Sniffing Emails with the Archive Sink

Kenneth Spiteri


Kenneth is an Exchange Administrator who loves to share anything he finds interesting with the rest of the community. He also helps with the administration of the site.

  • Published: Dec 06, 2005
  • Category: General

The Exchange Archive Sink saves a copy of all emails to disk. It is certainly a very primitive archiving solution. Nevertheless it comes in handy when troubleshooting and analyzing email flow.

Microsoft provides a very simple server level archiving solution. This is a sink that saves to disk all emails flowing through a server. It unobtrusively sniffs emails, rendering it especially useful as a low level troubleshooting tool.

The archive sink is available for both Exchange 2000 and Exchange 2003. Exchange 2000 includes this with SP2 and later. Thus installing the latest service pack ensures all the necessary files are in place.

In Exchange 2003 the sink is available as a separate download. Follow the link to the Exchange 2003 Tools page and select ArchiveSink. Once downloaded, extract all files to <Exchange dir.>\bin.

Installing the Archive Sink

Installing the sink involves the same steps for both Exchange versions. To begin with, run the following command to register the ArchiveSink.dll module:

regsvr32 <Exchange dir.>\bin\ArchiveSink.dll

If the system has problems locating regsvr32.exe, you will find this under the Windows\System32 directory.

Next we have to install the sink. We do this with the help of archivesink_setup.vbs. The following command illustrates how this is done for the first SMTP Virtual server:

cscript <Exchange dir.>\bin\archivesink_setup.vbs install 1 c:\MailArch\

Here I am running the script from the command prompt using cscript. The first script parameter (install) specifies the installation operation. The 1 identifies the first SMTP virtual server instance (more on this in a moment). The final parameter identifies the disk location where emails are to be saved. Change this path as necessary.

This script requires identifying the SMTP Virtual server through a number. Virtual servers are assigned these numbers automatically on creation. By default Exchange creates one server instance assigning it the number 1. It is possible to create extra virtual servers. These are automatically assigned numbers in ascending order. Thus if multiple virtual servers are in place, the script must be run once for each virtual server whose emails are to be archived.

To see the virtual server numbering browse to the following directory:
<Exchange dir.>\Mailroot\

Here you will find sub-directories named as follows:
vsi <n>

vsi stands for virtual server instance. <n> identifies its associated number, the one required when installing the archive sink.

Running the Archiver

Once the installation is completed, the sink will start archiving all emails going through it. If nothing happens, verify that the archive directory is present and restart the IIS Admin service.

Under the archive directory the sink automatically creates two sub-directories named 'MAPI-Gateway Messages' and 'SMTP Messages'. The former will contain emails originating from local Exchange mailboxes. The latter contains emails from external senders.

The emails in the SMTP Messages directory are saved using standard SMTP encodings. Hence these may be easily opened using Outlook Express. On the other hand 'MAPI-Gateway Messages' will contain TNEF encoded emails. Outlook Express is of little help here and a TNEF Viewer is required.

Identifying Archived Emails

The archive sink comes in handy when investigating email corruption issues. In these cases it is useful to see the raw email as received at the server. With many emails being saved in the archive directories, locating the correct file can be a bit tricky.

Let's consider the case where we are receiving corrupted emails from an external sender. Depending on the type of corruption we may be able to see the email subject. In this case it is worth searching the folder using a simple text search application. If the subject is unencoded and unique enough, this quickly tracks down the raw email.

Otherwise if the subject is encoded or missing, we can try using the email header information. From Outlook you can see the headers by opening the email and selecting View | Options.

Message Properties

The internet headers edit box shows the raw email headers. This is the same information saved in the archive directory. So all we need is to find some text unique enough to base our search on. If available, the Message-ID header is perfect for the job, since its whole purpose is to tag each email with a unique identifier. With this key we can now proceed with the text search that will locate the necessary file.

Raw Email

Before opening the email, be warned that it might be infected by viruses, exploits or some other malware. This risk remains even when server-side protection is in place. Thus it is wise to scan the file for viruses before opening it.
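As an added example that is not part of the original article, the following Python script carries out the search described above over a constructed archive directory: it looks up a file by Message-ID or by subject, decoding RFC 2047 encoded subjects that a plain text search would miss, and it parses only the headers so the message body is never opened or rendered while searching. The directory layout, file names and messages are constructed for the demonstration; none of them come from the article.

```python
import os
import tempfile
from email.header import decode_header, make_header
from email.parser import BytesHeaderParser

# Constructed sample archive (not real captured mail), laid out like '<archive>\SMTP Messages'.
SAMPLE_MESSAGES = {
    "notes.eml": (b"Message-ID: <abc123@example.com>\r\n"
                  b"Subject: Meeting notes\r\n\r\nSee attachment.\r\n"),
    "invoice.eml": (b"Message-ID: <def456@example.com>\r\n"
                    b"Subject: =?utf-8?b?SW52b2ljZSAjMTA0?=\r\n"  # 'Invoice #104' as a base64 encoded-word
                    b"\r\nPlease find the invoice attached.\r\n"),
}

def build_sample_archive():
    """Write the constructed messages into a temporary archive directory."""
    base = tempfile.mkdtemp(prefix="archive_sink_")
    smtp_dir = os.path.join(base, "SMTP Messages")
    os.makedirs(smtp_dir)
    for name, raw in SAMPLE_MESSAGES.items():
        with open(os.path.join(smtp_dir, name), "wb") as fh:
            fh.write(raw)
    return base

def raw_text_search(archive_dir, needle):
    """The plain text search the article suggests; it misses RFC 2047 encoded subjects."""
    hits = []
    for root, _, files in os.walk(archive_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                if needle.encode("utf-8") in fh.read():
                    hits.append(path)
    return sorted(hits)

def _norm_id(value):
    return (value or "").strip().strip("<>")  # accept IDs with or without angle brackets
def find_archived(archive_dir, message_id=None, subject=None):
    """Match parsed headers only; the body is never decoded or rendered (see the malware caveat)."""
    hits = []
    for root, _, files in os.walk(archive_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                headers = BytesHeaderParser().parse(fh)  # stops at the blank header/body separator
            decoded_subject = str(make_header(decode_header(headers.get("Subject", ""))))
            if message_id and _norm_id(headers.get("Message-ID")) == _norm_id(message_id):
                hits.append(path)
            elif subject and subject.lower() in decoded_subject.lower():
                hits.append(path)
    return sorted(hits)
```

Point find_archived at the real archive root (or just the SMTP Messages sub-directory) with the Message-ID copied from Outlook's internet headers; the returned paths are then scanned before anything is opened.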

References

Tools for Exchange Server 2003

Copyright © 2005 - 2024 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation