Solved

Need to find out from what ip an email is being sent from

Posted on 2013-06-19
10
296 Views
Last Modified: 2013-07-09
We run exchange 2007 and I have a user ID that I need to find out from what system or device or ip this user is sending email from. He could be using his phone, owa or even some other client. I cannot asked the user either, all back door stuff.

Any way to do this?
0
Comment
Question by:rdefino
  • 6
  • 2
  • 2
10 Comments
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39261015
You can enable journaling to record all messages flowing in and out of your organization. Exchange 2007 provides two Journaling options:

Standard journaling  - Standard journaling enables the Journaling agent in Exchange 2007 to journal all messages sent to and from recipients and senders that are located on a specific mailbox database on a computer running the Mailbox server role. Standard journaling is also called per-mailbox database journaling.

Premium journaling  - Premium journaling enables the Journaling agent in Exchange 2007 to use rules that you can configure to match the specific needs of your organization. You can create journal rules for a single mailbox recipient or for entire groups within your organization. Premium journaling is also called per-recipient journaling.

You must have an Exchange Enterprise Client Access License (CAL) to use premium journaling
0
 

Author Comment

by:rdefino
ID: 39261084
We do have journaling enabled.

So how with that do I find this info out?
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39261117
Ok. You will need to setup a journaling mailbox (where the journal report will get delivered), turn on the journaling agent and lastly setup a journaling rule.

The journal report will contain the original email (sent by user being monitored) as an attachment.


MS Technet does an excelllent job of walking one through all the setup and things to consider here:  http://technet.microsoft.com/en-us/library/bb124382%28v=exchg.80%29.aspx
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 250 total points
ID: 39262204
I don't think journaling is going to provide the information that you need.
You need to get the IP address logged for Outlook:
http://support.microsoft.com/kb/2292750
For anything web based (ActiveSync, OWA etc) then IIS logs are your friend here, but you will need to adjust the logging settings to include the username.

Simon.
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39262601
It is my understanding that Exchange 2007 supports envelope journaling. With envelope journaling, the original message that matches the journal rule is included unaltered as an attachment to the journal report. The body of a journal report contains the sender e-mail address, subject, message-ID, and recipient e-mail addresses contained within the original message.
The attached original message should contain the message and message header containing IP addresses and SMTP transport information.

http://technet.microsoft.com/en-us/library/aa998649%28v=exchg.80%29.aspx
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39262644
Exchange team blog : Interception and Redirection of Messages Using Transport Rules or Journaling
http://blogs.technet.com/b/exchange/archive/2010/01/28/3409250.aspx

Attaching a copy of the original message to the journal report ensures that the original headers and properties of the message are maintained, as opposed to a message copied by transport rules where some headers will be stripped and properties transformed on delivery.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39262685
That is correct.
However if this is an INTERNAL user then there will be no IP address in the header to show where the email address originated from.

Simon.
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39262737
Good point. However, correct me if I am wrong (rdefino), but I am assuming this user is not internal since you are trying to figure out how and where this person is connecting from.
0
 

Author Comment

by:rdefino
ID: 39262834
user is internal. We just need to find out what device he is sending email from.
0
 
LVL 13

Assisted Solution

by:Ugo Mena
Ugo Mena earned 250 total points
ID: 39263185
Sembee2 is right. IIS logging with username will be your friend to find an internal user login.

Another option would be to run Wireshark and filter traffic to from your Exchange server. that would show you everything.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now