Jozef Woo asked:

Find the source IP of an e-mail

Hi,

Is there any way to find the IP of the original client that sent an internal e-mail?

- In IIS I can see the connected clients but you cannot see which clients send e-mail.

- In the message tracking logs / transport logs I can find the e-mail but depending on the setup I see only the IP address of the Exchange server or the ARR load balancer (weirdly enough???) in the "Original-client-IP" field.

Does anyone know another option? I have looked but haven't found anything though Mailbox Audit Logging looks promising.
Sean

The source IP will be in the message header. Depending on your mail client there are different ways of viewing it but that's the best way to find it.
Easiest way to look at the header is to use the MS Connectivity Analyzer.

https://testconnectivity.microsoft.com/

Go to the Message Analyzer tab and drop in the header info.
Jozef Woo

ASKER

Hi, thanks for the help. Maybe I didn't phrase my question right. The message header will not show the IP address of the original client computer sending the e-mail but rather it will show the IP address from the sending server.
SOLUTION
Mohammad Ishtyaq khatri

This solution is only available to members.
Hi Mohammad, that's a good idea indeed and it is the closest to an answer I've gotten until now :-)

In the meantime I've been checking the message tracking (for the original client IP specifically) in multiple Exchange environments and I have the following cases:

- In one Exchange environment I see only the Exchange server IP addresses in that field

- In another environment I see only the IP addresses of the ARR load balancer in that field

- In my lab environment I do see the IP address of the computer that sent the e-mail!



I'm stumped as to why these differences appear! They are all Exchange 2016 environments.
Do you have a CAS array? Maybe that could be the reason why.
I am sending the e-mails via Exchange 2016. I do have Exchange 2010 in my lab environment and there is a CAS Array defined but is that related?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
I have found a module called ARR Helper which converts the "X-Forwarded-For" header (which is used by the load balancer) to the Client IP address so that the logs on Exchange now show the correct source IP address!
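
The X-Forwarded-For conversion described in the last comment, as an added example that is not part of the thread and is not ARR Helper's own code: a Python function that decides which address to log, honouring the header only when the connection comes from a known load balancer, because any client can send its own X-Forwarded-For. The proxy addresses, function names and sample values are constructed assumptions.

```python
import ipaddress

# Assumption: addresses of the ARR load balancer(s) allowed to supply
# X-Forwarded-For. Constructed lab values, replace with your own.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.10/32", "10.0.0.11/32")]


def is_trusted(ip):
    """True when ip belongs to one of our own proxies."""
    return any(ip in net for net in TRUSTED_PROXIES)


def parse_hop(token):
    """Parse one X-Forwarded-For entry; tolerate an IPv4 'addr:port' form."""
    token = token.strip()
    if token.count(":") == 1:          # IPv4 with a port appended by the proxy
        token = token.split(":")[0]
    return ipaddress.ip_address(token)  # raises ValueError when malformed


def original_client_ip(peer_ip, xff_header):
    """Return the address to log for one request.

    peer_ip    -- source of the TCP connection (what the server logs by default)
    xff_header -- raw X-Forwarded-For value, or None when absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # A direct or unknown peer could have forged the header: ignore it.
    if not xff_header or not is_trusted(peer):
        return str(peer)
    candidate = peer
    # Walk from the hop nearest to us (rightmost) toward the client and stop
    # at the first address that is not one of our proxies. Entries further
    # left were supplied by the client and are not trustworthy.
    for token in reversed(xff_header.split(",")):
        try:
            hop = parse_hop(token)
        except ValueError:
            break                      # malformed entry: keep last good value
        candidate = hop
        if not is_trusted(hop):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed samples: (connecting peer, X-Forwarded-For value)
    for peer, xff in [("10.0.0.10", "192.168.1.55"), ("192.168.1.77", "1.2.3.4")]:
        print(peer, xff, "->", original_client_ip(peer, xff))
```
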