[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 312
  • Last Modified:

Need to find out from what ip an email is being sent from

We run exchange 2007 and I have a user ID that I need to find out from what system or device or ip this user is sending email from. He could be using his phone, owa or even some other client. I cannot asked the user either, all back door stuff.

Any way to do this?
0
rdefino
Asked:
rdefino
  • 6
  • 2
  • 2
2 Solutions
 
Ugo MenaCommented:
You can enable journaling to record all messages flowing in and out of your organization. Exchange 2007 provides two Journaling options:

Standard journaling  - Standard journaling enables the Journaling agent in Exchange 2007 to journal all messages sent to and from recipients and senders that are located on a specific mailbox database on a computer running the Mailbox server role. Standard journaling is also called per-mailbox database journaling.

Premium journaling  - Premium journaling enables the Journaling agent in Exchange 2007 to use rules that you can configure to match the specific needs of your organization. You can create journal rules for a single mailbox recipient or for entire groups within your organization. Premium journaling is also called per-recipient journaling.

You must have an Exchange Enterprise Client Access License (CAL) to use premium journaling
0
 
rdefinoAuthor Commented:
We do have journaling enabled.

So how with that do I find this info out?
0
 
Ugo MenaCommented:
Ok. You will need to setup a journaling mailbox (where the journal report will get delivered), turn on the journaling agent and lastly setup a journaling rule.

The journal report will contain the original email (sent by user being monitored) as an attachment.


MS Technet does an excelllent job of walking one through all the setup and things to consider here:  http://technet.microsoft.com/en-us/library/bb124382%28v=exchg.80%29.aspx
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Simon Butler (Sembee)ConsultantCommented:
I don't think journaling is going to provide the information that you need.
You need to get the IP address logged for Outlook:
http://support.microsoft.com/kb/2292750
For anything web based (ActiveSync, OWA etc) then IIS logs are your friend here, but you will need to adjust the logging settings to include the username.

Simon.
0
 
Ugo MenaCommented:
It is my understanding that Exchange 2007 supports envelope journaling. With envelope journaling, the original message that matches the journal rule is included unaltered as an attachment to the journal report. The body of a journal report contains the sender e-mail address, subject, message-ID, and recipient e-mail addresses contained within the original message.
The attached original message should contain the message and message header containing IP addresses and SMTP transport information.

http://technet.microsoft.com/en-us/library/aa998649%28v=exchg.80%29.aspx
0
 
Ugo MenaCommented:
Exchange team blog : Interception and Redirection of Messages Using Transport Rules or Journaling
http://blogs.technet.com/b/exchange/archive/2010/01/28/3409250.aspx

Attaching a copy of the original message to the journal report ensures that the original headers and properties of the message are maintained, as opposed to a message copied by transport rules where some headers will be stripped and properties transformed on delivery.
0
 
Simon Butler (Sembee)ConsultantCommented:
That is correct.
However if this is an INTERNAL user then there will be no IP address in the header to show where the email address originated from.

Simon.
0
 
Ugo MenaCommented:
Good point. However, correct me if I am wrong (rdefino), but I am assuming this user is not internal since you are trying to figure out how and where this person is connecting from.
0
 
rdefinoAuthor Commented:
user is internal. We just need to find out what device he is sending email from.
0
 
Ugo MenaCommented:
Sembee2 is right. IIS logging with username will be your friend to find an internal user login.

Another option would be to run Wireshark and filter traffic to from your Exchange server. that would show you everything.
0

Featured Post

Microsoft Certification Exam 74-409

VeeamĀ® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

  • 6
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now