How to find what IP a user is accessing Exchange from remotly?

I have a user that has left the company, but due to an employee contract he has e-mail access until the end of the year. The problem is that whatever computer he is using is probably infected with some kind of botnet.

Every night his e-mail sends out about 30 e-mails in German with trojan attachments. GFI has blocked all of these e-mails, but since I have no access to the computer he may be using at his new job, I cannot ensure those computers are clean. I need to find out what IP this is coming from. Is there a way to do this? If I find out it is the IP of his new company, I can shut down access until that computer has been cleaned.
j_crow1Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Adam FarageEnterprise ArchCommented:
You should be able to find the source of the email in the message tracking logs:

Get-TransportServer | Get-MessageTrackingLog -MessageSubject "enter Trojan message subject here" | Select Timestamp, {$_.Recipients}, Sender, SenderIP, ClientHostname | Export-CSV C:\Log.csv

Open in new window


From there make the table in Excel, and then search for the client IP that is not an Exchange server.
0
j_crow1Author Commented:
It is not displaying an IP address, but it does display a client host name...how accurate is this?
0
Adam FarageEnterprise ArchCommented:
The ClientHostname should be accurate, but I am surprised you are not getting a client address. Most likely coming from someones mailbox or an open relay.

Do you see the sender address and can you log into that mailbox?
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

j_crow1Author Commented:
Yes, but those items are not in his sent folder. I do not have an open relay...where else should I check for where this could be coming from?
0
Adam FarageEnterprise ArchCommented:
Its most likely his mailbox, but using a raw MAPI connection on his machine.

Try disabling MAPI connectivity to the mailbox and see if that works for you (Set-CASMailbox username@company.com -MapiEnabled:$FALSE)

It will disable his outlook access (along with any other MAPI access) but it should help figure out if it his client machine or not.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
j_crow1Author Commented:
I will try that tonight and see if those e-mails get sent out.
0
Adam FarageEnterprise ArchCommented:
Any luck?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.