Re: Tracking down anonymous user

[intel96 <intel96 () bellsouth net>]

My 2 cents:

Did you check your Microsoft Windows security event logs to see who was
login with that account when the e-mail was sent?

Did the user send the message through Outlook? If so, have you checked
everyones outbox?

Did the user use the web interface for Outlook, if so did you check the
IIS logs for that day?

My advice concerning this issue is NOT to share passwords for a domain
user account!!


mikef () everfast com wrote:
> I’m trying to track down an internal user who is sending email under a different user account to hide his/her 
> identity. 
> Scenario:
> I have a domain user account that about 15 people know the password to. Someone logged on using this account and sent 
> a message to a manager and because of the content of the message I'm 100% certain that it's an internal user; not 
> someone spoofing. As a matter of fact it’s definitely someone in the IT department.
> Is there a way to track down what computer (IP address) was used to send the messages? 
> The incident occurred a couple of days ago so I'm hoping I can still track down the user. I'm using exchange server 
> 2003.
>
> I’ve check the exchange log files, SMTP files from my SQL servers, and checked the recipient header (there was no 
> header info), but I’m not getting anywhere. If I can’t get them this time what can I do to catch them the next time.
>
>