Tracking the computer or source of an email

Tags:
Application security
Biometrics
Database
Digital certificates
Encryption
Exchange security
Firewalls
Forensics
Identity & Access Management
Incident response
Instant Messaging
Intrusion management
Microsoft Exchange
Network security
provisioning
Secure Coding
Security tokens
Single sign-on
VPN
Wireless
System: Ex 2003 back-end cluster, Ex 2003 Network Load Balanced front end. Hi there, A user's account has become compromised. They have since changed their password, but there are a few mails sent from their account that they did not send. Is it possible to find out the source, i.e. PC hostname or IP address, from where these mails were sent? Outlook Web Access logs, for example, have the source address when people log on. But there is no match for the particular datetime we are looking for. thx Mac
ASKED: July 21, 2006  3:55 AM
UPDATED: August 11, 2011  9:35 AM

Answer Wiki


Yes, you should be able to find the originating PC's IP address by right-clicking the email in Outlook, clicking Options, and scrolling down in the Internet headers section at the bottom to find that information.
You can also find that information in the EXCH SMTP logs by going to that date and zeroing in on the sender and receiver email domains or email addresses.

Discuss This Question: 3  Replies

  • Maclanachu
    Thx, but there are no headers from the sent box, and on the receiving side it only gives the IP address of our mail server. The originating computer's IP address is what I need to find. SMTP logs similarly only give the IP address of the mail server as source. Argh! ExMon can do live snapshots that give the source IP. Just need to find this in the logs somehow. Mac
  • Aalborz43
    You can also, in ESM, right-click on Logons folder under Mailbox Store. Select View/Add-Remove Columns and add Client IP address. Right-click again and do Refresh. If nobody has logged on to that mailbox since then, you should be able to see the IP address listed there.
  • Maclanachu
    Yeah, thx, came across that too, but alas this is from a few weeks back now. Am beginning to think this level of detail isn't permanently logged. Bugger! Mac
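
The question mentions searching the Outlook Web Access logs by date and time. The sketch below is an added example, not code from the thread: it filters IIS W3C extended log lines for requests that touch one mailbox inside a time window. IIS writes W3C timestamps in UTC, so the window given in local time is converted before matching. The log lines, the `EXAMPLE` domain, the mailbox name `mac`, the UTC+1 offset and the function name `owa_hits` are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended log format (not from the thread).
# Users, paths and times are invented; client IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem sc-status
2006-07-18 13:58:41 192.0.2.10 EXAMPLE\\jdoe 10.0.0.5 GET /exchange/jdoe/Inbox 200
2006-07-18 14:02:07 203.0.113.77 EXAMPLE\\mac 10.0.0.5 POST /exchange/mac/Drafts 201
2006-07-18 14:02:09 203.0.113.77 - 10.0.0.5 GET /exchweb/img/logo.gif 200
2006-07-18 19:30:00 198.51.100.4 EXAMPLE\\mac 10.0.0.5 GET /exchange/mac/Inbox 200
"""


def owa_hits(lines, mailbox, local_start, local_end, utc_offset_hours):
    """Return (utc_time, client_ip, method, uri) for requests touching `mailbox`
    within a window that the caller gives in local time."""
    offset = timedelta(hours=utc_offset_hours)
    start, end = local_start - offset, local_end - offset  # local -> UTC
    needle = mailbox.lower()
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order comes from the header
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        if "date" not in row or "time" not in row:
            continue
        when = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        if not start <= when <= end:
            continue
        user = row.get("cs-username", "-").lower().split("\\")[-1]
        uri = row.get("cs-uri-stem", "").lower()
        # Match the authenticated user or the mailbox path in the URL.
        if user == needle or f"/exchange/{needle}/" in uri:
            hits.append((when, row.get("c-ip"), row.get("cs-method"), row.get("cs-uri-stem")))
    return hits


if __name__ == "__main__":
    # Incident window in local time; UTC+1 is an assumed offset for the sample.
    window = (datetime(2006, 7, 18, 15, 0), datetime(2006, 7, 18, 15, 10))
    for hit in owa_hits(SAMPLE_LOG.splitlines(), "mac", *window, utc_offset_hours=1):
        print(*hit)
```

With a load-balanced front end, each front-end node keeps its own IIS log directory, so the lines from every node need to be fed through the same filter.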
