We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now


Trace source PC of an e-mail

TS_MikeH asked
Medium Priority
Last Modified: 2012-06-27
An (now ex) employee is denying sending company information to their home e-mail address before leaving. Unfortunately for him, all e-mails in and out are copied to the Administrator account (Exchange 2003 on SBS2003) so we know it was sent despite him clearing out his 'sent items'. However, the claim now is that 'someone else must have sent it from a different PC'.

We can tie him down to being at a certain PC at a certain time when the e-mails were sent. Is there any way of the system giving us the IP address or computer name of PC that these e-mails were sent from?
Watch Question


Better add that all PCs just use Outlook 2003 to connect to the Exchange server, so nothing complicated etc
Stephen CroftTechnical Architect

Have you checked the headers for any information? If not, you could maybe look through the message tracking logs (if enabled).

If not, just politely remind him that it is his responsibility to keep his account secure, and anything done from his account is his responsibility.



Thanks for the quick reply. However, I've checked the message header and there's nothing in there (that I can see) and the MTC confirms that it was sent, but doesn't tell me where it's come from.

Stephen CroftTechnical Architect

Can you not see where it was submitted from?

If not, tough luck sorry :(

I agree with djxtreme.

Does the user admit to giving out his account login information?  You can only send email from that account if the account is logged in!

Now as for the IP address...disregard this if i am interpertting this incorrectly.

Are you having trouble getting the IP address of the computer, or is the problem that you are trying to find bonified proof that the messages were tied to that ip address?

Other than comparing security Events in Event viewer of the local computer and comparing it to the time the messages were sent, I wouldn't know how to tie them together.


The EX-user is denying all knowledge of these e-mails being sent out. We can place him at a particular PC (his 'own' one) between 3pm and 3:15pm on a particular date, and we can also show that e-mails were sent out between those times. It's blindingly obvious to us all that he sent them, but how can we PROVE that they came from the PC (static IP and machine name of which are known) that he was sitting at.

Playing devils advocate, he cpould say that the IT administrator changed the settings on his Exchange account and then sent these e-mails from another PC using his e-mail account. Theoretically possible, so I've got to prove they came from his PC.

Yeah I understand your prediciment. It is also worth noting that there would be logs showing that kind of action was taken...if it were the case.

Does your organization plan on seeking legal/law enforcement intervention on this?  

If I were in your shoes this is how I would begin:

First. Take physical control of the computer you suspect was used to do this.  Keep it off the network and in a secure location.
Next. Disable the user's account if not already done. Do not allow the user to do anything else...like possibly covering their tracks.

Utilize the Exmerge Utility for exchange.    This utility can be used to track all iterations of sent/received messages. Handy information for investigations.

Download Sysinternals, and look up forensic policies. Sysinternals has some forensic tools that may be able to help tracking all this information.

make a copy of that hard drive's image. Use sysinternals products on that copy to see if you can pull up any data that proves he commited an offense.

I am trying to find a good link to using sysinternals for forensics.

Didn't realize you said he's already gone.  It would be nice if his network account is still on the network tho.

Here's some utils on sysinternals. Click on the utilities index.

Stephen CroftTechnical Architect

You dont have SMTP logging enabled do you?
Expert of the Quarter 2009
Expert of the Year 2009
If the email messages were sent by Outlook using MAPI then there is nothing stored by Exchange will show what IP address the message was sent from.

SMTP logging - will show nothing.
There are no logs of the IP addresses connecting to the Exchange server at any time.

A decent lawyer would be able to get out of it anyway. The only thing that would stand up in court is a video or witnesses.

If they decide to use the "An administrator changed the settings" ploy, then you will need to prove that with logging. If you have accounts with access to all mailboxes then that defence has been won, because you cannot prove it didn't happen.

I hate to say it, but all you can prove is the emails were sent by his account, not physically by that individual or that machine.

I am not a lawyer though and I don't play one on EE.


Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


L3370 - I'm familiar with Sysinternals, but am not aware of any of their utilities that would help me get the info I require. Have I overlooked one? Also, you suggest using Exmerge - will this give me the info I require?

My thoughts are the same as Mestha's (ie "all you can prove is the emails were sent by his account, not physically by that individual or that machine."). Can anyone offer any ideas to the contrary?




Whilst I was hoping for a solution, the original question was 'is there a way' and it seems that the answer is 'no, there isn't'

Thanks for the assistance / ideas though
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.