Find the source IP of an e-mail

Hi,

Is there any way to find the IP of the original client that sent an internal e-mail?

- In IIS I can see the connected clients but you cannot see which clients send e-mail.

- In the message tracking logs / transport logs I can find the e-mail but depending on the setup I see only the IP address of the Exchange server or the ARR load balancer (weirdly enough???) in the "Original-client-IP" field.

Does anyone know another option? I have looked but haven't found anything though Mailbox Audit Logging looks promising.
Asked by Jozef Woo (System Engineer)
Sean (System Engineer) commented:
The source IP will be in the message header. Depending on your mail client there are different ways of viewing it but that's the best way to find it.
Scott C (Senior Engineer) commented:
Easiest way to look at the header is to use the MS Connectivity Analyzer.

https://testconnectivity.microsoft.com/

Go to the Message Analyzer tab and drop in the header info.
Jozef Woo (System Engineer, author) commented:
Hi, thanks for the help. Maybe I didn't phrase my question right. The message header will not show the IP address of the original client computer sending the e-mail but rather it will show the IP address from the sending server.
Mohammad Ishtyaq Khatri (Sr. Systems Engineer) commented:
In C:\inetpub\logs\LogFiles you will find the IIS logs. Search the log for the SamAccountName of the user who sent the email. You should see the IP of the client they used to connect, along with the type of client they used to connect to the Exchange service. Lastly, try to match the time stamp in the IIS logs with the time the email was received; that should lead you towards the clue. You might have to look in the IIS logs of multiple servers to find the appropriate result.

Note: if the IP assigned to the client was dynamic at the time of the incident and has since changed because the IP lease was renewed, that might not give you the exact result.

This is all I can think of right now :)
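The log search Mohammad describes, written out as an added Python example (it is not from this thread): it reads IIS W3C log lines using the `#Fields` header, keeps the requests made by the given SamAccountName, and narrows them to a window around the message's send time. The log excerpt, user names and addresses are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt (not from the thread); the #Fields line defines the column order.
# IIS writes W3C log times in UTC by default, so pass the message time in UTC as well.
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2019-03-05 09:14:02 10.0.0.5 POST /mapi/emsmdb/ CONTOSO\jwoo 192.0.2.23 Microsoft+Office/16.0 200
2019-03-05 09:14:03 10.0.0.5 POST /EWS/Exchange.asmx - 198.51.100.7 Mozilla/5.0 401
2019-03-05 09:15:40 10.0.0.5 POST /owa/service.svc CONTOSO\jwoo 192.0.2.23 Mozilla/5.0 200
2019-03-05 11:02:10 10.0.0.5 POST /mapi/emsmdb/ CONTOSO\asmith 192.0.2.44 Microsoft+Office/16.0 200
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the header repeats when the log rolls over
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):    # skip truncated or malformed lines
                yield dict(zip(fields, values))


def client_ips_for_user(text, sam_account_name, sent_at_utc, window_minutes=5):
    """Return [(time, c-ip, user agent, uri)] for the user's requests near the send time.

    cs-username is logged as DOMAIN\\user for authenticated requests and '-' otherwise.
    """
    sent_at = datetime.strptime(sent_at_utc, "%Y-%m-%d %H:%M:%S")
    window = timedelta(minutes=window_minutes)
    hits = []
    for rec in parse_iis_log(text):
        user = rec["cs-username"].split("\\")[-1]
        if user.lower() != sam_account_name.lower():
            continue
        stamp = rec["date"] + " " + rec["time"]
        if abs(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S") - sent_at) <= window:
            hits.append((stamp, rec["c-ip"], rec["cs(User-Agent)"], rec["cs-uri-stem"]))
    return hits


def distinct_client_ips(text, sam_account_name, sent_at_utc, window_minutes=5):
    """The candidate source addresses, deduplicated, in first-seen order."""
    seen = []
    for _, ip, _, _ in client_ips_for_user(text, sam_account_name, sent_at_utc, window_minutes):
        if ip not in seen:
            seen.append(ip)
    return seen
```

Run it against every Exchange server's log directory for the day in question, since the client may have been balanced to a different server than the one that processed the message.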
Jozef Woo (System Engineer, author) commented:
Hi Mohammad, that's a good idea indeed and it is the closest to an answer I've gotten until now :-)

In the meantime I've been checking the message tracking (for the original client IP specifically) in multiple Exchange environments and I have the following cases:

- In one Exchange environment I see only the Exchange server IP addresses in that field

- In another environment I see only the IP addresses of the ARR load balancer in that field

- In my lab environment I do see the IP address of the computer that sent the e-mail!

I'm stumped as to why these differences appear! They are all Exchange 2016 environments.
Mohammad Ishtyaq Khatri (Sr. Systems Engineer) commented:
Do you have a CAS array? Maybe that could be the reason why.
Jozef Woo (System Engineer, author) commented:
I am sending the e-mails via Exchange 2016. I do have Exchange 2010 in my lab environment and there is a CAS Array defined but is that related?
Jozef Woo (System Engineer, author) commented:
I have found a module called ARR Helper which converts the "X-Forwarded-For" header to the client IP address, so that the logs on Exchange now show the correct source IP address!
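An added example (not part of this thread and not the ARR Helper module's code) of what the X-Forwarded-For conversion has to get right: without it, Exchange logs the peer address, which behind ARR is the load balancer; with it, the client address should be taken from the X-Forwarded-For entry that the trusted load balancer appended, never from entries further left, which a client could have supplied itself. The load balancer address is assumed.

```python
import ipaddress

# Assumed for this example: the ARR load balancer that sits in front of the Exchange servers.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.10")}


def original_client_ip(remote_addr, x_forwarded_for, trusted_proxies=TRUSTED_PROXIES):
    """Return the address that should be logged as the original client.

    remote_addr is the peer IIS actually accepted the connection from; without the
    header rewrite that is what lands in Original-client-IP (the load balancer).
    X-Forwarded-For is 'client, proxy1, proxy2, ...': each hop appends the address it
    saw. Walking from the nearest hop outwards, skip hops that are our own proxies and
    stop at the first address that is not; anything beyond it was written by an
    untrusted party and must not be believed.
    """
    hops = [ipaddress.ip_address(remote_addr)]
    if x_forwarded_for:
        for part in reversed(x_forwarded_for.split(",")):
            try:
                hops.append(ipaddress.ip_address(part.strip()))
            except ValueError:          # malformed entry: trust nothing beyond it
                break
    # hops is ordered nearest-first: remote_addr, then the entry the proxy appended, ...
    for hop in hops:
        if hop not in trusted_proxies:
            return str(hop)
    return remote_addr   # every hop was one of our proxies (e.g. a health-check probe)
```

A direct connection that carries a forged X-Forwarded-For therefore still logs the real peer, which is what you want when reviewing who sent a message.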