Security Basics mailing list archives

RE: Tracking down anonymous user


From: "Tom Geairn" <tgeairn () newviewconsulting com>
Date: Tue, 2 Jan 2007 15:37:27 -0600

Although all comments so far have probably gone a long way to figuring
this out, you could take a different approach.

Often we find it useful to determine (to the best of our ability) how
the message *could* have been sent, then narrow things from there.

For a user with valid credentials or "send as" permissions to send an
email in Exchange, there are five (really only four) ways:

1. MAPI - This is Outlook or your client of choice.  No headers of value
will be produced, and the only tracking will be if message tracking is
enabled (and even then you will not learn anything other than what you
know).

2. SMTP - Either from outside or using default ability to relay from
internally.  This would show up in your SMTP log(s), but an IT user may
have the ability to remove those entries anyway.

3. Outlook Web Access - It's easy for a savvy user to browse to
http://mailserver/exchange/generic_account and send an email.  Logging
is similar to #1, BUT you will have http logs showing client IP, etc.
Depending on your config you may even get the logged-in user name from
the HTTP log.

4 & 5.  IMAP/POP.  These use SMTP for sending (see notes in #2), but a
really sneaky user could drop a message into the recipient's inbox if
they have credentials to access that inbox.

Given that you've checked SMTP logs, and have presumably checked
security logs for the box containing those logs, #s 2,4,5 are out (or at
least useless to you).  #1 and #3 are your only bets.  Since it will
take a large effort to turn a message id into anything other than the
sending mailbox, #1 is effectively out as well.

If you have OWA enabled, check your HTTP logs.  If you don't have any
luck there, then all you can do is work to prevent this from happening
again (or invest in a forensic examination).

-Tom Geairn
NewView Consulting, LLC
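Tom's point that OWA is the one channel here that leaves a client IP (and sometimes a user name) in the web server's logs suggests a concrete check. The script below is an added example, not part of the thread: it parses IIS W3C extended logs, taking the column order from the `#Fields:` directive rather than assuming it, and lists every request under `/exchange/<account>/` with its client IP and, where IIS was configured to log `cs-username`, the authenticated user. The log text, hosts, account name and times are constructed.

```python
from collections import defaultdict

# Constructed sample IIS W3C log; hosts, account name, times and paths are invented.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2006-12-26 20:55:01 10.0.0.5 GET /exchange/ - 80 - 10.0.1.44 Mozilla/4.0+(compatible) 401
2006-12-26 20:55:03 10.0.0.5 GET /exchange/generic_account/Inbox/ - 80 CORP\\generic_account 10.0.1.44 Mozilla/4.0+(compatible) 200
2006-12-26 21:06:58 10.0.0.5 POST /exchange/generic_account/Drafts/ Cmd=send 80 CORP\\generic_account 10.0.1.44 Mozilla/4.0+(compatible) 200
2006-12-26 21:10:12 10.0.0.5 GET /exchange/jsmith/Inbox/ - 80 CORP\\jsmith 10.0.2.17 Mozilla/4.0+(compatible) 200
2006-12-26 21:12:40 10.0.0.5 POST /exchange/generic_account/Inbox/ - 80 - 10.0.3.9 Mozilla/4.0+(compatible) 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # re-read: IIS repeats the header when the log rolls
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):  # malformed or truncated line: skip rather than guess
            continue
        yield dict(zip(fields, parts))


def owa_hits(text, mailbox):
    """Requests under /exchange/<mailbox>/ with client IP and, when logged, the authenticated user."""
    prefix = "/exchange/%s/" % mailbox.lower()
    hits = []
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith(prefix):
            continue
        user = rec.get("cs-username", "-")  # field absent or "-" means no user was logged
        hits.append({"when": rec["date"] + " " + rec["time"], "client_ip": rec["c-ip"],
                     "method": rec["cs-method"], "user": None if user == "-" else user})
    return hits


def clients_for(text, mailbox):
    """Group hits by client IP: the workstation list to check against DHCP leases or ARP caches."""
    by_ip = defaultdict(list)
    for h in owa_hits(text, mailbox):
        by_ip[h["client_ip"]].append(h)
    return dict(by_ip)
```

Run it against the real log directory's files concatenated in date order; the `user` field will be `None` for every hit if the `cs-username` column was never enabled, which is exactly the "depending on your config" caveat above.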
On 26 Dec 2006 21:07:08 -0000, mikef () everfast com <mikef () everfast com>
wrote:
I'm trying to track down an internal user who is sending email under a
different user account to hide his/her identity.
Scenario:
I have a domain user account that about 15 people know the password
to. Someone logged on using this account and sent a message to a manager
and because of the content of the message I'm 100% certain that it's an
internal user; not someone spoofing. As a matter of fact it's definitely
someone in the IT department.
Is there a way to track down what computer (IP address) was used to
send the messages?
The incident occurred a couple of days ago so I'm hoping I can still
track down the user. I'm using Exchange Server 2003.

I've checked the Exchange log files, SMTP files from my SQL servers, and
checked the recipient header (there was no header info), but I'm not
getting anywhere. If I can't get them this time, what can I do to catch
them the next time?