[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Need to find out from what ip an email is being sent from

Posted on 2013-06-19
10
Medium Priority
?
309 Views
Last Modified: 2013-07-09
We run exchange 2007 and I have a user ID that I need to find out from what system or device or ip this user is sending email from. He could be using his phone, owa or even some other client. I cannot asked the user either, all back door stuff.

Any way to do this?
0
Comment
Question by:rdefino
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 2
  • 2
10 Comments
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39261015
You can enable journaling to record all messages flowing in and out of your organization. Exchange 2007 provides two Journaling options:

Standard journaling  - Standard journaling enables the Journaling agent in Exchange 2007 to journal all messages sent to and from recipients and senders that are located on a specific mailbox database on a computer running the Mailbox server role. Standard journaling is also called per-mailbox database journaling.

Premium journaling  - Premium journaling enables the Journaling agent in Exchange 2007 to use rules that you can configure to match the specific needs of your organization. You can create journal rules for a single mailbox recipient or for entire groups within your organization. Premium journaling is also called per-recipient journaling.

You must have an Exchange Enterprise Client Access License (CAL) to use premium journaling
0
 

Author Comment

by:rdefino
ID: 39261084
We do have journaling enabled.

So how with that do I find this info out?
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39261117
Ok. You will need to setup a journaling mailbox (where the journal report will get delivered), turn on the journaling agent and lastly setup a journaling rule.

The journal report will contain the original email (sent by user being monitored) as an attachment.


MS Technet does an excelllent job of walking one through all the setup and things to consider here:  http://technet.microsoft.com/en-us/library/bb124382%28v=exchg.80%29.aspx
0
Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 1000 total points
ID: 39262204
I don't think journaling is going to provide the information that you need.
You need to get the IP address logged for Outlook:
http://support.microsoft.com/kb/2292750
For anything web based (ActiveSync, OWA etc) then IIS logs are your friend here, but you will need to adjust the logging settings to include the username.

Simon.
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39262601
It is my understanding that Exchange 2007 supports envelope journaling. With envelope journaling, the original message that matches the journal rule is included unaltered as an attachment to the journal report. The body of a journal report contains the sender e-mail address, subject, message-ID, and recipient e-mail addresses contained within the original message.
The attached original message should contain the message and message header containing IP addresses and SMTP transport information.

http://technet.microsoft.com/en-us/library/aa998649%28v=exchg.80%29.aspx
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39262644
Exchange team blog : Interception and Redirection of Messages Using Transport Rules or Journaling
http://blogs.technet.com/b/exchange/archive/2010/01/28/3409250.aspx

Attaching a copy of the original message to the journal report ensures that the original headers and properties of the message are maintained, as opposed to a message copied by transport rules where some headers will be stripped and properties transformed on delivery.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39262685
That is correct.
However if this is an INTERNAL user then there will be no IP address in the header to show where the email address originated from.

Simon.
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39262737
Good point. However, correct me if I am wrong (rdefino), but I am assuming this user is not internal since you are trying to figure out how and where this person is connecting from.
0
 

Author Comment

by:rdefino
ID: 39262834
user is internal. We just need to find out what device he is sending email from.
0
 
LVL 13

Assisted Solution

by:Ugo Mena
Ugo Mena earned 1000 total points
ID: 39263185
Sembee2 is right. IIS logging with username will be your friend to find an internal user login.

Another option would be to run Wireshark and filter traffic to from your Exchange server. that would show you everything.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Want to know how to use Exchange Server Eseutil command? Go through this article as it gives you the know-how.
On September 18, Experts Exchange launched the first installment of the Help Bell, a new feature for Premium Members, Team Accounts, and Qualified Experts. The Help Bell will serve as an additional tool to help teams increase question visibility.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question