
Find the source IP of an e-mail

Hi,

Is there any way to find the IP of the original client that sent an internal e-mail?

- In IIS I can see the connected clients but you cannot see which clients send e-mail.

- In the message tracking logs / transport logs I can find the e-mail but depending on the setup I see only the IP address of the Exchange server or the ARR load balancer (weirdly enough???) in the "Original-client-IP" field.

Does anyone know another option? I have looked but haven't found anything though Mailbox Audit Logging looks promising.
Asked by: Jozef Woo
 
Sean, System Engineer, commented:
The source IP will be in the message header. Depending on your mail client there are different ways of viewing it but that's the best way to find it.
 
Scott C, Senior Systems Engineer, commented:
Easiest way to look at the header is to use the MS Connectivity Analyzer.

https://testconnectivity.microsoft.com/

Go to the Message Analyzer tab and drop in the header info.
 
Jozef Woo, System Engineer (Author), commented:
Hi, thanks for the help. Maybe I didn't phrase my question right. The message header will not show the IP address of the original client computer sending the e-mail but rather it will show the IP address from the sending server.
Mohammad Ishtyaq Khatri commented:
In C:\inetpub\logs\LogFiles you will find the IIS logs. Search for the SamAccountName in the log for the user who sent the email. You should probably see the IP of the client they used to connect, along with the type of client they used to connect with the Exchange service. Lastly, try to match the time stamp in the IIS logs with the time the email was received; that should help lead towards the clue. You might have to look into multiple servers' IIS logs to find the appropriate result.

Note: If the IP assigned to the client was dynamic at the time of the incident and it has since changed due to renewal of the IP lease, that might not give you the exact result.

This is all I can think of right now :)
 
Jozef Woo, System Engineer (Author), commented:
Hi Mohammad, that's a good idea indeed and it is the closest to an answer I've gotten until now :-)

In the meantime I've been checking the message tracking (for the original client IP specifically) in multiple Exchange environments and I have the following cases:

- In one Exchange environment I see only the Exchange server IP addresses in that field

- In another environment I see only the IP addresses of the ARR load balancer in that field

- In my lab environment I do see the IP address of the computer that sent the e-mail!



I'm stumped as to why these differences appear! They are all Exchange 2016 environments.
 
Mohammad Ishtyaq Khatri commented:
Do you have a CAS array? Maybe that could be the reason why.
 
Jozef Woo, System Engineer (Author), commented:
I am sending the e-mails via Exchange 2016. I do have Exchange 2010 in my lab environment and there is a CAS Array defined but is that related?
 
Jozef Woo, System Engineer (Author), commented:
I have found a module called ARR Helper which converts the "X-Forwarded-For" header (which is used by the load balancer) to the Client IP address so that the logs on Exchange now show the correct source IP address!
Question has a verified solution.
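
The correlation suggested in this thread (filter the IIS log by SamAccountName, match the time the message was sent, and prefer the X-Forwarded-For value when a load balancer sits in front) can be scripted as below. This is an added example, not code from any poster: the log lines are constructed, the `X-Forwarded-For` column assumes that header has been added as a custom logged field in IIS, and the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample in IIS W3C format (not real data); 10.0.0.5 plays the load balancer.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status X-Forwarded-For
2024-03-05 09:14:02 10.0.0.21 POST /mapi/emsmdb/ CONTOSO\jdoe 10.0.0.5 Microsoft+Office/16.0 200 192.168.10.44
2024-03-05 09:14:07 10.0.0.21 POST /EWS/Exchange.asmx CONTOSO\asmith 10.0.0.5 MacOutlook/16.80 200 192.168.10.91
2024-03-05 09:14:31 10.0.0.21 POST /owa/service.svc CONTOSO\jdoe 10.0.0.5 Mozilla/5.0 200 192.168.10.44,+10.0.0.5
2024-03-05 11:40:00 10.0.0.21 POST /mapi/emsmdb/ CONTOSO\jdoe 10.0.0.5 Microsoft+Office/16.0 200 192.168.77.3
2024-03-05 09:14:40 10.0.0.21 GET /owa/ - 10.0.0.5 HealthCheck 401 -
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def client_ips(text, sam_account, sent_utc, window_s=120, xff_field="X-Forwarded-For"):
    """Return {client_ip: [(time, uri, user_agent), ...]} for sam_account near sent_utc."""
    hits = {}
    for row in parse_w3c(text):
        # cs-username may be DOMAIN\user or user@domain; compare the account part only.
        user = row.get("cs-username", "-").rsplit("\\", 1)[-1].split("@")[0]
        if user.lower() != sam_account.lower():
            continue
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)  # IIS W3C timestamps are UTC
        if abs((ts - sent_utc).total_seconds()) > window_s:
            continue
        xff = row.get(xff_field, "-")
        # Left-most X-Forwarded-For entry is the original client; otherwise fall back to c-ip.
        ip = xff.split(",")[0].strip("+") if xff != "-" else row["c-ip"]
        hits.setdefault(ip, []).append((row["time"], row["cs-uri-stem"], row["cs(User-Agent)"]))
    return hits

if __name__ == "__main__":
    sent = datetime(2024, 3, 5, 9, 14, 10, tzinfo=timezone.utc)  # constructed send time, in UTC
    for ip, requests in client_ips(SAMPLE_LOG, "jdoe", sent).items():
        print(ip, requests)
```

Convert the send time from message tracking to UTC before comparing, and treat the X-Forwarded-For value as reliable only when it is set by your own load balancer. Without that field the function returns the `c-ip` column, which behind a load balancer is the load balancer's address, the symptom described in this thread.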
