Microsoft Exchange - Inbound Domains Details Report

Administrators often want to know the domains from which most email messages are received and the size of the messages received from each domain. The Inbound Domain Details report helps administrators in this regard. With the help of this report, administrators can identify the individual domains from which mails were received, the number of mails received from each domain, and the total size of those mails. Using this report, administrators can rapidly figure out whether their users are corresponding with legitimate domains only or whether the mail activity is suspect - i.e., were many mails received from domains that seem phony? Is the mail size unusually large? This way, the report points to probable mail server abuse/hacking, based on which administrators can fine-tune firewall policies.

To generate the Inbound Domain Details report, do the following:

  1. Follow the menu sequence: REPORTS BY FUNCTION -> Domain-specific Reports -> Microsoft Exchange Online -> Inbound Domain Details.
  2. Figure 1 will then appear.

    Figure 1 : Specifying the criteria for the Inbound Domain Details report

  3. From Figure 1, select a criterion for analysis from the Analyze by list box. Using this report, you can analyze the performance of one/more components, or those that are part of a service or a segment. The options provided by the Analyze by list box are discussed hereunder:

    • Component: Select this option to choose the component(s) from across all the components that are available in the IT environment. For instance, for a report on the domain of a Microsoft Exchange server in the environment, select Component from the Analyze by list, select Microsoft Exchange 2013/2016 from the Component Type list, and then select the host listed in the Components list. If the Components list contains too many components, then viewing all of them and selecting the ones you need for report generation could require endless scrolling. To avoid this, you can click the button next to the Components list. The COMPONENTS pop-up window will then appear, using which you can view almost all the components in a single interface and Select the ones for which the report is to be generated. You can narrow your search further by using the Search text box. Specify the whole/part of the component name to search for in this text box, and click the icon next to it.
    • Service: Select this option if the components for which a report is to be generated are involved in the delivery of a business service. Then, select a Service.
    • Segment: Choose this option if the components to be evaluated are part of a segment. Then, pick a Segment for analysis.
    • Zone: Pick this option for a report on the performance of virtual components that are included in a zone. Then, choose a Zone.
  4. Then, specify the Timeline for the graph. You can either provide a fixed time line such as 1 hour, 2 days, etc., or select the Any option from the list to provide a From and To date/time for report generation.

    Note:

    For every user registered with the eG Enterprise system, the administrator can indicate the maximum timeline for which that user can generate a report. Once the maximum timeline is set for a user, then, whenever that user logs into eG Reporter and attempts to generate a report, the Timeline list box in the report page will display options according to the maximum timeline setting of that user. For instance, if a user can generate a report for a maximum period of 3 days only, then 3 days will be the highest option displayed in the Timeline list - i.e., 3 days will be the last option in the fixed Timeline list. Similarly, if the user chooses the Any option from the Timeline list and proceeds to provide a start date and end date for report generation using the From and To specifications, eG Enterprise will first check if the user's Timeline specification conforms to his/her maximum timeline setting. If not, report generation will fail. For instance, for a user who is allowed to generate reports spanning over a maximum period of 3 days only, the difference between the From and To dates should never be over 3 days. If it is, then, upon clicking the Run Report button a message box will appear, prompting the user to change the From and To specification.

  5. In addition to the settings discussed above, this report comes with a set of default specifications. These settings are hidden by default. If you do not want to disturb these default settings, then you can proceed to generate the report by clicking the Run Report button soon after you pick one/more components for report generation. However, if you want to view and then alter these settings (if required), click on the icon. The default settings will then appear in the MORE OPTIONS drop down window (See Figure 2). The steps below discuss each of these settings and how they can be customized.

    Figure 2 : The default settings for generating the Inbound Domain Details reports

  6. To view the Top-10 components, select Top-10 from the Show list. By default, the Top-<maximum number of active components for the test> will be the option chosen here - i.e., if this test takes a maximum of 5 components, then the Top-5 option will be selected here, by default.

    Note:

    The options to be listed in the Show list can be configured in the eg_report.ini file in the <EG_INSTALL_DIR>\manager\config directory. To achieve this, set the ShowTop parameter in the [INFOS] section of this file to a specific numeric value. For example, if you set ShowTop to 10, then the Show list will display the following options: Top-10, Top-2, Top-5, Last-10, Last-2, and Last-5.

  7. If the timeline specified for the report needs to exclude the data collected during the Weekends, then set Exclude weekends to Yes. If not, select No.

    Note:

    By default, the weekend constitutes Saturday and Sunday. To override this default setting, do the following:

    • Edit the eg_report.ini file in the <EG_INSTALL_DIR>\manager\config directory.
    • In the [Mail_Exchange] section of the file, the EXCLUDE_WEEKEND parameter is set to Saturday,Sunday by default. You can modify this by setting the EXCLUDE_WEEKEND parameter to a comma-separated list of other days of the week - say Friday,Saturday.
    • Save the file after making the required changes.
  8. Specify the start time and end time for report generation against the Time period field (See Figure 2).
  9. In large environments, reports generated using months of data can take a long time to complete. Administrators now have the option of generating reports on-line or in the background. When a report is scheduled for background generation, administrators can proceed with their other monitoring, diagnosis, and reporting tasks while the eG manager is processing the report. This saves the administrator valuable time. To schedule background processing of a report, select the Background Save - PDF option from the Report Generation list. In this case, a Report Name text box will appear, where you would have to provide the name with which the report is to be saved in the background. To process reports in the foreground, select the Foreground Generation - HTML option from this list.

    Note:

    • The Report Generation list will appear only if the EnableBackgroundReport flag in the [BACKGROUND_PROCESS] section of the eg_report.ini file (in the <EG_INSTALL_DIR>\manager\config directory) is set to Yes.
    • The default selection in the Report Generation list will change according to the Timeline specified for the report. If the Timeline set is greater than or equal to the number of days specified against the MinDurationForReport parameter in the [BACKGROUND_PROCESS] section of the eg_report.ini file, then the default selection in the Report Generation list will be Background Save - PDF. On the other hand, if the Timeline set for the report is less than the value of the MinDurationForReport parameter, then the default selection in the Report Generation list will be Foreground. This is because the MinDurationForReport setting governs when reports are to be processed in the background. By default, this parameter is set to 2 weeks - this indicates that by default, reports with a timeline of 2 weeks and above will be processed in the background.
  10. Finally, click the Run Report button to generate the report.

    Figure 3 : An Inbound Domain Details report

  11. The generated report, as shown in Figure 3, contains four sections. Let us now discuss each section in detail:

    • The first section of the report generated in Figure 3 is an overview section which reveals the number of unique domains, the number of mails received from the domains and the cumulative size of all the mails received from the domains.
    • The Distribution of Inbound Domains section provides a bird's-eye view of the mails received from various domains. Looking at this pie chart, administrators will be able to identify the domains from which most of the mails were received.
    • The Top 10 Inbound Domains section comprises a bar graph that lists the top-10 domains from which the mails were received. By merely looking at this section, administrators will be able to identify the domain from which the maximum number of mails were received and the exact count of the mails received from each domain.
    • The Details of Inbound Domains table lists the domains from which mails were received in the monitored environment and, against each domain, the number of mails received, the total size of the mails received from the domain and the average size of each mail received from the domain. Using these details, administrators may be able to verify whether mails are received from legitimate domains, constantly monitor the size of the mails and instantly identify mails that are abnormally large.
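
The review of the Details of Inbound Domains table described above can be scripted once the table's figures are available as text. The following is an added example, not part of eG Enterprise: the CSV layout, the `KNOWN_DOMAINS` allowlist and the `size_factor` threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
import statistics

# Constructed sample in an assumed CSV layout (domain, mail count, total KB).
SAMPLE_CSV = """domain,mails,total_size_kb
partner.example,420,63000
supplier.example,310,40300
news.example,150,12000
bank.example,95,14250
unknown-sender.example,64,5120
archive.example,12,98400
"""

# Hypothetical allowlist of domains the organization expects mail from.
KNOWN_DOMAINS = {"partner.example", "supplier.example", "news.example",
                 "bank.example", "archive.example"}


def load_rows(text):
    """Parse the table and derive the average mail size per domain."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        mails = int(rec["mails"])
        if mails <= 0:  # no mail received, so there is no average to judge
            continue
        rows.append({"domain": rec["domain"].strip().lower(), "mails": mails,
                     "avg_kb": float(rec["total_size_kb"]) / mails})
    return rows


def flag_domains(rows, known, size_factor=10.0):
    """Return {domain: [reasons]} for domains that need a closer look."""
    # Assumed rule: average size above size_factor x the median average.
    if not rows:
        return {}
    median_avg = statistics.median(r["avg_kb"] for r in rows)
    flagged = {}
    for r in rows:
        reasons = []
        if r["domain"] not in known:
            reasons.append("domain not on allowlist")
        if r["avg_kb"] > size_factor * median_avg:
            reasons.append(f"average size {r['avg_kb']:.0f} KB vs median {median_avg:.0f} KB")
        if reasons:
            flagged[r["domain"]] = reasons
    return flagged
```

The two checks are independent: a domain can be flagged for being unexpected, for an abnormal average size, or for both, and the allowlist match here is exact, so subdomains must be listed explicitly.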