Track email

Posted on 2007-10-08
Last Modified: 2010-03-17
I have an email that a user received from himself. It says his name in the from and to fields. Is there any way to track where this email came from and who sent it disguised as the user? We use Exchange 2003.
Question by: rajaroraus
    LVL 9

    Expert Comment

    You can look at the email headers. It will give you hints as to the source of the email.

    Right-click the email and select Options in the Inbox view.

    The Internet Headers will give you some idea of where it came from.

    Author Comment

    I have already tried that and this particular email does not show any headers. I also tracked the email in Exchange System Manager and it only shows as being sent from the same person to himself.
    LVL 9

    Accepted Solution

    That means that it was sent from your own server.  

    So, there are a couple of things here.

    Do you have an open relay?  Not likely, but it's possible.

    The email was sent from another user on your network.

    This could also be some malware on the network that is using address book entries.

    LVL 58

    Assisted Solution

    If there are no message headers and ESM Message Tracking shows that the user sent it to himself, then either:

    a) The user did send it to himself;
    b) Someone has compromised the security of the user's account with their username and password and sent the message to the user using his credentials whilst logged in to the Exchange server. As it is local, it wouldn't show any headers. This could be through OWA, SMTP account etc.

    I would assume it's the latter, in which case you should immediately change the user's password. You can also examine the IIS logs to look at OWA activity for this particular user; do a search for W3SVC1 and the log files for IIS's default website are in there, sorted by date.
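
One way to carry out the IIS log review suggested in the answer above, as an added example that is not part of the original thread: it reads a W3C extended log, keeps the authenticated requests one account made under the OWA path, and groups them by client IP so an unfamiliar source stands out. The account `jsmith`, the domain `EXAMPLE`, the IP addresses and the log lines are constructed, and `/exchange` is assumed to be the OWA virtual directory.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (jsmith, EXAMPLE and the IPs are made up).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2007-10-08 09:12:01 GET /exchange/jsmith/Inbox EXAMPLE\\jsmith 10.0.0.25 Mozilla/4.0 200
2007-10-08 09:12:40 POST /exchange/jsmith/Drafts EXAMPLE\\jsmith 10.0.0.25 Mozilla/4.0 200
2007-10-08 14:03:17 GET /exchange/jsmith/Inbox EXAMPLE\\jsmith 203.0.113.50 Mozilla/5.0 200
2007-10-08 14:04:02 POST /exchange/jsmith/Drafts jsmith 203.0.113.50 Mozilla/5.0 200
2007-10-08 14:05:00 GET /exchange/other/Inbox EXAMPLE\\other 10.0.0.31 Mozilla/4.0 200
2007-10-08 14:06:00 GET /exchange/jsmith/Inbox - 198.51.100.7 Mozilla/5.0 401
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def owa_activity(text, username, prefix="/exchange"):
    """Summarise authenticated OWA requests for one account, grouped by client IP."""
    wanted = username.lower()
    summary = defaultdict(lambda: {"requests": 0, "posts": 0, "first": None, "last": None})
    for row in parse_w3c(text):
        # cs-username may be logged as DOMAIN\user, user@domain or just user
        account = row.get("cs-username", "-").split("\\")[-1].split("@")[0].lower()
        if account != wanted or not row.get("cs-uri-stem", "").lower().startswith(prefix):
            continue
        entry = summary[row["c-ip"]]
        stamp = row["date"] + " " + row["time"]  # W3C extended logs record UTC
        entry["requests"] += 1
        entry["posts"] += row["cs-method"] == "POST"
        entry["first"] = entry["first"] or stamp
        entry["last"] = stamp
    return dict(summary)

if __name__ == "__main__":
    for ip, info in sorted(owa_activity(SAMPLE_LOG, "jsmith").items()):
        print(ip, info)
```

Compare the `first` and `last` times for each client IP against the time the message was sent, and remember that the log times are UTC.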

    LVL 104

    Assisted Solution

    It could also be someone with Send As permissions.
    You should check who has Send As and whether anyone can send as anyone else.


    If your question has been answered, please remember to accept the answer and close the question.
