email / security tracing an e-mail

Hello experts,

I think this question really needs some serious expertise. Here’s the configuration:
Setting: Public School up North.
OS: Win Server 2003
School district application: MS-Exchange
Clients: MS-Outlook

A few employees are receiving targeted e-mails. These e-mails are not like the regular spam (even though they may fall into this category) since they address very specific information about the employees’ private life and other personal information. The “spammer” is knowledgeable enough to impersonate the user’s own email address. In clear the spammer uses the employee’s own email address ie:
to send nasty e-mails to other employees.
Assuming that this spammer is an actual employee of the district, is there any way that he or she can be traced back? The big problem is the fact that the spammer is most likely hiding behind the district’s firewall. What could be the most efficient way to track these e-mails back to the originator? Some applications like “Visual IP Trace” were used but stopped at the firewall.

Any hints would be greatly appreciated.

If you can see the header information of the email message that will show where the message is coming from. However that will only get you to the mail server or firewall of the sending site.

If the email content is not nice then I think you should call in higher assistance. Law enforcement or if this is something within the same employer, managers. With appropriate logging on the server that is sending the message it is possible to track the user, but you need the cooperation of the admin of the other server.

I have found that in some cases getting to the firewall (or as I refer to it, proving which door it came out of) is enough to find the culprit. I am personally responsible for four people losing their jobs due to the evidence I found when they were targeting employees of the company or client I was working for - in all four cases it was females being targeted by males.
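The header check described in this answer, as an added example that is not part of the original thread: it reads the `Received` chain oldest-first and returns the earliest hop recorded by a server you administer, since anything older can be written by the sender. The sample message, the hostnames and the `TRUSTED` set are constructed assumptions.

```python
import email
import ipaddress
import re

# Constructed sample: every hostname, address and ID below is made up.
RAW = """\
Received: from mail.district.example ([10.1.0.5]) by mbx.district.example
 with Microsoft SMTPSVC; Mon, 6 Mar 2006 08:14:09 -0500
Received: from LAB-PC-17 ([10.1.42.23]) by mail.district.example
 with SMTP; Mon, 6 Mar 2006 08:14:07 -0500
From: victim@district.example
To: colleague@district.example
Subject: constructed sample

body
"""

# Assumption: the mail servers you administer, whose Received lines you trust.
TRUSTED = {"mail.district.example", "mbx.district.example"}

HOP_RE = re.compile(
    r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?by\s+(\S+)", re.S)

def hops(raw):
    """Received hops, oldest first: (from_host, from_ip, by_host, is_private)."""
    out = []
    # Each server prepends its own header, so reverse for chronological order.
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue  # no bracketed IPv4 literal in this hop
        host, ip, by = m.groups()
        try:
            private = ipaddress.ip_address(ip).is_private
        except ValueError:
            continue  # malformed address, e.g. an octet above 255
        out.append((host, ip, by.rstrip(";"), private))
    return out

def earliest_trusted_hop(raw):
    """Oldest hop recorded by a server in TRUSTED; older lines may be forged."""
    for hop in hops(raw):
        if hop[2].lower() in TRUSTED:
            return hop
    return None

if __name__ == "__main__":
    print(earliest_trusted_hop(RAW))
```

A private address in that hop is why an external trace tool stops at the firewall; it is the value to look for in the sending server's own logs.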


Nyko 333,

There are 2 ways to spoof an email address.
1) by changing the email sender in one's local email client
2) by manually doing a pop relay from an open relay server.

For instance 1, yes you can do what Sembee has suggested above, but for instance 2, it's kinda hard to trace as it's all hidden through so many servers. Even though you may think it's originated from that particular source, maybe it isn't.

Reporting to the higher authority is your best bet. What if you found out who did it? Can you bring matters into your own hands? In the end you will still bring in the authority, so better be safe than sorry and leave the work to them. At least you'll be safe until the time comes.
Nyko333 (Author) commented:
Good morning Sembee & dr.Shivan,

Thanks a lot for your feedback. The very first thing I did was to check the headers and I used Visual IP to trace it back to the firewall. However, I am at a dead end at this point and the Exchange Admin is at the same point, meaning lost at the firewall. I was wondering if there's a software package out there that could take the info from the Exchange log files and trace it back to the originator. There should logically be some kind of a digital stamp for every email that a client sends out. I am also considering Shivan's suggestion of bringing in the authority but it will be the last move. I'll wait a couple of days for some more feedback and take it from there.
Thanks to both of you for your insights.
If the messages are being sent via Exchange servers then your options are very limited. If the messages are being sent via SMTP servers or bounced off an Exchange server then logging on the SMTP servers involved set to the required levels may throw up the IP address that is being used.
