

email / security tracing an e-mail

Posted on 2007-04-10
Medium Priority
Last Modified: 2013-11-16
Hello experts,

I think this question really needs some serious expertise. Here's the configuration:
Setting: Public school up North.
OS: Win Server 2003
School district application: MS Exchange
Clients: MS Outlook

A few employees are receiving targeted e-mails. These e-mails are not like the regular spam (even though they may fall into this category) since they address very specific information about the employees' private lives and other personal information. The "spammer" is knowledgeable enough to impersonate the user's own email address. To be clear, the spammer uses the employee's own email address, i.e. janedoe@example.net, to send nasty e-mails to other employees.
Assuming that this spammer is an actual employee of the district, is there any way that he or she can be traced back? The big problem is the fact that the spammer is most likely hiding behind the district's firewall. What could be the most efficient way to track these e-mails back to the originator? Some applications like "Visual IP Trace" were used but stopped at the firewall.

Any hints would be greatly appreciated.
Question by: Nyko333

Accepted Solution

Sembee earned 1200 total points
ID: 18885917
If you can see the header information of the email message, that will show where the message is coming from. However, that will only get you to the mail server or firewall of the sending site.

If the email content is not nice then I think you should call in higher assistance: law enforcement or, if this is something within the same employer, managers. With appropriate logging on the server that is sending the message it is possible to track the user, but you need the cooperation of the admin of the other server.

I have found that in some cases getting to the firewall (or, as I refer to it, proving which door it came out of) is enough to find the culprit. I am personally responsible for four people losing their jobs due to the evidence I found when they were targeting employees of the company or client I was working for - in all four cases it was females being targeted by males.


Assisted Solution

dr_shivan earned 300 total points
ID: 18886971
Nyko333,

There are two ways to spoof an email address.
1) by changing the email sender in one's local email client
2) by manually doing a pop relay from an open relay server.

For instance 1, yes, you can do what Sembee has suggested above, but for instance 2, it's kind of hard to trace as it's all hidden through so many servers. Even though you may think it originated from that particular source, maybe it isn't.

Reporting to the higher authority is your best bet. What if you found out who did it? Can you take matters into your own hands? In the end you will still bring in the authority, so better be safe than sorry and leave the work to them. At least you'll be safe until the time comes.

Author Comment

ID: 18889938
Good morning Sembee & dr.Shivan,

Thanks a lot for your feedback. The very first thing I did was to check the headers, and I used Visual IP to trace it back to the firewall. However, I am at a dead end at this point and the Exchange admin is at the same point, meaning lost at the firewall. I was wondering if there's a software package out there that could take the info from the Exchange log files and trace it back to the originator. There should logically be some kind of digital stamp for every email that a client sends out. I am also considering Shivan's suggestion of bringing in the authority, but it will be the last move. I'll wait a couple of days for some more feedback and take it from there.
Thanks to both of you for your insights.

Expert Comment

ID: 18890568
If the messages are being sent via Exchange servers then your options are very limited. If the messages are being sent via SMTP servers or bounced off an Exchange server, then logging on the SMTP servers involved, set to the required levels, may throw up the IP address that is being used.
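Sembee's point about logging on the SMTP servers, as an added example that is not part of his comment: given an SMTP protocol log in W3C extended format, find the session that carried a given Message-ID and report the connecting IP, the authenticated user (if any), the HELO name and the envelope sender and recipients. The log lines, the enabled field set, and the placement of the Message-ID in the DATA line's cs-uri-query are constructed assumptions for this example; the #Fields directive is parsed rather than hard-coded so the same code adapts to whatever fields are actually enabled on the virtual server.

```python
"""Pull the SMTP session that delivered a given Message-ID out of an
SMTP protocol log written in W3C extended format."""
import re

# Constructed sample log for this example (not from the thread). Two clients
# talk to the server at the same time, so lines from different sessions are
# interleaved and must be separated by client IP. cs-username is "-" when
# the client did not authenticate, which is the interesting case here.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-04-10 13:00:00
#Fields: date time c-ip cs-username s-computername s-ip cs-method cs-uri-query sc-status
2007-04-10 13:14:50 192.168.5.77 - EXCH01 10.0.0.5 HELO +janedoe-pc 250
2007-04-10 13:14:50 192.168.9.14 scanner EXCH01 10.0.0.5 HELO +lab-pc 250
2007-04-10 13:14:51 192.168.5.77 - EXCH01 10.0.0.5 MAIL +FROM:<janedoe@example.net> 250
2007-04-10 13:14:51 192.168.9.14 scanner EXCH01 10.0.0.5 MAIL +FROM:<lab@example.net> 250
2007-04-10 13:14:52 192.168.5.77 - EXCH01 10.0.0.5 RCPT +TO:<johnsmith@example.net> 250
2007-04-10 13:14:52 192.168.9.14 scanner EXCH01 10.0.0.5 RCPT +TO:<janedoe@example.net> 250
2007-04-10 13:14:52 192.168.5.77 - EXCH01 10.0.0.5 RCPT +TO:<admin@example.net> 250
2007-04-10 13:14:53 192.168.9.14 scanner EXCH01 10.0.0.5 DATA <20070410131453.0001@lab-pc> 250
2007-04-10 13:14:54 192.168.9.14 scanner EXCH01 10.0.0.5 QUIT lab-pc 240
2007-04-10 13:14:58 192.168.5.77 - EXCH01 10.0.0.5 DATA <20070410131458.A1B2@janedoe-pc> 250
2007-04-10 13:14:59 192.168.5.77 - EXCH01 10.0.0.5 QUIT janedoe-pc 240
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_w3c(text):
    """Turn a W3C extended log into a list of dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):        # other directives (Software, Date, ...)
            continue
        rows.append(dict(zip(fields, line.split())))
    return rows


def _arg(row):
    """The SMTP verb's argument; IIS-style logs prefix it with '+' for a space."""
    return row.get("cs-uri-query", "").lstrip("+")


def find_session_for_message_id(rows, message_id):
    """Find the DATA line carrying message_id, then walk back through earlier
    lines from the same client IP until the start of that session."""
    data_idx = next((i for i, r in enumerate(rows)
                     if r.get("cs-method") == "DATA" and message_id in _arg(r)), None)
    if data_idx is None:
        return None
    data = rows[data_idx]
    session = {
        "c_ip": data["c-ip"],
        "authenticated_user": data.get("cs-username", "-"),
        "time": f'{data["date"]} {data["time"]}',
        "helo": None,
        "mail_from": None,
        "rcpt_to": [],
    }
    for r in reversed(rows[:data_idx]):
        if r.get("c-ip") != data["c-ip"]:
            continue                     # another client's interleaved line
        verb, arg = r.get("cs-method"), _arg(r)
        if verb in ("DATA", "QUIT"):
            break                        # previous session from the same IP
        if verb in ("HELO", "EHLO"):
            session["helo"] = arg
        elif verb == "MAIL":
            m = ADDR_RE.search(arg)
            session["mail_from"] = m.group(1) if m else arg
        elif verb == "RCPT":
            m = ADDR_RE.search(arg)
            session["rcpt_to"].append(m.group(1) if m else arg)
    session["rcpt_to"].reverse()         # restore the order they were sent in
    return session


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    print(find_session_for_message_id(rows, "<20070410131458.A1B2@janedoe-pc>"))
```

The envelope sender (MAIL FROM) is as easy to forge as the From: header, so it is not the evidence; the lead is c-ip together with cs-username. An unauthenticated session from a LAN address that claims janedoe@example.net points at a workstation, and the timestamp is what you take to the DHCP or switch logs to name it. If the sender submitted the message from Outlook straight into the Exchange mailbox store, there is no SMTP session to find in this log at all, which is the case Sembee calls "very limited".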

