Forensic Search for Email Recipient

Incident response
Hello, I am hoping someone can help me with a question. I have found through a return receipt that someone within my organization has been intercepting an e-mail. I think someone may have spoofed the user ID that is indicated on the return receipt. Is there any way in Notes for an Administrator to determine the device ID that initiated the return receipt (or any other method to specifically identify the actual receiver)? Thanks in advance for any insight you can provide.

Answer Wiki


This response considers that you are using Outlook/Exchange.

You can view the email headers for the server sending the email (SMTP) to tell who was the actual sender. Double-click the message and then click on View/Options. There is no requirement for the From and To information within the message to be accurate, but the headers tell all. It’ll show you where the message came from, what server version they were using, the IP Address, domain, etc. Obviously, this takes into consideration that the email server that the email was sent from was not spoofed, however, the IP Address must be a valid address. If the IP were spoofed, the real email server would reset the connection since it did not generate the traffic or the three-way TCP handshake will not occur…

If the address was sent internally, the server would use the MTA to send the email. You would need to look at the message ID and go back to the server to look for the person who sent the email, but it will only give you information if you have message tracking already on. The same applies for SMTP email coming from outside your Exchange organization, but at least you have some information contained in the header to go by with external emails.

I think that you can get the message ID by looking at the view/options method for viewing headers. I’m not connected to an Exchange server right now to verify it, however. The difference is that you won’t have any SMTP headers. If you are going to find the message ID, this is where you’d find it.

Hope that helps.

The email header may also help in tracking the IP details, since the case you mention could be one of IP theft as well as email spoofing.
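As an added illustration of the header walk described above (example code, not from the thread or any vendor tool): a Python script that parses the Received: chain of a constructed message oldest-first, pulls out the Message-ID and From: address, and treats only hops recorded by the organisation's own relays (a hypothetical TRUSTED_RELAYS set) as reliable, because every header beneath the first trusted relay was written by the sending side and can say anything.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not from the thread). From: claims one sender, but the Received:
# chain, which each relay prepends as it accepts the message, records what really happened.
RAW_MESSAGE = b"""Received: from mx-edge.example.org (mx-edge.example.org [203.0.113.10])
\tby mail.example.org with ESMTP id abc123; Mon, 1 Jan 2024 10:00:03 +0000
Received: from workstation-42.example.org ([192.0.2.77])
\tby mx-edge.example.org with ESMTP id def456; Mon, 1 Jan 2024 10:00:01 +0000
Message-ID: <constructed-0001@example.org>
From: "Chief Executive" <ceo@example.org>
To: finance@example.org
Subject: Return receipt test

Please confirm receipt.
"""

# Hypothetical relays the organisation runs; only hops they wrote are trusted.
TRUSTED_RELAYS = {"mail.example.org", "mx-edge.example.org"}
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw: bytes) -> list:
    """Relay hops oldest-first (Received: headers are prepended, so the bottom one is
    nearest the origin): the name the peer claimed, the IP seen, and who wrote it."""
    hops = []
    for header in reversed(email.message_from_bytes(raw).get_all("Received", [])):
        m = HOP_RE.search(header)
        if not m:
            continue  # non-standard Received: line; skip rather than guess
        claimed, comment, by = m.groups()
        ip = IP_RE.search(comment or "")
        hops.append({"claimed": claimed, "ip": ip.group(1) if ip else None, "by": by})
    return hops

def origin_hop(hops: list, trusted: set):
    """First hop accepted by a relay we control. Anything below it was written by the
    sending side and could be fabricated, so this IP is the best evidence of entry."""
    return next((h for h in hops if h["by"] in trusted), None)

def trace(raw: bytes, trusted: set) -> dict:
    """Pull together the fields the answer says to check: Message-ID, From:, origin."""
    msg = email.message_from_bytes(raw)
    origin = origin_hop(received_chain(raw), trusted)
    return {
        "message_id": msg.get("Message-ID"),
        "from_addr": parseaddr(msg.get("From", ""))[1],
        "origin_ip": origin["ip"] if origin else None,
    }
```

Narrowing TRUSTED_RELAYS to just the internal mailbox server moves the origin outward to the edge relay's IP, which is the practical meaning of "the IP address must be a valid address": you can only vouch for what your own servers recorded.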


Discuss This Question: 3 Replies

  • Sonyfreek
    Sorry! I missed the Lotus Notes reference... Can't help you there, but the theory should be the same. Check your logs since you suspect an insider. SF
  • developmentw
    If you are having problem in viewing the header you may go through my creation i.e. MailXaminer. In this you just need to fetch your EDB/PST files in it. It will give you fastest email analysis by providing view of multiple hidden properties of email (header, IP, Message Id etc.). Also you can view the hex code of email for the deep analysis in its environment.
  • TomLiotta
    "In this you just need to fetch your EDB/PST files..." That might be helpful if you can explain where a Notes user will find any "EDB/PST files". Tom
