Are there any logs in Exchange 2010 that give me a report on a source IP for a message in question? The reason I am asking this is because a weird email was sent by this user and he confirmed that he did not send it.
I looked at Get-MessageTracking and also used EMC tracking, but other than showing that the email was sent from a certain mailbox, I have no additional forensics like the source device.
I am trying to see if this came from the user's ActiveSync on their phone or from our system directly.
I opened the sent item in the source mailbox and saw that there was information in the Internet Header. From what I know about the Exchange servers, if the sender is on the Exchange server there should not be any information in the Internet Header. The header information had a timestamp offset of -1000 from UTC, and I know for a fact that the user is in that timezone. He is on an iPhone connected via ActiveSync. All the recipients on the email were external.