
Identify Incorrect Email Addresses from Exchange Server Logs

Author: Pradeep Tapadiya, Software Labs Inc.

When you send an email from your email client, the email first goes into an outgoing queue of your corporate mail server, such as Microsoft Exchange Server. The mail server then sends the email to the specified recipients on your behalf. When Exchange Server attempts to send the email to a recipient, say abc@def.com, there are multiple possible outcomes. Some examples are:
  • The username (abc) and the hostname (def.com) are valid. In this case the email gets delivered to the recipient.
  • The hostname is valid but there is some other problem with the recipient's mailbox. Exchange Server cannot anticipate this, so it sends the email anyway. As the email travels through various mail relays and ultimately reaches the destination mail server, one of those servers detects the problem and sends a notice of the undelivered email back to the original sender.
  • The hostname itself is invalid. In this case, Exchange Server does not send the email but logs the error in the Windows Application Event Log as a non-delivery report (NDR).
In this article, I will show you how you can process the NDR records from Windows Application Event Log to identify undelivered emails. Note that you need to have administrative privileges on the Windows server that is running Exchange Server.

Step 1: Create a connection to Windows Event Log

Using the Windows Management Instrumentation (WMI) connector, specify the machine where Exchange Server is running and supply proper security credentials. Specify the WMI namespace as root\cimv2; most of the commonly used WMI classes live in this namespace.

Step 2: Extract non-delivered type records from the event log

Create a Standard Query object. The table (WMI class) we are interested in is Win32_NTLogEvent, and the column we are interested in is InsertionStrings. We also need to filter the data to rows where the column SourceName is MSExchangeTransport and the column CategoryString is NDR.

Step 3: Isolate email addresses

Exchange Server logs data with additional information. Here is an example of how the input appears: 5.4.0, rfc822;yzhou@us.pwcglobal.com, <CRAYSLFqE4IUHOr0Gtg000011e4@mail.software-labs.net>

The actual undelivered email address lies between the semicolon and the comma. Although there are multiple ways to isolate this data, we will use a regular expression for our purpose. Create a new Transformation Query object and define your query using RegexParse as shown here:

The syntax for regular expressions can be found on many websites. The key point is that the part of the input string between the semicolon and the comma is captured under the name InvalidEmail. When you run this query, it returns a table that contains one column called InvalidEmail.

Step 4: Extract email addresses

The last step is to simply extract InvalidEmail from the table generated in the previous step. Create a new Transformation Query object and select the column:

You have now extracted all the invalid email addresses from the Exchange Server Event Log.
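The same four steps, carried through in Python as an added example rather than code from the article or from the xFusion pack. The WQL text is my rendering of the article's Standard Query filter (with a Logfile restriction added as an assumption); the helper names are mine; and every sample record except the article's own quoted line is constructed test data. The regex anchors on the `rfc822;` marker rather than on any semicolon and skips records that do not have the expected shape, so an oddly formatted event cannot produce a bogus address or stop the run. The domain summary goes a step beyond the article to show where the NDRs cluster.

```python
import re
from collections import Counter

# WQL equivalent of the article's Standard Query (Steps 1 and 2): the Win32_NTLogEvent
# class in root\cimv2, filtered to MSExchangeTransport NDR events. Assumption: written
# here to mirror the article's filter, with the Application log named explicitly.
NDR_WQL = (
    "SELECT InsertionStrings FROM Win32_NTLogEvent "
    "WHERE Logfile = 'Application' "
    "AND SourceName = 'MSExchangeTransport' "
    "AND CategoryString = 'NDR'"
)

# Constructed sample InsertionStrings values in the format the article quotes:
# <enhanced status code>, rfc822;<recipient>, <message id>. The first line is the
# article's own example; the rest are made-up test data (.invalid / example.com).
SAMPLE_NDR_RECORDS = [
    "5.4.0, rfc822;yzhou@us.pwcglobal.com, <CRAYSLFqE4IUHOr0Gtg000011e4@mail.software-labs.net>",
    "5.4.0, rfc822;someone@no-such-host.invalid, <CONSTRUCTED-0002@mail.example.com>",
    "5.4.0, rfc822;Someone@NO-SUCH-HOST.invalid, <CONSTRUCTED-0003@mail.example.com>",
    "Some unrelated insertion string that does not carry an rfc822 recipient",
]

# Step 3: the recipient sits between 'rfc822;' and the next comma. Anchoring on the
# 'rfc822;' marker (not any semicolon) and excluding whitespace keeps a stray ';'
# elsewhere in the record from yielding a false address. The group is named
# InvalidEmail, matching the column the article's RegexParse step produces.
NDR_PATTERN = re.compile(r"rfc822;(?P<InvalidEmail>[^,\s]+),")


def parse_ndr_record(insertion_string):
    """Return the undeliverable address in one NDR insertion string, or None when
    the record does not have the expected shape (never raise on odd input)."""
    match = NDR_PATTERN.search(insertion_string)
    return match.group("InvalidEmail") if match else None


def extract_invalid_emails(records):
    """Steps 3 and 4 together: the InvalidEmail column, with non-matching rows dropped."""
    return [addr for addr in map(parse_ndr_record, records) if addr is not None]


def summarize_by_domain(addresses):
    """Count NDRs per destination domain. Domains are case-insensitive, so they are
    folded to lower case; the local part is left exactly as logged."""
    return Counter(addr.rsplit("@", 1)[1].lower() for addr in addresses if "@" in addr)


if __name__ == "__main__":
    invalid = extract_invalid_emails(SAMPLE_NDR_RECORDS)
    for addr in invalid:
        print(addr)
    for domain, count in summarize_by_domain(invalid).most_common():
        print(f"{count:4d}  {domain}")
```

On the live server the records come from WMI rather than the inline list; for instance, from PowerShell, `Get-WmiObject -Namespace root\cimv2 -Query $NDR_WQL -ComputerName <server>` returns the events, and each event's InsertionStrings array is what `parse_ndr_record` expects. Only the events' InsertionStrings are read, so the account used needs no more than read access to the Application log on that server.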

The complete flow is shown here:

You can download the xFusion pack from here.
©2007 Software Labs, Inc.