP MAIL FROM command) or P2 addresses (the sender addresses in the message headers, such as From). Specify P1 or P2 as the first commandline argument (the optional parameters -top n, -StartDate and -EndDate are also used in this example):
.\Get-AntispamTopBlockedSenders.ps1 P1 -top 20 -StartDate "12/1/2007" -EndDate "12/10/2007"
Replace the P1 in the above command with P2 to report on P2 senders.
- Get-AntispamTopRBLProviders.ps1: Lists the top ten RBLs (aka “IP Block List Providers”) and messages blocked by each (read previous post: “Exchange Server 2007: How are RBLs performing?“).
- Get-AntispamTopRecipients.ps1: Lists the top ten recipient addresses that receive spam. The addresses may or may not exist in your Organization, because the report is based on actions taken by antispam agents on incoming messages, not on your directory. Recipient Filtering with recipient validation (rejecting the RCPT TO command for recipients that do not exist in Active Directory) is a great way to drop a large number of messages before they are even accepted. Keep in mind that such rejections also tell a sender which addresses are valid, so pair recipient validation with the Receive connector tarpit interval to slow down directory harvest attacks.
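The following script is an added example, not one of the scripts shipped with Exchange Server 2007 and not code from the original post. It shows how the get-agentlog command mentioned at the top of this post produces the same kind of numbers as the Get-AntispamTop*.ps1 reports above, so you can adapt it when the canned scripts do not answer your question (for instance “was this host blocked, and by which agent?”). It assumes the Exchange Management Shell on a Hub or Edge Transport server with the antispam agents installed, and relies on the properties Get-AgentLog returns on Exchange 2007 (Timestamp, Agent, Event, Action, IPAddress, P1FromAddress, Recipients, Reason, ReasonData). The list of “blocking” action names, the default date window and the placeholder IP address are assumptions to adjust for your environment.

```powershell
# Added example (not an Exchange-shipped script): reproduce the gist of the
# Get-AntispamTop*.ps1 reports directly from Get-AgentLog output.
# Run from the Exchange Management Shell on a transport server with antispam
# agents. Save as e.g. Report-AntispamBlocks.ps1 (hypothetical name).
param(
    [DateTime] $StartDate = (Get-Date "12/1/2007"),   # assumed default window
    [DateTime] $EndDate   = (Get-Date "12/10/2007"),
    [int]      $Top       = 10
)

# Read the agent log once for the window; Get-AgentLog parses every log file
# in the range, so filter the result in memory rather than calling it repeatedly.
$entries = Get-AgentLog -StartDate $StartDate -EndDate $EndDate

# Only count entries where an agent actually blocked something. AcceptMessage
# entries (e.g. Content Filter stamping an SCL below the action thresholds)
# are informational, not blocks. Action names are an assumption: check them
# against the Action column of your own logs.
$blockActions = 'RejectMessage', 'RejectCommand', 'DeleteMessage', 'Disconnect'
$blocked = $entries | Where-Object { $blockActions -contains $_.Action }

"=== Blocked messages per agent ($StartDate to $EndDate) ==="
$blocked | Group-Object Agent | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"=== Top $Top blocked sender IP addresses ==="
$blocked | Group-Object IPAddress | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

# P1 is the envelope sender (SMTP MAIL FROM); it is empty for bounces and for
# entries logged before the MAIL command (e.g. Connection Filtering at OnConnect).
"=== Top $Top blocked P1 senders ==="
$blocked | Where-Object { "$($_.P1FromAddress)" -match '@' } |
    Group-Object { "$($_.P1FromAddress)".ToLower() } | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

"=== Top $Top blocked P1 sender domains ==="
$blocked | Where-Object { "$($_.P1FromAddress)" -match '@' } |
    ForEach-Object { ("$($_.P1FromAddress)" -split '@')[1].ToLower() } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

# Recipients is a collection per entry, so flatten it before grouping. These
# addresses come from RCPT TO and need not exist in your organization.
"=== Top $Top recipients of blocked mail ==="
$blocked | ForEach-Object { $_.Recipients } |
    ForEach-Object { "$_".ToLower() } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

# Drill-down for troubleshooting: everything an agent did to one sending host.
# 192.0.2.10 is a documentation-range placeholder; replace it with the host
# you are investigating.
$suspectIp = '192.0.2.10'
"=== Agent actions for $suspectIp ==="
$entries | Where-Object { "$($_.IPAddress)" -eq $suspectIp } |
    Select-Object Timestamp, Agent, Event, Action, P1FromAddress, Reason, ReasonData |
    Format-Table -AutoSize
```

The drill-down at the end deliberately uses $entries rather than $blocked, so you also see the AcceptMessage entries for that host: a message that was accepted by Connection Filtering and Sender ID but later deleted by the Content Filter shows up as a sequence of events, and that sequence is usually what you need when a sender claims their mail “just disappeared”.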
The following scripts are not used for reporting:
- Reset-AntispamUpdates.ps1: Uninstalls any antispam updates and reinstalls the original “out-of-box” antispam data.
- Install-AntispamAgents.ps1: By default, antispam agents are not installed on the Hub Transport server role (read previous post: “HOW TO: Install anti-spam agents on Hub Transport server“). This script installs them if you need to.
- Uninstall-AntispamAgents.ps1: Uninstalls antispam agents.