Email tracking

We have a case where someone had their user account accessed and an email was sent from their account. I want to know if there is a way to be able to see, from the Exchange server, who else the email was sent to?
raffie613 Asked:
 
stu29 Commented:
If you did not already have this enabled, then this will not assist in your situation as you would be enabling after the fact.

Can you access the user in question's email account via webmail? If so, find the message in question and you would be able to see who else it was sent to there.
 
stu29 Commented:
You should find all the information you need in the message tracking center in your Exchange Manager

http://www.msexchange.org/articles-tutorials/exchange-server-2003/monitoring-operations/Exchange-2003-Message-Tracking-Logging.html
 
jmcg (Owner) Commented:
Remember that email headers can be faked, so an email that appears to be from someone's account may have been sent from elsewhere.
 
raffie613 (Author) Commented:
Tried enabling this but getting access denied errors. I added the domain users to the permissions on the tracking folder.
 
raffie613 (Author) Commented:
Tried the webmail. Nothing there in saved mail. Looks like they deleted it.
 
stu29 Commented:
What is your retention policy for deleted items? Could you try to restore from backup?
 
raffie613 (Author) Commented:
I am not sure that finding the sent message would matter unless there is a way to find out what IP address it was sent from. Is there a way without the tracking enabled to do that?

Thanks.
 
jmcg (Owner) Commented:
The IP address from which the email was sent should be recorded in the Received: headers.
 
raffie613 (Author) Commented:
Where are the Received headers found? Again, tracking was NOT enabled in Exchange server. And the sent message was deleted right away from the user's sent mail folder.

Thanks
 
jmcg (Owner) Commented:
You would want to look at the message as seen by the recipient. This is Outlook/Exchange we're talking about, so viewing the internet headers is not something most users seek to do. I also seem to recall that they are not typically forwarded when a user forwards you a message to complain about it. So you need to do this from the recipient's account:

View the Internet header information for an email message

The message about forged headers is appropriate; a malicious sender could forge some headers to try to obscure where the message originated from. You have to walk back through the Received: headers to see which ones you should trust, and the earliest trustworthy one should give you the IP address from which the suspect message entered a legitimate email server.
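
The header walk described in the comment above, as an added example that is not part of the original thread: it reads Received: headers newest-first, stops at the first hop not stamped by a server you run, and reports the peer IP recorded by the earliest trusted hop. The sample message, hostnames, addresses and the `TRUSTED` set are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample: top two hops were stamped by our own servers; the bottom
# Received: line was supplied by the sender and cannot be verified.
SAMPLE = """\
Received: from edge01.example.com (edge01.example.com [10.0.0.5])
\tby mbx01.example.com with ESMTP; Tue, 3 Mar 2015 10:02:11 -0500
Received: from laptop (unknown [203.0.113.77])
\tby edge01.example.com with ESMTP; Tue, 3 Mar 2015 10:02:09 -0500
Received: from mail.bank.example ([198.51.100.9])
\tby relay.bank.example with SMTP; Tue, 3 Mar 2015 09:58:00 -0500
From: user@example.com
To: someone@example.com
Subject: constructed sample

body
"""

# Assumption: hosts you administer, whose Received: stamps you accept.
TRUSTED = {"mbx01.example.com", "edge01.example.com"}

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hop(value):
    """Return the stamping host ('by') and the connecting peer's IP ('from')."""
    flat = " ".join(value.split())              # unfold continuation lines
    by = BY_RE.search(flat)
    from_part = flat[:by.start()] if by else flat
    ip = IP_RE.search(from_part)
    return {"by": by.group(1).lower() if by else None,
            "ip": ip.group(1) if ip else None}

def entry_point(raw, trusted):
    """Return (peer IP at earliest trusted hop, number of unverified older hops)."""
    hops = [parse_hop(v) for v in message_from_string(raw).get_all("Received", [])]
    trusted_count = 0
    for hop in hops:                            # newest header comes first
        if hop["by"] not in trusted:
            break                               # everything older is sender-supplied
        trusted_count += 1
    if trusted_count == 0:
        return None, len(hops)
    return hops[trusted_count - 1]["ip"], len(hops) - trusted_count

if __name__ == "__main__":
    print(entry_point(SAMPLE, TRUSTED))
```

A non-zero second value means the message carried Received: lines below your own servers' stamps; treat those as claims made by the sender, not as evidence.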
 
raffie613 (Author) Commented:
This was a message that was forwarded to an unwanted recipient. So where on the recipient's forwarded message would I be able to see an IP address? I see who it was sent from. The sender email was from an internal user but it was unauthorized and apparently sent via webmail using his account.
 
jmcg (Owner) Commented:
As I said, the original internet headers on a forwarded message are usually not included when the message is forwarded by Outlook. You need the cooperation of the original recipient to see them.

And it's still possible that the originating address was forged, so -- without being able to analyze the headers -- you can't know for sure that the listed sender was the actual sender.

If this message is important enough to engage in legal action, and you've caught it soon enough, it may be possible to subpoena the transmission records from intermediate mail service providers, but that will require expert legal assistance. So far, though, from what you've described, you only have a basis for suspicion, based on evidence that can be easily spoofed. Absence of "sent mail" is not really a basis for concluding that the message was deleted by the listed sender; it could just mean that the message was forged and was never in the "sent mail" to begin with. Without more solid evidence, it would be wrong to take action against the purported sender. I assume -- because you are looking for traces in the mail's history -- that the contents of the message do not unambiguously tie it to the alleged sender.
 
raffie613 (Author) Commented:
I am in control of the original sender and who it was forwarded to. Both are users on the internal server. Someone clearly deleted the sent message and the recipient only has the from email address of the other internal user.
 
jmcg (Owner) Commented:
Well, looking back once again at the original question, I think the conclusion should be that you don't have a way to discover, unless someone comes forward with more evidence, who else the message may have been sent to.

That information could have been captured in the Exchange logs if Exchange had been configured to track it, but at the time the message was sent it was not.

Information about Bcc: recipients is recorded in the Sent Messages copy, which you don't have, but is never included in the recipients' copies.

It sounds like you're stuck.
 
raffie613 (Author) Commented:
Just wanted to make sure I checked every possible option.

Thanks again for the help.
Question has a verified solution.
