Security Basics mailing list archives
Re: Tracking down anonymous user
From: "Mat Benwell" <mjbenny1 () gmail com>
Date: Mon, 1 Jan 2007 14:01:56 +1030
Hi Mike, Obviously it can be legitimate for there to be a shared user account passwords, in particular service accounts, but they should not be allowed the right to log on to the local machine as a user (logon as a service, yes). If they need to log on to the machine then you would want to be able to audit their actions so they should use individual accounts As it is an internal email there is no need for any message transfer between systems so this would be why there is little info in the headers. There will be no reference to SMTP as exchange will not use it unless it is sending outside the local exchange environment (it can use smtp to transfer between sites in the an organization) and by default the exchange client will not use smtp either. I would assume that the email was sent from the mailbox that was created when the user account was created. In which case, I agree with intel96, the only way you will be able to track it down is through audit log's to see which workstation the account logged on to or possibly through message tracking if you happened to have it turned on before the message was sent. Even with this info it will be difficult to prove beyond doubt who sent the email Cheers Mat intel96 wrote: My 2 cents: Did you check your Microsoft Windows security event logs to see who was login with that account when the e-mail was sent? Did the user send the message through Outlook? If so, have you checked everyones outbox? Did the user use the web interface for Outlook, if so did you check the IIS logs for that day? My advice concerning this issue is NOT to share passwords for a domain user account!! mikef () everfast com wrote: I'm trying to track down an internal user who is sending email under a different user account to hide his/her identity. Scenario: I have a domain user account that about 15 people know the password to. Someone logged on using this account and sent a message to a manager and because of the content of the message I'm 100% certain that it's an internal user; not someone spoofing. As a matter of fact it's definitely someone in the IT department. Is there a way to track down what computer (IP address) was used to send the messages? The incident occurred a couple of days ago so I'm hoping I can still track down the user. I'm using exchange server 2003. I've check the exchange log files, SMTP files from my SQL servers, and checked the recipient header (there was no header info), but I'm not getting anywhere. If I can't get them this time what can I do to catch them the next time.
Current thread:
- RE: Tracking down anonymous user Murda Mcloud (Jan 02)
- <Possible follow-ups>
- Re: Re: Tracking down anonymous user levinson_k (Jan 02)
- Re: Re: Tracking down anonymous user tima . soni (Jan 02)
- Re: Tracking down anonymous user Dani Houpt (Jan 02)
- RE: Tracking down anonymous user David A. Coursey (Jan 02)
- Re: Tracking down anonymous user Mat Benwell (Jan 02)
- Re: RE: Tracking down anonymous user christopherkelley (Jan 02)
- Re: RE: Tracking down anonymous user christopherkelley (Jan 02)
- RE: Tracking down anonymous user Scott Ramsdell (Jan 02)
- Re: Tracking down anonymous user killy (Jan 02)
- RE: Tracking down anonymous user Tom Geairn (Jan 02)
- Re: Re: Tracking down anonymous user mikef (Jan 02)
- RE: Tracking down anonymous user Gressick, Michael (Jan 02)
- Re: Re: Re: Tracking down anonymous user christopherkelley (Jan 04)