Re: Tracking down anonymous user

["Mat Benwell" <mjbenny1 () gmail com>]

Hi Mike,
Obviously it can be legitimate for there to be a shared user account
passwords, in particular service accounts, but they should not be
allowed the right to log on to the local machine as a user (logon as a
service, yes). If they need to log on to the machine then you would
want to be able to audit their actions so they should use individual
accounts

As it is an internal email there is no need for any message transfer
between systems so this would be why there is little info in the
headers. There will be no reference to SMTP as exchange will not use
it unless it is sending outside the local exchange environment (it can
use smtp to transfer between sites in the an organization) and by
default the exchange client will not use smtp either.

I would assume that the email was sent from the mailbox that was
created when the user account was created. In which case, I agree with
intel96, the only way you will be able to track it down is through
audit log's to see which workstation the account logged on to or
possibly through message tracking if you happened to have it turned on
before the message was sent.

Even with this info it will be difficult to prove beyond doubt who
sent the email

Cheers
Mat


intel96 wrote:
My 2 cents:

Did you check your Microsoft Windows security event logs to see who was
login with that account when the e-mail was sent?

Did the user send the message through Outlook? If so, have you checked

everyones outbox?

Did the user use the web interface for Outlook, if so did you check the
IIS logs for that day?

My advice concerning this issue is NOT to share passwords for a domain
user account!!



mikef () everfast com wrote:


I'm trying to track down an internal user who is sending email under a
different user account to hide his/her identity.
Scenario:
I have a domain user account that about 15 people know the password
to. Someone logged on using this account and sent a message to a
manager and because of the content of the message I'm 100% certain
that it's an internal user; not someone spoofing. As a matter of fact
it's definitely someone in the IT department.

Is there a way to track down what computer (IP address) was used to
send the messages?
The incident occurred a couple of days ago so I'm hoping I can still
track down the user. I'm using exchange server 2003.


I've check the exchange log files, SMTP files from my SQL servers, and
checked the recipient header (there was no header info), but I'm not
getting anywhere. If I can't get them this time what can I do to catch
them the next time.