Tracking the computer or source of an email

System: Ex 2003 back-end cluster, Ex 2003 Network Load Balanced front end.

Hi there, a user's account has become compromised. They have since changed their password, but there are a few mails sent from their account that they did not send. Is it possible to find out the source, i.e. PC hostname or IP address, from where these mails were sent? Outlook Web Access logs, for example, have the source address when people log on. But there is no match for the particular datetime we are looking for. thx Mac

Answer Wiki

Yes, you should be able to find the originating PC's IP address by right-clicking the email in Outlook, clicking on Options and, under the Internet headers section at the bottom, scrolling down to find that information.
You can also find that information in the EXCH SMTP logs by going to that date and zeroing in on the sender & receiver email domains or email addresses.
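
One way to run the log search described above against OWA's IIS logs, as an added example that is not part of the original answer: it parses W3C extended log lines using their `#Fields` directive and lists the client IPs recorded for a user around the send time. IIS writes W3C log times in UTC, so the local send time is converted first; the user names, addresses and log lines are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (not real log data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2006-03-14 09:58:02 10.1.4.23 EXAMPLE\\jsmith GET /exchange/jsmith/Inbox 200
2006-03-14 10:01:47 192.0.2.77 EXAMPLE\\jsmith POST /exchange/jsmith/Drafts 200
2006-03-14 10:02:10 10.1.4.50 EXAMPLE\\akhan GET /exchange/akhan/Inbox 200
#Fields: date time cs-username c-ip cs-uri-stem sc-status
2006-03-14 14:30:00 EXAMPLE\\jsmith 10.1.4.23 /exchange/jsmith/Inbox 200
"""

def parse_w3c(lines):
    """Yield one dict per entry, using the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated lines
                yield dict(zip(fields, values))

def clients_near(lines, user, sent_local, utc_offset_hours, window_minutes=5):
    """Return (utc_time, client_ip, uri) for `user` around a local send time."""
    sent_utc = sent_local - timedelta(hours=utc_offset_hours)
    window = timedelta(minutes=window_minutes)
    hits = []
    for e in parse_w3c(lines):
        if not all(k in e for k in ("date", "time", "c-ip", "cs-username")):
            continue                           # fields needed here were not logged
        name = e["cs-username"].lower().split("\\")[-1]   # drop DOMAIN\ prefix
        when = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        if name == user.lower() and abs(when - sent_utc) <= window:
            hits.append((when, e["c-ip"], e.get("cs-uri-stem", "-")))
    return hits

if __name__ == "__main__":
    # Message shows 11:00 local time on a server at UTC+1, so 10:00 UTC in the log.
    for when, ip, uri in clients_near(SAMPLE_LOG.splitlines(), "jsmith",
                                      datetime(2006, 3, 14, 11, 0), 1):
        print(when, ip, uri)
```

Searching the same sample for 11:00 without the UTC conversion returns nothing, which is worth ruling out when a log shows no match for a known send time.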

Discuss This Question: 3  Replies

  • Maclanachu
    Thx, but there are no headers from the sent box, and on the receiving side it only gives the IP address of our mail server. The originating computer's IP address is what I need to find. SMTP logs similarly only give the IP address of the mail server as source. Argh! ExMon can do live snapshots that give the source IP. Just need to find this in the logs somehow. Mac
  • Aalborz43
    You can also, in ESM, right-click on Logons folder under Mailbox Store. Select View/Add-Remove Columns and add Client IP address. Right-click again and do Refresh. If nobody has logged on to that mailbox since then, you should be able to see the IP address listed there.
  • Maclanachu
    Yeah thx, came across that too, but alas this is from a few weeks back now. Am beginning to think this level of detail isn't permanently logged. Bugger! Mac