who sent that email ?


  • who sent that email ?

    Ok, at one of our clients, an email was sent today at 11:48am. This also occurred a week ago, at a very similar time.

    However, the sender definitely did not send it - it's not in her sent-items, and it's also not in the sent-items of either of the two users I can find identified as having either full access, or send-as access to the mailbox.

    The message tracking centre shows it being sent by the user.
    The SMTP log does not have enough detail in it for me to work out where it came from.

    Is there any way I can track down who sent the email, without manually opening every single mailbox through OWA and checking sent-items?

    I've looked at the message headers also, and it doesn't give me an originating IP or anything. It's a 2003/SBS environment if that helps.
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

  • #2
    Re: who sent that email ?

    What does the message header of the sent mail show? Normally it should have information about the host which sent the mail originally (even if altered, it should have some information to start with).



    • #3
      Re: who sent that email ?

      it shows the following:

      X-MimeOLE: Produced By Microsoft Exchange V6.5
      Content-Class: urn:content-classes:message
      MIME-Version: 1.0
      Subject: A questionable email
      Date: Tue, 23 Nov 2010 11:48:29 +0000
      Message-ID: <[email protected] .somewhere.local>
      X-MS-Has-Attach:
      X-MS-TNEF-Correlator:
      Thread-Topic: 60 second elevator pitch
      Thread-Index: AcuFv07GS6oDye8tRq+Acrah3iVeGQ==
      From: "Jasmine Whitbread" <[email protected]>
      To: "Everybody" <[email protected]>,

      Content-Type: multipart/alternative;
      boundary="----_=_NextPart_003_01CB8B04.58C85B1F"
      Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif



      • #4
        Re: who sent that email ?

        Hi,

        Just wondering if it's a complete message header. Who is the recipient -- internal / external? Is the email sent as an attachment ..
        Thanks & Regards
        v-2nas

        MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
        Sr. Wintel Eng. (Investment Bank)
        Independent IT Consultant and Architect
        Blog: http://www.exchadtech.blogspot.com

        Show your appreciation for my help by giving reputation points



        • #5
          Re: who sent that email ?

          that email was sent to me as an attachment, does that make a difference?

          It was sent to both internal and external users, via a distribution list.

          I'll logon remotely and check the headers

          On the email client it was actually delivered to, there are no headers.
          Last edited by tehcamel; 23rd November 2010, 17:46.
          Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif



          • #6
            Re: who sent that email ?

            If there are no headers, then it was sent internally.
            It can only be sent via an ACCOUNT with send as permissions.
            However unless you had audit logging turned up high enough, you wouldn't know which account sent it, and the IP address of the client is not recorded by Exchange.

            Simon.
            --
            Simon Butler
            Exchange MVP

            Blog: http://blog.sembee.co.uk/
            More Exchange Content: http://exchange.sembee.info/
            Exchange Resources List: http://exbpa.com/
            In the UK? Hire me: http://www.sembee.co.uk/

            Sembee is a registered trademark, used here with permission.



            • #7
              Re: who sent that email ?

              Could Relays play a part?

              If the account is on the allow list for Relay they would not have to login to send the email.

              Hobie



              • #8
                Re: who sent that email ?

                Hi,

                So user says he or she didn't send out the email to the DL.

                Message Tracking log shows that the email is sent out by the user. If it's on behalf of the user, then the user will be in the tracking log's "From" field.

                If you search for the message using msgid on the first mailbox server, what does the tracking log show?

                If diagnostic logging is enabled on msexchangeis, categorizer...
                Thanks & Regards
                v-2nas

                MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
                Sr. Wintel Eng. (Investment Bank)
                Independent IT Consultant and Architect
                Blog: http://www.exchadtech.blogspot.com

                Show your appreciation for my help by giving reputation points



                • #9
                  Re: who sent that email ?

                  Originally posted by Hobie:
                  Could Relays play a part?

                  If the account is on the allow list for Relay they would not have to login to send the email.

                  Hobie
                  Yes... that could also be one of the situations; then the SMTP logs will capture the IP address.
                  Thanks & Regards
                  v-2nas

                  MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
                  Sr. Wintel Eng. (Investment Bank)
                  Independent IT Consultant and Architect
                  Blog: http://www.exchadtech.blogspot.com

                  Show your appreciation for my help by giving reputation points



                  • #10
                    Re: who sent that email ?

                    If the email was relayed through SMTP, then it would have more on the header than has been posted. Furthermore, it is IP address that allows unauthenticated relaying, not account. If you are doing account based relaying, then login is still required and would be in the event viewer, if the events go back that far.

                    Simon.
                    --
                    Simon Butler
                    Exchange MVP

                    Blog: http://blog.sembee.co.uk/
                    More Exchange Content: http://exchange.sembee.info/
                    Exchange Resources List: http://exbpa.com/
                    In the UK? Hire me: http://www.sembee.co.uk/

                    Sembee is a registered trademark, used here with permission.
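
Added example, not part of any post in this thread: a small Python triage of a header block that applies the rule discussed in #6 and #10, where a message that crossed SMTP carries `Received:` hops and one submitted straight to the store does not. The function name `triage`, the addresses, host names and the 192.0.2.10 address are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample modelled on the header posted in #3 (placeholder addresses).
STORE_SUBMITTED = """\
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Subject: A questionable email
Date: Tue, 23 Nov 2010 11:48:29 +0000
From: "Sender" <sender@example.local>
To: "Everybody" <everybody@example.local>

"""

# Constructed sample: the same message as it would look after one SMTP hop.
SMTP_RELAYED = (
    "Received: from client01 ([192.0.2.10]) by mail.example.local with\n"
    "\tESMTP; Tue, 23 Nov 2010 11:48:29 +0000\n"
    + STORE_SUBMITTED
)

# Literal IPv4 addresses in Received lines are conventionally bracketed.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Where the thread says to look next for each outcome.
NEXT_STEP = {
    "smtp-transit": "match hop IPs against the SMTP protocol log and relay allow list",
    "no-smtp-hop": "submitted to the store: check logon/send-as audit events",
}


def triage(raw_headers):
    """Summarise the routing evidence present in a raw header block."""
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    hop_ips = [ip for hop in received for ip in IP_RE.findall(hop)]
    verdict = "smtp-transit" if received else "no-smtp-hop"
    return {
        "verdict": verdict,
        "hops": len(received),
        "hop_ips": hop_ips,
        "x_originating_ip": msg.get("X-Originating-IP"),
        "mime_ole": msg.get("X-MimeOLE"),
        "next_step": NEXT_STEP[verdict],
    }
```
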



                    • #11
                      Re: who sent that email ?

                      Thank you all for your feedback - I don't believe it was relayed through SMTP - I think it came from the info store somehow.

                      Unfortunately, diagnostic logging at this site is very low - I know in my old job, I could see every time someone sent-on-behalf-of etc, but not here

                      at least, not retroactively
                      Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif
