RSS Feed of IMF Message Tracking Log Data

This script produces an RSS feed of items that have been archived by the IMF. It's designed to be scheduled to run every 15 minutes, which keeps a constantly updated RSS feed that RSS aggregators can subscribe to, so any subscriber gets an up-to-date list of archived spam throughout the day. (This is especially useful during the first couple of weeks after implementing the IMF because it gives you a close to real-time monitor of the IMF operation.) The script uses WMI to query the last 2 days of Message Tracking Log 1039 events and then uses the Microsoft XML parser via the MICROSOFT.XMLDOM COM object to produce an XML output file.

How it works

The first part of the code starts to set up the RSS feed file by first creating an instance of the XMLDOM object to be used and then creating the first node definitions that an RSS file needs. To see some documentation on what an RSS feed file should look like, have a look here.

set objdom = CreateObject("MICROSOFT.XMLDOM")
Set objField = objDom.createElement("rss")
Set objattID = objDom.createAttribute("version")
objattID.Text = "2.0"
objField.setAttributeNode objattID
objDom.appendChild objField
Set objField1 = objDom.createElement("channel")
objfield.appendChild objField1
Set objField3 = objDom.createElement("title")
objfield3.text = "IMF SPAM Report Feed"      ' RSS feed name; you can set this to whatever you want
objfield1.appendChild objField3
Set objField4 = objDom.createElement("link")
objfield1.appendChild objField4
Set objField5 = objDom.createElement("description")
objfield5.text = "IMF SPAM Report Feed"    ' RSS description; you can set this to whatever you want
objfield1.appendChild objField5
Set objField6 = objDom.createElement("language")
objfield6.text = "en-us"
objfield1.appendChild objField6
Set objField7 = objDom.createElement("lastBuildDate")
objfield7.text = formatdatetime(now(),1) & " " & formatdatetime(now(),4) & ":00 GMT"
objfield1.appendChild objField7
 

The next part of the code does a WMI WQL query of the message tracking logs, with parameters that limit the query to 1039 events whose date is later than 2 days ago.

strComputer = "."
set shell = createobject("wscript.shell")
strValueName = "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\ActiveTimeBias"
minTimeOffset = shell.regread(strValueName)
toffset = datediff("h",DateAdd("n", minTimeOffset, now()),now())
dtListFrom = DateAdd("n", minTimeOffset, now())
dtListFrom = DateAdd("d",-2,dtListFrom)
strStartDateTime = year(dtListFrom)
if (Month(dtListFrom) < 10) then strStartDateTime = strStartDateTime & "0"
strStartDateTime = strStartDateTime & Month(dtListFrom)
if (Day(dtListFrom) < 10) then strStartDateTime = strStartDateTime & "0"
strStartDateTime = strStartDateTime & Day(dtListFrom)
if (Hour(dtListFrom) < 10) then strStartDateTime = strStartDateTime & "0"
strStartDateTime = strStartDateTime & Hour(dtListFrom)
if (Minute(dtListFrom) < 10) then strStartDateTime = strStartDateTime & "0"
strStartDateTime = strStartDateTime & Minute(dtListFrom)
if (Second(dtListFrom) < 10) then strStartDateTime = strStartDateTime & "0"
strStartDateTime = strStartDateTime & Second(dtListFrom) & ".000000+000"
Set objWMIService = Getobject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\MicrosoftExchangeV2")
qstr = "Select * FROM Exchange_MessageTrackingEntry where entrytype = '1039' and OriginationTime > '" & strStartDateTime & "'"
Set colLoggedEvents = objWMIService.ExecQuery(qstr,,48)

The next part sets up some parameters and creates a loop to go through all the entries in the tracking log that matched the WQL query scope, and then it writes the tracking log entries in an XML format.

' Write one <item> per recipient of each archived (1039) message
For Each objEvent in colLoggedEvents
    for i = 1 to objEvent.RecipientCount
        ' OriginationTime is a WMI datetime string (yyyymmddHHMMSS.mmmmmm+UUU)
        OTime = objEvent.OriginationTime
        odate = formatdatetime(cdate(DateSerial(Left(OTime, 4), Mid(OTime, 5, 2), Mid(OTime, 7, 2))),1) & " " _
            & formatdatetime(timeserial(Mid(OTime, 9, 2),Mid(OTime, 11, 2),Mid(OTime,13, 2)),4) & ":00 GMT"
        Set objField2 = objDom.createElement("item")
        objfield1.appendChild objField2
        ' Title: connecting IP, sender, subject and message size
        Set objField8 = objDom.createElement("title")
        objfield8.text = objEvent.clientip & " " & objEvent.SenderAddress & " " & objEvent.Subject & " " & objEvent.size
        objfield2.appendChild objField8
        Set objField9 = objDom.createElement("link")
        objfield9.text = ""
        objfield2.appendChild objField9
        ' Description: same fields as the title plus this recipient's address
        Set objField10 = objDom.createElement("description")
        objfield10.text = objEvent.clientip & " " & objEvent.SenderAddress & " " & objEvent.RecipientAddress((i-1)) _
            & " " & objEvent.Subject & " " & objEvent.size
        objfield2.appendChild objField10
        ' RecipientAddress is zero-based, hence (i-1)
        Set objField11 = objDom.createElement("author")
        objfield11.text = objEvent.RecipientAddress((i-1))
        objfield2.appendChild objField11
        Set objField12 = objDom.createElement("pubDate")
        objfield12.text = odate
        objfield2.appendChild objField12
        ' Release the per-item element references before the next recipient
        set objfield2 = nothing
        set objfield8 = nothing
        set objfield9 = nothing
        set objfield10 = nothing
        set objfield11 = nothing
        set objfield12 = nothing
    next
next
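
The loop above copies each archived message's sender address and subject, both chosen by whoever sent the spam, into the feed's title and description. The following VBScript is an added example, not part of the original script: it assumes subscribers' feed readers render the description element as HTML, and the helper names CleanXmlText and HtmlEncode and the sample values are made up for illustration.

```vbscript
' Added example, not part of the original script. Sample values are constructed.
Option Explicit

' Replace control codes (tab and line breaks included) and U+FFFE/U+FFFF with a
' space, so a subject carrying characters XML 1.0 forbids cannot corrupt the feed.
Function CleanXmlText(value)
    Dim s, i, code, out
    out = ""
    If Not IsNull(value) Then
        s = CStr(value)
        For i = 1 To Len(s)
            code = AscW(Mid(s, i, 1))
            If code < 0 Then code = code + 65536      ' AscW is signed in VBScript
            If code < 32 Or code >= 65534 Then
                out = out & " "
            Else
                out = out & Mid(s, i, 1)
            End If
        Next
    End If
    CleanXmlText = out
End Function

' HTML-encode markup so a reader that renders <description> as HTML shows the
' sender and subject as literal text ("&" must be replaced first).
Function HtmlEncode(value)
    Dim s
    s = Replace(value, "&", "&amp;")
    s = Replace(s, "<", "&lt;")
    s = Replace(s, ">", "&gt;")
    HtmlEncode = Replace(s, """", "&quot;")
End Function

' Constructed values standing in for objEvent.SenderAddress and objEvent.Subject
Dim objDom, objItem, objDesc, strSender, strSubject
strSender = "spammer@example.invalid"
strSubject = "Cheap <b>offer</b>" & Chr(7) & " <a href=""http://example.invalid/"">click</a>"

Set objDom = CreateObject("MICROSOFT.XMLDOM")
Set objItem = objDom.createElement("item")
objDom.appendChild objItem
Set objDesc = objDom.createElement("description")
' .text leaves XML escaping to the DOM; HtmlEncode adds the HTML layer beneath it
objDesc.text = HtmlEncode(CleanXmlText(strSender & " " & strSubject))
objItem.appendChild objDesc
WScript.Echo objDom.xml
```

In the item loop, the same two calls would wrap the string assigned to objfield10.text; run the block on its own with cscript to see the doubly encoded output.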

The last section of code writes the XML string as a file. This file needs to be located on a web server so it can be subscribed to via an RSS news aggregator.

Set objPI = objDom.createProcessingInstruction("xml", "version='1.0'")
objDom.insertBefore objPI, objDom.childNodes(0)

objdom.save("d:\inetpub\wwwroot\intranet\imffeed.xml")

Installing and Running the Script

To run the script, you can create a scheduled task that runs this script every 15 minutes (or whatever update period you would like).

The XML file the script creates will contain the last 2 days' worth of IMF spam data. You can adjust this depending on your needs, e.g. if people shut down their machines over the weekend you may want to extend the period to 3 or 4 days. For instance, to change the scope to the last 7 days, change the following line (see the VBScript documentation for more information on using DateAdd):

dtListFrom = DateAdd("d",-2,dtListFrom)

To

dtListFrom = DateAdd("d",-7,dtListFrom)

Disclaimer: Your use of the information contained in these pages is at your sole risk. All information on these pages is provided "as is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Stephen Bryant or Pro Exchange. OutlookExchange.Com, Stephen Bryant and Pro Exchange shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

Copyright Stephen Bryant 2008