
MS exchange 2007 journaling misuse

lakeofafrica asked
Hi,

I have just taken over a new client and completed what I felt was a reasonable changeover by ensuring all domain admin passwords were changed, remote access changed, etc., and went through Active Directory with the new client and ensured that no users were there that didn't need to be.

Anyway, they have brought it to my attention that they believe sensitive information is being leaked via email and think there is a hole somewhere, so I dug deeper and did some message tracking and found that Exchange 2007 had the journaling feature enabled and set to globally record all messages. Now this is a small organisation, and my understanding of journaling is that it is for legal and archival purposes, neither of which appears necessary for this group.

I wondered if there was a way to check if the journaling email was being remotely accessed via webmail, or any other way to ascertain if this email is being misused. Beyond confirming that the feature is enabled, I can't really prove any malicious activity. I haven't changed the password yet in the hope of discovering a way to track it.


Have you accessed the journal account yet? If not, you can run Get-MailboxStatistics | fl in the Exchange console to see who last accessed it.

If you have already accessed the journal mailbox, you need to enable auditing and pray that the person will access the account again.
Reference: http://blogs.technet.com/b/exchange/archive/2009/09/03/3408210.aspx
Thanks a bunch cybera, great start. Gave that a go; I did find a user account that shouldn't have been there and had been accessed recently, but it wasn't the culprit, and I also enabled logging in the hope of seeing access to the journal email.

But ultimately I was able to find the answer through the IIS logs for Outlook Web Access: the journal email account was accessed from multiple external IPs.


Once I had found the logs, I got the IPs and used the following sites to obtain more information.


Thanks for your help cybera


Thanks to cybera, I was able to look immediately at the right location


Thank Cybera
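
The IIS log review described in the thread, as an added example that is not part of the original posts: a Python script that reads IIS W3C extended logs, keeps successful OWA requests made as the journal account, and summarises them per external client IP. The account name `journal`, the `EXAMPLE` domain, the internal network ranges and the sample log lines are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: these ranges count as "internal"; replace with the site's own networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in IIS W3C extended format (IIS logs times in UTC).
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2011-03-01 02:14:09 192.168.1.10 GET /owa/ - 443 EXAMPLE\journal 203.0.113.45 Mozilla/5.0 200
2011-03-01 09:30:00 192.168.1.10 GET /owa/ - 443 EXAMPLE\alice 192.168.1.77 Mozilla/4.0 200
2011-03-02 23:51:40 192.168.1.10 GET /owa/ ae=Folder&t=IPF.Note 443 EXAMPLE\journal 198.51.100.7 Mozilla/5.0 200
2011-03-03 08:05:12 192.168.1.10 GET /owa/ - 443 EXAMPLE\journal 192.168.1.50 Mozilla/4.0 200
2011-03-04 01:02:03 192.168.1.10 GET /owa/ - 443 journal@example.local 203.0.113.45 Mozilla/5.0 200
2011-03-04 01:05:00 192.168.1.10 GET /owa/ - 443 EXAMPLE\journal 203.0.113.45 Mozilla/5.0 401
"""

def account_name(cs_username):
    """Reduce DOMAIN\\user or user@domain to the bare, lower-cased account name."""
    return cs_username.split("\\")[-1].split("@")[0].lower()

def is_external(ip_text):
    return not any(ipaddress.ip_address(ip_text) in net for net in INTERNAL_NETS)

def external_owa_access(lines, account):
    """Per external client IP: successful OWA hits by `account`, first and last seen."""
    fields, hits = [], defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem, user = row.get("cs-uri-stem", "").lower(), row.get("cs-username", "-")
        if not stem.startswith("/owa") or account_name(user) != account.lower():
            continue
        if not row.get("sc-status", "").startswith("2") or not is_external(row["c-ip"]):
            continue
        when = f'{row["date"]} {row["time"]}'
        h = hits[row["c-ip"]]
        h["count"] += 1
        h["first"] = h["first"] or when
        h["last"] = when
    return dict(hits)

if __name__ == "__main__":
    for ip, h in external_owa_access(SAMPLE_LOG.splitlines(), "journal").items():
        print(ip, h["count"], h["first"], h["last"])
```

The first-seen and last-seen times per IP give the window to compare against the password and remote-access changes made during the changeover.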
