Where can I see all emails send by my Windows 2012 Server?

windows-server-2012-r2

Solution 1:

You don't need a mail server installed to send email. SMTP is a simple protocol that connects to TCP port 25 of a remote server and delivers the message. Any process on a compromised server could do that.

You could start by using netstat -b -n -o to list the current connections and the processes involved in creating them. Or PowerShell Get-NetTCPConnection which can filter the listing based on the port with -RemotePort 25. E.g.

Get-NetTCPConnection -RemotePort 25 | Select-Object -Property LocalPort, RemoteAddress,
    @{ Name = 'ProcessName'; Expression = { (Get-Process -Id $_.OwningProcess).Name } },
    @{ Name = 'PID'; Expression = 'OwningProcess' }

This analysis might help you to find out how you got infected. However, eventually this will come back to question: How do I deal with a compromised server?

Having startup messages on virtual tty (monitor) AND serial console

nginx master process running as root but complaining that it is not

Redirect/tunnel (Tight)VNC traffic over (Open)VPN connection? (Windows)

How to configure subnets/VLANs to restrict access to WAN/other VLANs?

A new logical volume appearing after reducing the size of another

How can I check the outgoing HELO name of my sendmail server?

Using certbot DNS authorization with multiple API accounts?

How to view all the steps involved in ldapsearch operation?

Zabbix doesn't run custom alert script

DNSSEC - Google Cloud and Cloudflare - Which DS Record do I give to the Registrar?

Setup in nginx will lead to security warning in Google Chrome

How to give permissions to local computers using computers' MAC addresses in Windows Server 2016 for file sharing