gbcalvo
How to determine if an email account is sending phishing emails internally?
Michael Painter, IT administrator, Small Business Owner

Commented:
One would look at the email server logs.
How to do that really depends on what email server you use.
Like Exchange, hosted Exchange, or a POP3 or IMAP server.
If you have access to one of the messages, review the message headers for the source. Look for the bottom-most "Received from" content in the headers. If the person is connecting to outside from internal, sending the messages back in, then this will be masked and the headers might not be helpful, but a good starting point.
If you don't have one of the phishing messages, then your only real option is to review the message server logs. As stated by Mr. Painter, this depends on the server and your access to it. For example, you have more permissions with an on premise Exchange server than you do with hosted Exchange (Office365).

Author

Commented:
Delphineous Silverwing

I see my email servers on the headers, I would like to find out how I can determine what email address this is coming from.

I don't have access to the mail server, so I can't look at the logs. Are there any other ways I can pinpoint which email (or computer) account this is coming from?

Author

Commented:
Michael Painter,

I don't have access to the mail server, so I can't look at the log files. Are there any other ways I can pinpoint which email (or computer) account this is coming from?
Jackie Man IT Manager
Top Expert 2010

Commented:
I can pinpoint which email (or computer) account this is coming from? You cannot pinpoint which email account but you can find the originating IP address of the email by checking the full email header. You can send a test email from your internal account and compare the full email header with the phishing email which said that it is from the same email account.

https://mxtoolbox.com/public/content/emailheaders/

Copy the full email header from MS Outlook and paste it in a website like the one below.

https://www.iptrackeronline.com/email-header-analysis.php
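
The header comparison described in the comment above, as an added example that is not part of the original thread: it reads the Received chain of a suspect message and of a known-good test message and compares the bottom-most hop. The sample messages, host names, addresses and function names are constructed for this example.

```python
import email
import ipaddress
import re

# Constructed sample messages (not from the thread); hosts and IPs are made up.
PHISH = """\
Received: from mail.example.internal (mail.example.internal [10.0.0.5])
\tby mx.example.internal with ESMTP id A1; Mon, 1 Jan 2024 10:00:03 +0000
Received: from WS-042 (ws-042.example.internal [10.0.3.42])
\tby mail.example.internal with ESMTPSA id B2; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@example.internal
"""
TEST = """\
Received: from mail.example.internal (mail.example.internal [10.0.0.5])
\tby mx.example.internal with ESMTP id C3; Mon, 1 Jan 2024 11:00:03 +0000
Received: from WS-007 (ws-007.example.internal [10.0.3.7])
\tby mail.example.internal with ESMTPSA id D4; Mon, 1 Jan 2024 11:00:01 +0000
From: alice@example.internal
"""

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def _first_ip(text):
    """Return the first bracketed literal that parses as an IP address, else None."""
    for cand in IP_RE.findall(text):
        try:
            return ipaddress.ip_address(cand)
        except ValueError:
            continue
    return None

def received_chain(raw):
    """Return Received hops oldest-first as (from_host, ip, is_private) tuples."""
    hops = []
    # Each server prepends its header, so the bottom-most Received is the first hop.
    # Only hops stamped by servers you control are trustworthy; older ones can be forged.
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        host = re.match(r"from (\S+)", flat)
        ip = _first_ip(flat)
        hops.append((host.group(1) if host else None, str(ip) if ip else None,
                     ip is not None and ip.is_private))
    return hops

def compare_origin(suspect_raw, known_good_raw):
    """Compare the first hop of a suspect message with a known-good test message."""
    s, g = received_chain(suspect_raw), received_chain(known_good_raw)
    first_s, first_g = (s[0] if s else None), (g[0] if g else None)
    known = first_s and first_g and first_s[1] and first_g[1]
    same = (first_s[1] == first_g[1]) if known else None
    return {"suspect": first_s, "known_good": first_g, "same_origin": same}
```

A `same_origin` of `None` means one of the messages carried no usable first-hop address, which is what the masking described earlier in the thread looks like.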

Author

Commented:
Michael,

I have an Exchange server. How would I go about looking at the log files to determine which account (if any) is sending to a specific email address?

Commented:
mail flow logs
Jackie Man IT Manager
Top Expert 2010

Commented:
I have an Exchange server, how would I go about looking at the log files to determine which account (if any) are sending a specific email address.

Only if you are the admin of your Exchange server, you can find the specific email address by message tracking from the words in the subject line.

If you

https://practical365.com/exchange-server/exchange-2010-message-tracking/
