Solved

Need to find out from what ip an email is being sent from

Posted on 2013-06-19
10
292 Views
Last Modified: 2013-07-09
We run exchange 2007 and I have a user ID that I need to find out from what system or device or ip this user is sending email from. He could be using his phone, owa or even some other client. I cannot asked the user either, all back door stuff.

Any way to do this?
0
Comment
Question by:rdefino
  • 6
  • 2
  • 2
10 Comments
 
LVL 13

Expert Comment

by:Ugo Mena
Comment Utility
You can enable journaling to record all messages flowing in and out of your organization. Exchange 2007 provides two Journaling options:

Standard journaling  - Standard journaling enables the Journaling agent in Exchange 2007 to journal all messages sent to and from recipients and senders that are located on a specific mailbox database on a computer running the Mailbox server role. Standard journaling is also called per-mailbox database journaling.

Premium journaling  - Premium journaling enables the Journaling agent in Exchange 2007 to use rules that you can configure to match the specific needs of your organization. You can create journal rules for a single mailbox recipient or for entire groups within your organization. Premium journaling is also called per-recipient journaling.

You must have an Exchange Enterprise Client Access License (CAL) to use premium journaling
0
 

Author Comment

by:rdefino
Comment Utility
We do have journaling enabled.

So how with that do I find this info out?
0
 
LVL 13

Expert Comment

by:Ugo Mena
Comment Utility
Ok. You will need to setup a journaling mailbox (where the journal report will get delivered), turn on the journaling agent and lastly setup a journaling rule.

The journal report will contain the original email (sent by user being monitored) as an attachment.


MS Technet does an excelllent job of walking one through all the setup and things to consider here:  http://technet.microsoft.com/en-us/library/bb124382%28v=exchg.80%29.aspx
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 250 total points
Comment Utility
I don't think journaling is going to provide the information that you need.
You need to get the IP address logged for Outlook:
http://support.microsoft.com/kb/2292750
For anything web based (ActiveSync, OWA etc) then IIS logs are your friend here, but you will need to adjust the logging settings to include the username.

Simon.
0
 
LVL 13

Expert Comment

by:Ugo Mena
Comment Utility
It is my understanding that Exchange 2007 supports envelope journaling. With envelope journaling, the original message that matches the journal rule is included unaltered as an attachment to the journal report. The body of a journal report contains the sender e-mail address, subject, message-ID, and recipient e-mail addresses contained within the original message.
The attached original message should contain the message and message header containing IP addresses and SMTP transport information.

http://technet.microsoft.com/en-us/library/aa998649%28v=exchg.80%29.aspx
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 13

Expert Comment

by:Ugo Mena
Comment Utility
Exchange team blog : Interception and Redirection of Messages Using Transport Rules or Journaling
http://blogs.technet.com/b/exchange/archive/2010/01/28/3409250.aspx

Attaching a copy of the original message to the journal report ensures that the original headers and properties of the message are maintained, as opposed to a message copied by transport rules where some headers will be stripped and properties transformed on delivery.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Comment Utility
That is correct.
However if this is an INTERNAL user then there will be no IP address in the header to show where the email address originated from.

Simon.
0
 
LVL 13

Expert Comment

by:Ugo Mena
Comment Utility
Good point. However, correct me if I am wrong (rdefino), but I am assuming this user is not internal since you are trying to figure out how and where this person is connecting from.
0
 

Author Comment

by:rdefino
Comment Utility
user is internal. We just need to find out what device he is sending email from.
0
 
LVL 13

Assisted Solution

by:Ugo Mena
Ugo Mena earned 250 total points
Comment Utility
Sembee2 is right. IIS logging with username will be your friend to find an internal user login.

Another option would be to run Wireshark and filter traffic to from your Exchange server. that would show you everything.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Resolve Outlook connectivity issues after moving mailbox to new Exchange 2016 server
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
In this video we show how to create a User Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Mailb…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now