Solved

Need to find out what IP an email is being sent from

Posted on 2013-06-19
Last Modified: 2013-07-09
We run Exchange 2007 and I have a user ID for which I need to find out what system, device or IP this user is sending email from. He could be using his phone, OWA or even some other client. I cannot ask the user either, all back door stuff.

Any way to do this?
Question by:rdefino
10 Comments
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39261015
You can enable journaling to record all messages flowing in and out of your organization. Exchange 2007 provides two Journaling options:

Standard journaling  - Standard journaling enables the Journaling agent in Exchange 2007 to journal all messages sent to and from recipients and senders that are located on a specific mailbox database on a computer running the Mailbox server role. Standard journaling is also called per-mailbox database journaling.

Premium journaling  - Premium journaling enables the Journaling agent in Exchange 2007 to use rules that you can configure to match the specific needs of your organization. You can create journal rules for a single mailbox recipient or for entire groups within your organization. Premium journaling is also called per-recipient journaling.

You must have an Exchange Enterprise Client Access License (CAL) to use premium journaling.
0
 

Author Comment

by:rdefino
ID: 39261084
We do have journaling enabled.

So how with that do I find this info out?
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39261117
OK. You will need to set up a journaling mailbox (where the journal report will get delivered), turn on the journaling agent and lastly set up a journaling rule.

The journal report will contain the original email (sent by user being monitored) as an attachment.


MS TechNet does an excellent job of walking one through all the setup and things to consider here: http://technet.microsoft.com/en-us/library/bb124382%28v=exchg.80%29.aspx
0

 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 250 total points
ID: 39262204
I don't think journaling is going to provide the information that you need.
You need to get the IP address logged for Outlook:
http://support.microsoft.com/kb/2292750
For anything web based (ActiveSync, OWA etc) then IIS logs are your friend here, but you will need to adjust the logging settings to include the username.

Simon.
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39262601
It is my understanding that Exchange 2007 supports envelope journaling. With envelope journaling, the original message that matches the journal rule is included unaltered as an attachment to the journal report. The body of a journal report contains the sender e-mail address, subject, message-ID, and recipient e-mail addresses contained within the original message.
The attached original message should contain the message and message header containing IP addresses and SMTP transport information.

http://technet.microsoft.com/en-us/library/aa998649%28v=exchg.80%29.aspx
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39262644
Exchange team blog : Interception and Redirection of Messages Using Transport Rules or Journaling
http://blogs.technet.com/b/exchange/archive/2010/01/28/3409250.aspx

Attaching a copy of the original message to the journal report ensures that the original headers and properties of the message are maintained, as opposed to a message copied by transport rules where some headers will be stripped and properties transformed on delivery.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39262685
That is correct.
However if this is an INTERNAL user then there will be no IP address in the header to show where the email address originated from.

Simon.
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39262737
Good point. However, correct me if I am wrong (rdefino), but I am assuming this user is not internal since you are trying to figure out how and where this person is connecting from.
0
 

Author Comment

by:rdefino
ID: 39262834
User is internal. We just need to find out what device he is sending email from.
0
 
LVL 13

Assisted Solution

by:Ugo Mena
Ugo Mena earned 250 total points
ID: 39263185
Sembee2 is right. IIS logging with username will be your friend to find an internal user login.

Another option would be to run Wireshark and filter traffic to and from your Exchange server. That would show you everything.
0
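
The IIS-log approach suggested in the accepted solution and in the last reply, as an added example that is not part of the original thread: a Python parser for W3C-format IIS logs that lists, for one account, each client type, client IP and device seen. The log lines, the `CONTOSO\jdoe` account and the function names are constructed for illustration; it assumes `cs-username`, `c-ip`, `cs-uri-stem`, `cs-uri-query` and `cs(User-Agent)` are among the logged fields.

```python
from collections import Counter
from urllib.parse import parse_qs

# Exchange 2007 client-access virtual directories (lower-case prefixes).
CLIENTS = {"/owa": "OWA", "/microsoft-server-activesync": "ActiveSync",
           "/ews": "EWS", "/rpc": "Outlook Anywhere"}

def account(name):
    """Reduce DOMAIN\\user or user@domain to a lower-case account name."""
    return name.split("\\")[-1].split("@")[0].lower()

def sources_for_user(lines, user):
    """Count (client, c-ip, device or user-agent) tuples for one user."""
    fields, hits = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The field list can change mid-file when logging settings are edited.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split(" ")))
        query = parse_qs(row.get("cs-uri-query", ""))
        # Fall back to the ActiveSync User= parameter when cs-username is empty.
        name = row.get("cs-username", "-")
        if name == "-":
            name = query.get("User", ["-"])[0]
        if account(name) != account(user):
            continue
        stem = row.get("cs-uri-stem", "").lower()
        client = next((v for k, v in CLIENTS.items() if stem.startswith(k)), "other")
        device = query.get("DeviceType", [row.get("cs(User-Agent)", "-")])[0]
        hits[(client, row.get("c-ip", "-"), device)] += 1
    return hits

# Constructed sample: the first entry predates username logging and cannot be attributed.
SAMPLE_LOG = r"""
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2013-06-19 09:00:01 GET /owa/ - 10.0.5.21 Mozilla/4.0+(compatible;+MSIE+8.0) 200
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2013-06-19 09:05:10 POST /owa/ev.owa oeh=1 CONTOSO\jdoe 10.0.5.21 Mozilla/4.0+(compatible;+MSIE+8.0) 200
2013-06-19 09:06:44 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=jdoe&DeviceId=APPL0000&DeviceType=iPhone CONTOSO\jdoe 10.0.9.77 Apple-iPhone/1002.329 200
2013-06-19 09:06:50 POST /Microsoft-Server-ActiveSync Cmd=Ping&User=jdoe&DeviceId=APPL0000&DeviceType=iPhone CONTOSO\jdoe 10.0.9.77 Apple-iPhone/1002.329 200
2013-06-19 09:07:02 GET /owa/ - CONTOSO\asmith 10.0.5.30 Mozilla/5.0 200
""".splitlines()

if __name__ == "__main__":
    print(sources_for_user(SAMPLE_LOG, "jdoe").most_common())
```

Requests logged before the username field was enabled are skipped, so only entries written after the logging change can be tied to the account.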

Question has a verified solution.