Email tracking

We have a case where someone had their user account accessed and an email was sent from their account. I want to know if there is a way to be able to see, from the Exchange server, who else the email was sent to?
raffie613Asked:

stu29Commented:
You should find all the information you need in the message tracking center in your Exchange Manager

http://www.msexchange.org/articles-tutorials/exchange-server-2003/monitoring-operations/Exchange-2003-Message-Tracking-Logging.html
0
jmcgOwnerCommented:
Remember that email headers can be faked, so an email that appears to be from someone's account may have been sent from elsewhere.
0
raffie613Author Commented:
Tried enabling this but getting access denied errors. I added the domain users to the permissions on the tracking folder.
0

stu29Commented:
If you did not already have this enabled, then this will not assist in your situation as you would be enabling after the fact.

Can you access the user in question's email account via webmail? If so, find the message in question and you would be able to see who else it was sent to there.
0

raffie613Author Commented:
Tried the webmail. Nothing there in saved mail. Looks like they deleted it.
0
stu29Commented:
What is your retention policy for deleted items? Could you try to restore from backup?
0
raffie613Author Commented:
I am not sure that finding the sent message would matter unless there is a way to find out what IP address it was sent from. Is there a way without the tracking enabled to do that?

Thanks.
0
jmcgOwnerCommented:
The IP address from which the email was sent should be recorded in the Received: headers.
0
raffie613Author Commented:
Where are the Received headers found? Again, tracking was NOT enabled in Exchange server. And the sent message was deleted right away from the user's sent mail folder.

Thanks
0
jmcgOwnerCommented:
You would want to look at the message as seen by the recipient. This is Outlook/Exchange we're talking about, so viewing the internet headers is not something most users seek to do. I also seem to recall that they are not typically forwarded when a user forwards you a message to complain about it. So you need to do this from the recipient's account:

View the Internet header information for an email message

The message about forged headers is appropriate: a malicious sender could forge some headers to try to obscure where the message originated from. You have to walk back through the Received: headers to see which ones you should trust, and the earliest trustworthy one should give you the IP address from which the suspect message entered a legitimate email server.
0
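The walk back through the Received: headers described in the comment above, as an added example that is not part of the original thread. The sample message is constructed, the function name `entry_point` is hypothetical, and it assumes you can list the IP addresses of the mail relays you trust.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample message (not from the thread); hosts and IPs are documentation values.
RAW = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mbx.example.org with ESMTP id A1; Tue, 4 Mar 2014 10:00:05 -0500
Received: from pc.example.net (unknown [203.0.113.77])
\tby mx1.example.org with ESMTP id B2; Tue, 4 Mar 2014 10:00:03 -0500
Received: from mail.example.com (mail.example.com [198.51.100.5])
\tby pc.example.net with SMTP id C3; Tue, 4 Mar 2014 09:59:00 -0500
From: user@example.org
To: someone@example.org
Subject: constructed sample

body
"""

# Peer address as written by the receiving server: "from name (rdns [ip]) by host"
HOP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\].*?\bby\s+(\S+)")

def entry_point(raw, trusted_relays):
    """Walk Received: headers newest-first (top-down) and return the first
    peer IP that is not one of our own relays, plus the server that recorded it."""
    trusted = {ip_address(a) for a in trusted_relays}
    received = message_from_string(raw).get_all("Received", [])
    hops = [" ".join(h.split()) for h in received]  # undo header folding
    for i, hop in enumerate(hops):
        m = HOP.search(hop)
        if not m:
            return None  # hop has no usable peer IP; the chain cannot be followed
        try:
            peer = ip_address(m.group(1))
        except ValueError:
            return None
        if peer not in trusted:
            # This header was written by a server we trust; every header below it
            # was supplied by the peer and may be forged.
            return {"ip": str(peer), "recorded_by": m.group(2),
                    "unverified_below": len(hops) - i - 1}
    return None  # every hop came from a trusted relay; no external entry recorded

if __name__ == "__main__":
    print(entry_point(RAW, ["192.0.2.10"]))
```
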
raffie613Author Commented:
This was a message that was forwarded to an unwanted recipient. So where on the recipient's forwarded message would I be able to see an IP address? I see who it was sent from. The sender email was from an internal user but it was unauthorized and apparently sent via webmail using his account.
0
jmcgOwnerCommented:
As I said, the original internet headers on a forwarded message are usually not included when the message is forwarded by Outlook. You need the cooperation of the original recipient to see them.

And it's still possible that the originating address was forged, so -- without being able to analyze the headers -- you can't know for sure that the listed sender was the actual sender.

If this message is important enough to engage in legal action, and you've caught it soon enough, it may be possible to subpoena the transmission records from intermediate mail service providers, but that will require expert legal assistance. So far, though, from what you've described, you only have a basis for suspicion, based on evidence that can be easily spoofed. Absence of "sent mail" is not really a basis for concluding that the message was deleted by the listed sender; it could just mean that the message was forged and was never in the "sent mail" to begin with. Without more solid evidence, it would be wrong to take action against the purported sender. I assume -- because you are looking for traces in the mail's history -- that the contents of the message do not unambiguously tie it to the alleged sender.
0
raffie613Author Commented:
I am in control of the original sender and who it was forwarded to. Both are users on the internal server. Someone clearly deleted the sent message and the recipient only has the from email address of the other internal user.
0
jmcgOwnerCommented:
Well, looking back once again at the original question, I think the conclusion should be that you don't have a way to discover, unless someone comes forward with more evidence, who else the message may have been sent to.

That information could have been captured in the Exchange logs if Exchange had been configured to track it, but at the time the message was sent it was not.

Information about Bcc: recipients is recorded in the Sent Messages copy, which you don't have, but is never included in the recipients' copies.

It sounds like you're stuck.
0
raffie613Author Commented:
Just wanted to make sure I checked every possible option.

Thanks again for the help.
0