Security Basics mailing list archives

RE: Tracking down anonymous user

From: "David A. Coursey" <dave () rootsec net>
Date: Sun, 31 Dec 2006 11:27:45 -0500

As far as I know, when you send an internal message in an Outlook/Exchange
environment no message headers are stored.  There will also be no entries in
your SMTP logs because internal messages do not go through the SMTP server.
Outlook uses a MAPI connection and exchange drops the mail directly in the
recipients mailbox.

Right off hand I can't think of any quick way for you to figure out who did
it in the past, but others have suggested great ways to prevent this in the
future.  As an Exchange admin, your very first step after install is to
ensure message tracking is turned on.  We use group mailboxes like this as
well, but make the password super secure and don't give it out.  Use
Exchange System Manager to give the necessary domain accounts permissions to
"Read" or "Send As".

If you have the blessing from the ivory tower, you can search every mailbox
in the domain, specifically the Sent Items to see if anything suspicious
shows up.  If you do scheduled backups, you may also do a restore from the
night after the message was sent, to a different server, then search that.



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of mikef () everfast com
Sent: Tuesday, December 26, 2006 4:07 PM
To: security-basics () securityfocus com
Subject: Tracking down anonymous user

I'm trying to track down an internal user who is sending email under a
different user account to hide his/her identity. 
Scenario:
I have a domain user account that about 15 people know the password to.
Someone logged on using this account and sent a message to a manager and
because of the content of the message I'm 100% certain that it's an internal
user; not someone spoofing. As a matter of fact it's definitely someone in
the IT department.
Is there a way to track down what computer (IP address) was used to send the
messages? 
The incident occurred a couple of days ago so I'm hoping I can still track
down the user. I'm using exchange server 2003.

I've check the exchange log files, SMTP files from my SQL servers, and
checked the recipient header (there was no header info), but I'm not getting
anywhere. If I can't get them this time what can I do to catch them the next
time.

Current thread:

RE: Tracking down anonymous user Murda Mcloud (Jan 02)
- <Possible follow-ups>
- Re: Re: Tracking down anonymous user levinson_k (Jan 02)
- Re: Re: Tracking down anonymous user tima . soni (Jan 02)
- Re: Tracking down anonymous user Dani Houpt (Jan 02)
- RE: Tracking down anonymous user David A. Coursey (Jan 02)
- Re: Tracking down anonymous user Mat Benwell (Jan 02)
- Re: RE: Tracking down anonymous user christopherkelley (Jan 02)
- Re: RE: Tracking down anonymous user christopherkelley (Jan 02)
- RE: Tracking down anonymous user Scott Ramsdell (Jan 02)
- Re: Tracking down anonymous user killy (Jan 02)
  - RE: Tracking down anonymous user Tom Geairn (Jan 02)
- Re: Re: Tracking down anonymous user mikef (Jan 02)
- RE: Tracking down anonymous user Gressick, Michael (Jan 02)
- Re: Re: Re: Tracking down anonymous user christopherkelley (Jan 04)