
MS exchange 2007 journaling misuse

lakeofafrica asked:

Hi,

I have just taken over a new client and completed what I felt was a reasonable changeover by ensuring all domain admin passwords were changed, remote access changed etc., and went through Active Directory with the new client and ensured that no users were there that didn't need to be.

Anyway, they have brought it to my attention that they believe sensitive information is being leaked via email and think there is a hole somewhere, so I dug deeper and did some message tracking and found that Exchange 2007 had the journaling feature enabled and set to globally record all messages. Now this is a small organisation, and my understanding of journaling is that it is for legal and archival purposes, neither of which appears necessary for this group.

I wondered if there was a way to check if the journaling mailbox was being remotely accessed via webmail, or any other way to ascertain if this mailbox is being misused. Beyond confirming that the feature is enabled I can't really prove any malicious activity. I haven't changed the password yet in the hope of discovering a way to track it.

Thanks

Commented:
Have you accessed the journal account yet? If not, you can run Get-MailboxStatistics | fl in the Exchange console to see who last accessed it.

If you have already accessed the journal mailbox, you need to enable auditing and pray that the person will access the account again.
Reference: http://blogs.technet.com/b/exchange/archive/2009/09/03/3408210.aspx

Author

Commented:
Thanks a bunch cybera, great start. Gave that a go; I did find a user account that shouldn't have been there and had been accessed recently, but it wasn't the culprit. I also enabled logging in the hope of seeing access to the journal mailbox.

But ultimately I was able to find the answer through the IIS logs for Outlook Web Access: the journal email account was accessed from multiple external IPs.

http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/managing-exchange-server-2007-log-files-part2.html

Once I had found the logs, I got the IPs and used the following sites to obtain more information.

http://whatismyipaddress.com
http://www.geobytes.com/IpLocator.htm?GetLocation

Thanks for your help cybera
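The IIS log check the asker describes above, written out as an added example (not code from the thread): it reads W3C-format IIS logs, keeps only OWA requests authenticated as the journal account, and reports each client IP with hit count, first/last seen, and whether it falls outside the internal ranges. The log lines, the account name CONTOSO\journal and the internal network list are constructed assumptions.

```python
import ipaddress

# Constructed sample IIS W3C log (not from the original thread). Addresses
# are documentation ranges and the usernames are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2010-03-01 08:15:02 10.0.0.5 GET /owa/ - 443 CONTOSO\\journal 203.0.113.7 Mozilla/5.0 200
2010-03-01 08:15:09 10.0.0.5 POST /owa/ev.owa oeh=1 443 CONTOSO\\journal 203.0.113.7 Mozilla/5.0 200
2010-03-01 09:02:44 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 10.0.0.42 Mozilla/5.0 200
2010-03-02 22:40:11 10.0.0.5 GET /owa/ - 443 CONTOSO\\journal 198.51.100.23 Mozilla/5.0 200
2010-03-02 22:41:30 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
"""

# Assumed internal ranges: RFC 1918 space. Add the organisation's own public
# NAT address here so legitimate office access is not reported as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_w3c(text):
    """Yield one dict per record, using the most recent #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def owa_access_by_ip(text, account, path_prefix="/owa"):
    """Summarise OWA hits for one account: {client_ip: {count, first, last, external}}."""
    summary = {}
    for rec in parse_w3c(text):
        if rec.get("cs-username", "").lower() != account.lower():
            continue
        if not rec.get("cs-uri-stem", "").lower().startswith(path_prefix):
            continue
        ip, when = rec["c-ip"], f"{rec['date']} {rec['time']}"
        entry = summary.setdefault(ip, {"count": 0, "first": when, "last": when, "external": is_external(ip)})
        entry["count"] += 1
        entry["first"], entry["last"] = min(entry["first"], when), max(entry["last"], when)
    return summary

if __name__ == "__main__":
    for ip, info in owa_access_by_ip(SAMPLE_LOG, "CONTOSO\\journal").items():
        flag = "EXTERNAL" if info["external"] else "internal"
        print(f"{ip:16} {flag:8} hits={info['count']} first={info['first']} last={info['last']}")
```

Point it at the real files under the IIS log directory for the OWA site; unauthenticated logon-page requests show "-" as the username and are skipped deliberately.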

Author

Commented:
Thanks to cybera I was able to look immediately at the right location.

Author

Commented:
Thanks Cybera
