RE: Tracking down anonymous user

["Gressick, Michael" <mgressick () cybersource com>]

Since you say you see no headers, the message must have been submitted
via an Exchange client. (Outlook, or OWA) Headers would be generated
even if an internal user telneted to the SMTP port on the Exchange box.

Have you checked the security event log on the Exchange server in
question? You should be able to determine where that specific user
account logged in from when that message was sent. If you can't find it,
check the event log on the OWA server (if it exists) or as a last
resort, on all other Domain Controllers (since in theory any of them
could have authenticated the user).  I do hope you have enabled auditing
for account logon events...

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of mikef () everfast com
Sent: Tuesday, December 26, 2006 1:07 PM
To: security-basics () securityfocus com
Subject: Tracking down anonymous user

I'm trying to track down an internal user who is sending email under a
different user account to hide his/her identity. 
Scenario:
I have a domain user account that about 15 people know the password to.
Someone logged on using this account and sent a message to a manager and
because of the content of the message I'm 100% certain that it's an
internal user; not someone spoofing. As a matter of fact it's definitely
someone in the IT department.
Is there a way to track down what computer (IP address) was used to send
the messages? 
The incident occurred a couple of days ago so I'm hoping I can still
track down the user. I'm using exchange server 2003.

I've check the exchange log files, SMTP files from my SQL servers, and
checked the recipient header (there was no header info), but I'm not
getting anywhere. If I can't get them this time what can I do to catch
them the next time.