RE: Tracking down anonymous user

["tima soni" <tima.soni () gmail com>]

Hi Mike,

You may try to add another layer of authentication where in a user supplies
his/ her credentials before accessing any shared resource. We have this
implemented in our environment...

Passwords should never be shared. So you should also work on defining and
implementing a policy where in you can question the accountability of any
user using any account. Every user accessing any asset with in your
organization should have his/ her own unique user ID. 

Regards

Tima

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of mikef () everfast com
Sent: Wednesday, December 27, 2006 2:37 AM
To: security-basics () securityfocus com
Subject: Tracking down anonymous user

I'm trying to track down an internal user who is sending email under a
different user account to hide his/her identity. 
Scenario:
I have a domain user account that about 15 people know the password to.
Someone logged on using this account and sent a message to a manager and
because of the content of the message I'm 100% certain that it's an internal
user; not someone spoofing. As a matter of fact it's definitely someone in
the IT department.
Is there a way to track down what computer (IP address) was used to send the
messages? 
The incident occurred a couple of days ago so I'm hoping I can still track
down the user. I'm using exchange server 2003.

I've check the exchange log files, SMTP files from my SQL servers, and
checked the recipient header (there was no header info), but I'm not getting
anywhere. If I can't get them this time what can I do to catch them the next
time.