Security Basics mailing list archives

Re: RE: Tracking down anonymous user


From: christopherkelley () hotmail com
Date: 2 Jan 2007 15:57:13 -0000

I think that everyone here is missing the fact that if this is an internal user in an exchange environment (unless you 
have a weird setup), the message should never reach the SMTP engine, so looking in the SMTP logs will be fruitless 
(provided it _is_ an internal user). The same goes for trying to view the message header information. Exchange handles 
internal email differently, especially in a single-server environment, so if there is a header, chances are it will be 
meaningless.

Also, because it is a separate user account, looking in sent items/outboxes will also be a waste of time.

So... The first thing that I would do is to change the password on this account and evaluate the need for its 
existence. If it is just a shared email address that is needed, that is possible to set up without having a domain user 
account (and exchange will log access to the inbox in case it happens again). Create the mailbox in exchange and give 
each person the necessary permissions to the inbox. The exchange server will wonderfully log by username all access to 
this mailbox, in the event that something like this happens again.

If the account exists to share access to resources, consider giving the people access to those resources without having 
another account to blur the audit trail. 

As far as finding out who did it, I'm not really sure. The beauty of having individual accounts really shines here. 
Audit trails and individual accountability are key. But, you may want to look in the audit logs of your domain 
controllers for logons and logoffs about the time the message was sent. It's been a while since I have looked at Domain 
Controller Audit logs, but you may be able to see the workstation that the person was using to login, which may tell 
you who did it.

Be very careful how you approach the next step, because if you don't cross your Ts and dot your Is, your legal recourse 
will be thrown away (I'm going to assume that you/your company will want to fire/punish this person). If you don't 
conduct your investigation properly, any evidence that you may collect may not be usable against this person. Depending 
on how far you and your company wish to take this, I'd recommend hiring a computer forensic specialist to conduct the 
investigation (that is, unless, of course, you have the necessary tools and skills on hand to do a proper job).

Sorry for the long post. Hope this helps all.
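One way to carry out the domain-controller audit-log check suggested above, as an added example that is not part of the original post: it takes a constructed set of logon/logoff records, finds where the shared account had a session around the time the message was sent, and lists which individual accounts were also logged on at that same workstation. The event IDs 4624/4634, the field layout, and the account and workstation names are assumptions made for the example.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
LOGON, LOGOFF = 4624, 4634  # assumed Windows Security log IDs: logon / logoff

# Constructed sample records (time, event id, account, workstation); not real data.
EVENTS = [
    ("2007-01-02 09:20:00", LOGON,  "sharedmbx", "WS-07"),
    ("2007-01-02 09:25:00", LOGOFF, "sharedmbx", "WS-07"),
    ("2007-01-02 09:58:10", LOGON,  "jsmith",    "WS-14"),
    ("2007-01-02 10:02:35", LOGON,  "sharedmbx", "WS-14"),
    ("2007-01-02 10:05:01", LOGON,  "amiller",   "WS-22"),
    ("2007-01-02 10:14:40", LOGOFF, "sharedmbx", "WS-14"),
    ("2007-01-02 11:30:00", LOGOFF, "jsmith",    "WS-14"),
]

def _t(s):
    return datetime.strptime(s, FMT)

def sessions_for(events, account):
    """Pair each logon of `account` with the next logoff on the same workstation.
    Returns (start, end, workstation); a session with no logoff ends at datetime.max."""
    sessions, open_by_ws = [], {}
    for time, eid, user, ws in sorted(events, key=lambda e: _t(e[0])):
        if user != account:
            continue
        if eid == LOGON:
            open_by_ws[ws] = _t(time)
        elif eid == LOGOFF and ws in open_by_ws:
            sessions.append((open_by_ws.pop(ws), _t(time), ws))
    sessions += [(start, datetime.max, ws) for ws, start in open_by_ws.items()]
    return sessions

def suspects(events, shared_account, sent_at, window_min=15):
    """Map each workstation where `shared_account` had a session touching the
    window around `sent_at` to the other accounts whose own session on that
    workstation covered the send time (the people who could have been at that desk)."""
    sent = _t(sent_at)
    lo, hi = sent - timedelta(minutes=window_min), sent + timedelta(minutes=window_min)
    others = sorted({u for _, _, u, _ in events if u != shared_account})
    result = {}
    for start, end, ws in sessions_for(events, shared_account):
        if start > hi or end < lo:  # session entirely outside the window
            continue
        result[ws] = [u for u in others
                      if any(s <= sent <= e for s, e, w in sessions_for(events, u) if w == ws)]
    return result

if __name__ == "__main__":
    print(suspects(EVENTS, "sharedmbx", "2007-01-02 10:03:00"))  # {'WS-14': ['jsmith']}
```

A workstation that maps to an empty list means the shared account was used there but no individual session explains who sat at it, so the answer has to come from elsewhere (badge records, the machine's own local logs).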

