Link to home
Start Free TrialLog in
Avatar of Jerry Seinfield
Jerry SeinfieldFlag for United States of America

asked on

User would like to investigate a message that never sent

Hi Experts,

An user is complaining that she never sent an specific email, and would like to know root cause of this.

I did trace the message from Exchange 2007 EMC, Tools, and looks like the message was sent, however it is not showing in her sent or Blackberry device

Any ideas?

Avatar of endital1097
Flag of United States of America image

enable the recovery bin for Outlook and then go to tools, recover deleted items for the sent items folder
make sure it wasn't permanently deleted
when you run the get-messagetrackinglog cmdlet look at the sourcecontext value
there is a mailbox guid value in there

use that value with the get-mailbox cmdlet to determine the source mailbox
Avatar of Jerry Seinfield


The sourcecontext value does not have any values

Any ideas?
run the get-messagetracking log against the mailbox server
if there is no eventid = submit, then i would start thinking the message is spoofed
Avatar of Sudeep Sharma
I think the same, I believe the message is spoofed. To verify this I would ask for the headers of the email which was sent to the recipient. Could you contact the recipient and ask them to provide the internet headers of the email.

That would confirm if the message was sent from your servers or it was spoofed and sent from some other server

I ran message tracking again on hub server, and results below

something strange, that sender column has not been exported into a csv file, but i can see that row in message tracking tool
that is a powershell issue (not real issue, but reason for output problem)

like sudeep said, the easiest way to determine the source is to get the message and view the headers (i thought this left the company)
the get-messagetrackinglog must be run against the mailbox server to verify that there is a SUBMIT eventid, this would tell us that the message reached the user's outbox for delivery
without the SUBMIT it's source is not the mailbox
Just to clarify, this issue is for internal users, not external
then go to the person that received the message
right-click on the message and select message options

you can track the flow of the message from the headers
if you need assistance you can post the headers
I ran the get-messagetracking log against the mailbox server and found there is an eventid = submit, please see attached file

Any other ideas?
this message appears to have been sent using a bb device, look at the message id

i would get the message headers from someone that received the message to verify
Hi endital1097,

We finally got the message headers for both sender and receiver, same as attached file, and I found it in her deleted items.

Both users swear they did not compose the message, nor send it.

Any ideas?
here is an example of the headers we would like to see:

Received: from ( by ( with Microsoft SMTP Server id;
 Thu, 9 Sep 2010 13:45:08 -0400
Received: from (localhost [])      by (8.14.4/8.14.4) with ESMTP id o89HliWx033477      for
 <>; Thu, 9 Sep 2010 10:47:44 -0700 (PDT)      (envelope-from
I just connected to her computer, and I found it in her deleted items…

Both users swear they did not compose the message, nor send it.

Any ideas why this happened?

Any know issues, or bug in outlook/exchange2007 I should be aware of?

Avatar of endital1097
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial