Security Basics mailing list archives
RE: Tracking down anonymous user
From: "Tom Geairn" <tgeairn () newviewconsulting com>
Date: Tue, 2 Jan 2007 15:37:27 -0600
Although all comments so far have probably gone a long way to figuring this out, you could take a different approach. Often we find it useful to determine (to the best of our ability) how the message *could* have been sent, then narrow things from there. For a user with valid credentials or "send as" permissions to send an email in Exchange, there are five (really only four) ways: 1. MAPI - This is Outlook or your client of choice. No headers of value will be produced, and the only tracking will be if message tracking is enabled (and even then you will not learn anything other than what you know). 2. SMTP - Either from outside or using default ability to relay from internally. This would show up in your SMTP log(s), but an IT user may have the ability to remove those entries anyway. 3. Outlook Web Access - It's easy for a savvy user to browse to http://mailserver/exchange/generic_account and send an email. Logging is similar to #1, BUT you will have http logs showing client IP, etc. Depending on your config you may even get the logged-in user name from the HTTP log. 4 & 5. IMAP/POP. These use SMTP for sending (see notes in #2), but a really sneaky user could drop a message into the recipient's inbox if they have credentials to access that inbox. Given that you've checked SMTP logs, and have presumably checked security logs for the box containing those logs, #s 2,4,5 are out (or at least useless to you). #1 and #3 are your only bets. Since it will take a large effort to turn a message id into anything other than the sending mailbox, #1 is effectively out as well. If you have OWA enabled, check your HTTP logs. If you don't have any luck there, then all you can do is work to prevent this from happening again (or invest in a forensic examination). -Tom Geairn NewView Consulting, LLC On 26 Dec 2006 21:07:08 -0000, mikef () everfast com <mikef () everfast com> wrote:
I'm trying to track down an internal user who is sending email under a
different user account to hide his/her identity.
Scenario: I have a domain user account that about 15 people know the password
to. Someone logged on using this account and sent a message to a manager and because of the content of the message I'm 100% certain that it's an internal user; not someone spoofing. As a matter of fact it's definitely someone in the IT department.
Is there a way to track down what computer (IP address) was used to
send the messages?
The incident occurred a couple of days ago so I'm hoping I can still
track down the user. I'm using exchange server 2003.
I've check the exchange log files, SMTP files from my SQL servers, and
checked the recipient header (there was no header info), but I'm not getting anywhere. If I can't get them this time what can I do to catch them the next time.
Current thread:
- RE: Tracking down anonymous user Murda Mcloud (Jan 02)
- <Possible follow-ups>
- Re: Re: Tracking down anonymous user levinson_k (Jan 02)
- Re: Re: Tracking down anonymous user tima . soni (Jan 02)
- Re: Tracking down anonymous user Dani Houpt (Jan 02)
- RE: Tracking down anonymous user David A. Coursey (Jan 02)
- Re: Tracking down anonymous user Mat Benwell (Jan 02)
- Re: RE: Tracking down anonymous user christopherkelley (Jan 02)
- Re: RE: Tracking down anonymous user christopherkelley (Jan 02)
- RE: Tracking down anonymous user Scott Ramsdell (Jan 02)
- Re: Tracking down anonymous user killy (Jan 02)
- RE: Tracking down anonymous user Tom Geairn (Jan 02)
- Re: Re: Tracking down anonymous user mikef (Jan 02)
- RE: Tracking down anonymous user Gressick, Michael (Jan 02)
- Re: Re: Re: Tracking down anonymous user christopherkelley (Jan 04)