Security Basics mailing list archives
RE: Tracking down anonymous user
From: "David A. Coursey" <dave () rootsec net>
Date: Sun, 31 Dec 2006 11:27:45 -0500
As far as I know, when you send an internal message in an Outlook/Exchange environment no message headers are stored. There will also be no entries in your SMTP logs because internal messages do not go through the SMTP server. Outlook uses a MAPI connection and exchange drops the mail directly in the recipients mailbox. Right off hand I can't think of any quick way for you to figure out who did it in the past, but others have suggested great ways to prevent this in the future. As an Exchange admin, your very first step after install is to ensure message tracking is turned on. We use group mailboxes like this as well, but make the password super secure and don't give it out. Use Exchange System Manager to give the necessary domain accounts permissions to "Read" or "Send As". If you have the blessing from the ivory tower, you can search every mailbox in the domain, specifically the Sent Items to see if anything suspicious shows up. If you do scheduled backups, you may also do a restore from the night after the message was sent, to a different server, then search that. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of mikef () everfast com Sent: Tuesday, December 26, 2006 4:07 PM To: security-basics () securityfocus com Subject: Tracking down anonymous user I'm trying to track down an internal user who is sending email under a different user account to hide his/her identity. Scenario: I have a domain user account that about 15 people know the password to. Someone logged on using this account and sent a message to a manager and because of the content of the message I'm 100% certain that it's an internal user; not someone spoofing. As a matter of fact it's definitely someone in the IT department. Is there a way to track down what computer (IP address) was used to send the messages? The incident occurred a couple of days ago so I'm hoping I can still track down the user. I'm using exchange server 2003. I've check the exchange log files, SMTP files from my SQL servers, and checked the recipient header (there was no header info), but I'm not getting anywhere. If I can't get them this time what can I do to catch them the next time.
Current thread:
- RE: Tracking down anonymous user Murda Mcloud (Jan 02)
- <Possible follow-ups>
- Re: Re: Tracking down anonymous user levinson_k (Jan 02)
- Re: Re: Tracking down anonymous user tima . soni (Jan 02)
- Re: Tracking down anonymous user Dani Houpt (Jan 02)
- RE: Tracking down anonymous user David A. Coursey (Jan 02)
- Re: Tracking down anonymous user Mat Benwell (Jan 02)
- Re: RE: Tracking down anonymous user christopherkelley (Jan 02)
- Re: RE: Tracking down anonymous user christopherkelley (Jan 02)
- RE: Tracking down anonymous user Scott Ramsdell (Jan 02)
- Re: Tracking down anonymous user killy (Jan 02)
- RE: Tracking down anonymous user Tom Geairn (Jan 02)
- Re: Re: Tracking down anonymous user mikef (Jan 02)
- RE: Tracking down anonymous user Gressick, Michael (Jan 02)
- Re: Re: Re: Tracking down anonymous user christopherkelley (Jan 04)