raffie613

Email tracking

We have a case where someone had their user account accessed and an Email was sent from their account. I want to know if there is a way to be able to see from the Exchange server, who else the Email was sent to?
stu29

You should find all the information you need in the message tracking center in your Exchange Manager

http://www.msexchange.org/articles-tutorials/exchange-server-2003/monitoring-operations/Exchange-2003-Message-Tracking-Logging.html
Remember that email headers can be faked, so an email that appears to be from someone's account may have been sent from elsewhere.
raffie613

ASKER

Tried enabling this but getting access denied errors. I added the domain users to the permissions on the tracking folder.
ASKER CERTIFIED SOLUTION
stu29

Tried the webmail. nothing there in saved mail. Looks like they deleted it.
What is your retention policy for deleted items? Could you try to restore from backup?
I am not sure that finding the sent message would matter unless there is a way to find out what IP address it was sent from. Is there a way without the tracking enabled to do that?

Thanks.
The IP address from which the email was sent should be recorded in the Received: headers.
Where are the Received: headers found? Again, tracking was NOT enabled in the Exchange server. And the sent message was deleted right away from the user's sent mail folder.

Thanks
You would want to look at the message as seen by the recipient. This is Outlook/Exchange we're talking about, so viewing the internet headers is not something most users seek to do. I also seem to recall that they are not typically forwarded when a user forwards you a message to complain about it. So you need to do this from the recipient's account:

View the Internet header information for an email message

The message about forged headers is appropriate: a malicious sender could forge some headers to try to obscure where the message originated from. You have to walk back through the Received: headers to see which ones you should trust, and the earliest trustworthy one should give you the IP address from which the suspect message entered a legitimate email server.
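The walk-back described above, as an added example that is not part of this thread: the script reads the Received: headers newest-first (each server prepends its own), follows them only while the recording ("by") host is one of your own servers, and reports the address seen at the last such hop. Everything beneath that hop was written by someone else and may be forged, as the constructed bottom header shows. The host names, addresses and message are made up for the example.

```python
import re
from email import message_from_string

# Constructed sample of a message as stored in the recipient's mailbox.
# The bottom Received: line was supplied by the sender and is not trustworthy.
RAW_MESSAGE = """\
Received: from mail.example.local (192.0.2.10) by mbx.example.local (192.0.2.20)
 with Microsoft SMTP Server; Mon, 1 Jan 2001 10:00:03 +0000
Received: from owa.example.local (192.0.2.30) by mail.example.local (192.0.2.10)
 with Microsoft SMTP Server; Mon, 1 Jan 2001 10:00:02 +0000
Received: from [198.51.100.77] by owa.example.local (192.0.2.30)
 with HTTP; Mon, 1 Jan 2001 10:00:01 +0000
Received: from mail.example.org (10.9.9.9) by nowhere
 with SMTP; Mon, 1 Jan 2001 09:00:00 +0000
From: someone@example.local
To: someone-else@example.local
Subject: test

body
"""
# Hosts we operate (assumed); only hops recorded "by" these are believed.
TRUSTED = {"mbx.example.local", "mail.example.local", "owa.example.local"}

RECEIVED_RE = re.compile(r"from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)", re.S)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_received(value):
    """Return (by_host, from_clause, from_ipv4) for one unfolded Received: value."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    frm, by = m.group("frm"), m.group("by")
    ip = IPV4_RE.search(frm)
    return by.rstrip(";,"), frm, (ip.group(1) if ip else None)

def originating_ip(raw_message, trusted_hosts):
    """Walk Received: headers newest-first and return the address recorded by
    the last hop one of our own servers wrote: where the message entered our
    mail system. Stop at the first hop not recorded by a trusted host."""
    msg = message_from_string(raw_message)
    entry_ip = None
    for value in msg.get_all("Received", []):
        hop = parse_received(" ".join(value.split()))  # unfold continuation lines
        if hop is None or hop[0] not in trusted_hosts:
            break
        entry_ip = hop[2] or entry_ip  # keep earlier trusted hop if this one has no IP
    return entry_ip

if __name__ == "__main__":
    print("message entered our servers from:", originating_ip(RAW_MESSAGE, TRUSTED))
```

With the sample, the result is the webmail client's address 198.51.100.77, not the 10.9.9.9 in the sender-supplied bottom header.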
This was a message that was forwarded to an unwanted recipient. So where on the recipient's forwarded message would I be able to see an IP address? I see who it was sent from. The sender email was from an internal user but it was unauthorized and apparently sent via webmail using his account.
As I said, the original internet headers on a forwarded message are usually not included when the message is forwarded by Outlook. You need the cooperation of the original recipient to see them.

And it's still possible that the originating address was forged, so -- without being able to analyze the headers -- you can't know for sure that the listed sender was the actual sender.

If this message is important enough to engage in legal action, and you've caught it soon enough, it may be possible to subpoena the transmission records from intermediate mail service providers, but that will require expert legal assistance. So far, though, from what you've described, you only have a basis for suspicion, based on evidence that can be easily spoofed. Absence of "sent mail" is not really a basis for concluding that the message was deleted by the listed sender; it could just mean that the message was forged and was never in the "sent mail" to begin with. Without more solid evidence, it would be wrong to take action against the purported sender. I assume -- because you are looking for traces in the mail's history -- that the contents of the message do not unambiguously tie it to the alleged sender.
I am in control of the original sender and who it was forwarded to. Both are users on the internal server. Someone clearly deleted the sent message and the recipient only has the from email address of the other internal user.
Well, looking back once again at the original question, I think the conclusion should be that you don't have a way to discover, unless someone comes forward with more evidence, who else the message may have been sent to.

That information could have been captured in the Exchange logs if Exchange had been configured to track it, but at the time the message was sent it was not.

Information about Bcc: recipients is recorded in the Sent Messages copy, which you don't have, but is never included in the recipients' copies.

It sounds like you're stuck.
Just wanted to make sure I checked every possible option.

Thanks again for the help.