Solved

email / security tracing an e-mail

Posted on 2007-04-10
277 Views
Last Modified: 2013-11-16
Hello experts,

I think this question really needs some serious expertise. Here’s the configuration:
Setting: Public School up North.
OS: Win Server 2003
School district application: MS Exchange
Clients: MS-outlook

A few employees are receiving targeted e-mails. These e-mails are not like the regular spam (even though they may fall into this category) since they address very specific information about the employees’ private life and other personal information. The “spammer” is knowledgeable enough to impersonate the user’s own email address. In clear, the spammer uses the employee’s own email address, i.e. janedoe@example.net, to send nasty e-mails to other employees.
Assuming that this spammer is an actual employee of the district, is there any way that he or she can be traced back? The big problem is the fact that the spammer is most likely hiding behind the district’s firewall. What could be the most efficient way to track these e-mails back to the originator? Some applications like “Visual IP Trace” were used but stopped at the firewall.

Any hints would be greatly appreciated.
Thanks.
Question by:Nyko333
 
LVL 104

Accepted Solution

by:
Sembee earned 400 total points
ID: 18885917
If you can see the header information of the email message that will show where the message is coming from. However that will only get you to the mail server or firewall of the sending site.

If the email content is not nice then I think you should call in higher assistance. Law enforcement or if this is something within the same employer, managers. With appropriate logging on the server that is sending the message it is possible to track the user, but you need the cooperation of the admin of the other server.

I have found that in some cases getting to the firewall (or as I refer to it, proving which door it came out of) is enough to find the culprit. I am personally responsible for four people losing their jobs due to the evidence I found when they were targeting employees of the company or client I was working for - in all four cases it was females being targeted by males.

Simon.
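As an added example (not code from the thread or from any of its posters), here is the header walk Sembee describes, written in Python against a constructed message. It reconstructs the Received chain, then trusts only the hops stamped by servers the school district itself runs, because any Received line below the first hop that touched your own server could have been forged by the sender. The host names, the 192.0.2.0/24 and 10.0.0.0/8 ranges and the set of trusted servers are assumptions for the example, not values from the question.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Constructed sample message (not a real capture). The From: claims to be the
# employee, but the first hop is a workstation behind the district's own relay,
# which is the situation the question describes.
SAMPLE = """\
Return-Path: <janedoe@example.net>
Received: from relay.example.net (relay.example.net [192.0.2.5])
 by mail.example.net with ESMTP id DEF456;
 Tue, 10 Apr 2007 09:11:59 -0400
Received: from WORKSTATION42 (unknown [10.20.30.44])
 by relay.example.net with SMTP id GHI789;
 Tue, 10 Apr 2007 09:11:55 -0400
From: janedoe@example.net
To: johndoe@example.net
Subject: constructed test message

body
"""

# Assumed for the example: servers the district administers (their Received
# stamps can be trusted) and the address space behind its firewall.
TRUSTED_HOSTS = {"mail.example.net", "relay.example.net"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]

# "from <helo> (<reverse-dns> [<ip>]) by <server> ..." as most MTAs write it.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)",
                    re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Return the Received hops oldest-first, each as {'helo', 'ip', 'by'}."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold the header onto one line
        m = HOP_RE.search(flat)
        if not m:
            continue
        ip_match = IP_RE.search(m.group("paren") or "")
        hops.append({"helo": m.group("helo"),
                     "ip": ip_match.group(1) if ip_match else None,
                     "by": m.group("by").lower()})
    hops.reverse()  # every MTA prepends its stamp, so the last header is the first hop
    return hops


def trusted_origin(hops, trusted_hosts=TRUSTED_HOSTS):
    """Walk from the newest hop backwards and stop at the first stamp not written
    by one of our own servers; the last trusted stamp names the earliest hop we
    can actually vouch for (anything older may be forged)."""
    origin = None
    for hop in reversed(hops):
        if hop["by"] not in trusted_hosts:
            break
        origin = hop
    return origin


def is_internal(ip):
    """True when the address sits inside the district's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def trace(raw):
    """Summarise where the message entered the trusted part of the path."""
    hops = parse_hops(raw)
    origin = trusted_origin(hops)
    if origin is None or origin["ip"] is None:
        return {"origin_ip": None, "inside_firewall": False, "hops": len(hops)}
    return {"origin_ip": origin["ip"],
            "origin_helo": origin["helo"],
            "inside_firewall": is_internal(origin["ip"]),
            "hops": len(hops)}


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE):
        print(f"{hop['helo']:<20} [{hop['ip']}]  ->  {hop['by']}")
    print(trace(SAMPLE))
```

For the constructed message the first trustworthy hop is 10.20.30.44, an address inside the firewall, which is exactly where header tracing stops being useful and server-side records take over: the relay's own SMTP log for that session, plus DHCP lease and switch-port records for that address at 09:11:55, tie the hop to a machine rather than to a mailbox. When the origin address is external instead, the chain tells you only which outside mail server handed the message over, as Sembee says.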
 
LVL 5

Assisted Solution

by:dr_shivan
dr_shivan earned 100 total points
ID: 18886971
Nyko333,

There's 2 ways to spoof an email address.
1) by changing the email sender in one's local email client
2) by manually doing a pop relay from an open relay server.

For instance 1, yes, you can do what Sembee has suggested above, but for instance 2, it's kinda hard to trace as it's all hidden through so many servers. Even though you may think it originated from that particular source, maybe it didn't.

Reporting to the higher authority is your best bet. What if you found out who did it? Can you bring matters into your own hands? In the end you will still bring in the authority, so better be safe than sorry and leave the work to them. At least you'll be safe until the time comes.
 

Author Comment

by:Nyko333
ID: 18889938
Good morning Sembee & dr.Shivan,

Thanks a lot for your feedback. The very first thing I did was to check the headers, and I used Visual IP to trace it back to the firewall. However, I am at a dead end at this point and the Exchange Admin is at the same point, meaning lost at the firewall. I was wondering if there's a software package out there that could take the info from the Exchange log files and trace it back to the originator. There should logically be some kind of a digital stamp for every email that a client sends out. I am also considering Shivan's suggestion of bringing in the authorities, but it will be the last move. I'll wait a couple of days for some more feedback and take it from there.
Thanks to both of you for your insights.
Nyko.
 
LVL 104

Expert Comment

by:Sembee
ID: 18890568
If the messages are being sent via Exchange servers then your options are very limited. If the messages are being sent via SMTP servers or bounced off an Exchange server then logging on the SMTP servers involved set to the required levels may throw up the IP address that is being used.

Simon.