08-06-2013, 04:19 PM, #1
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
Trace origin of an e-mail?
Here's a weird one for the CP IT hive mind. Someone higher up in the company sent an e-mail to every employee last week through the all company distribution group but claims they never did so and is asking that it be tracked down. Nobody else has access permissions to their mailbox.
I suspect they sent it accidentally but I cannot find any way to source the originating PC or mobile device. All the Exchange tracking logs from the PowerShell command "Get-MessageTrackingLog" only go as far as the original CAS/HUB server that received the e-mail.
Does anybody know of a way I can track down where this e-mail originated? It will have to have come from Outlook on a workstation, a personal mobile device connected to Active Sync, or via the web over OWA. Any ideas? I'm all Googled out!
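As an added example (not from the thread or its posters), this is the sweep I would run in the Exchange 2010 Management Shell to collect what is still recoverable: the tracking events for the message from every Hub Transport server, the ActiveSync partnerships on the mailbox, and the OWA requests in the CAS IIS log. The sender, subject, time window and IIS log path are assumed placeholders.

```powershell
# Added example for this thread; not the OP's code. Run in the Exchange 2010
# Management Shell. Sender, subject, window and IIS log path are placeholders.
$Sender  = 'exec@example.com'                   # assumed mailbox
$Subject = 'All-company message'                # assumed subject
$Start   = (Get-Date).AddDays(-7)
$End     = Get-Date

# 1. Message tracking: query every Hub Transport server, not only the one
#    whose log you happened to open. For a message submitted from Outlook
#    (MAPI), OWA or ActiveSync the first event is a RECEIVE with
#    Source = STOREDRIVER, and ClientIp/ClientHostname name the mailbox
#    server, not the user's device. That is the wall the OP describes; an
#    SMTP submission (Source = SMTP) would carry the real client IP instead.
$events = Get-TransportServer | ForEach-Object {
    Get-MessageTrackingLog -Server $_.Name -Sender $Sender -MessageSubject $Subject `
        -Start $Start -End $End -ResultSize Unlimited
} | Sort-Object Timestamp
$events | Select-Object Timestamp, EventId, Source, ServerHostname, ClientIp,
    ClientHostname, SourceContext, MessageId | Format-Table -AutoSize

# 2. ActiveSync: which devices are partnered with the mailbox and when each
#    last synced. A LastSuccessSync near the first RECEIVE timestamp is a
#    lead; a partnership the user has already removed will not show up.
Get-ActiveSyncDeviceStatistics -Mailbox $Sender |
    Select-Object DeviceType, DeviceModel, DeviceUserAgent, DeviceID,
        LastSuccessSync, LastSyncAttemptTime | Format-Table -AutoSize

# 3. OWA: the CAS IIS log records c-ip and cs-username for /owa requests, so
#    a logon around the message time yields a client IP. The default IIS log
#    location is assumed; IIS stamps entries in UTC, so convert first.
$first = $events | Where-Object { $_.EventId -eq 'RECEIVE' } | Select-Object -First 1
if ($first) {
    $utc    = $first.Timestamp.ToUniversalTime()
    $iisLog = "C:\inetpub\logs\LogFiles\W3SVC1\u_ex$($utc.ToString('yyMMdd')).log"
    $alias  = $Sender.Split('@')[0]
    Select-String -Path $iisLog -Pattern '/owa/' |
        Where-Object { $_.Line -match [regex]::Escape($alias) } |
        Select-Object -First 20 | ForEach-Object { $_.Line }
}
```

Step 3 only helps if the message went through OWA on that CAS and the IIS log for that day has not been rotated away; Outlook over MAPI leaves nothing comparable, as the replies below note.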

08-06-2013, 06:48 PM, #2
#1 Goaltender
I suspect you're SOL - I hate these kinds of requests; the logging detail levels needed are prohibitive, and almost never enabled prior to the request.
The big issue is MAPI logging - I don't know of any way to log IPs of MAPI clients, which would make it hard to know what is happening with Outlook users.
__________________
-Scott

08-06-2013, 09:44 PM, #3
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl
A couple of things you might be able to try, but almost no chance of doing more than eliminating one or two of the possible devices you listed.
OWA will have an information log entry for the login event.
Devices connected via Active Sync show up in OWA. Even then, if someone did it on purpose, they would be able to remove it.
All really pointless though, as it won't prove anything.
Scott's right, the only way you are going to get close to a solid answer on this is by having an unreal level of logs, which if you had, you probably wouldn't be asking here.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."

08-06-2013, 10:02 PM, #4
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
Quote:
Originally Posted by fotze
What was the email pertaining to?
I'm sure you got it, and for everybody else...no, it was not about Fotze's mom.

08-06-2013, 10:26 PM, #5
Lifetime Suspension
Join Date: Mar 2007
Location: Calgary
Do the message headers contain the originating IP address?

08-06-2013, 10:42 PM, #6
Lifetime Suspension
Take away this executive's PC and Blackberry, and give them a white board to write their thoughts on like they had lost their ability to speak. And make them write everything in the character of J. Jonah Jameson.

08-06-2013, 11:19 PM, #7
First Line Centre
Join Date: Nov 2006
Location: Calgary
Yeah, pretty much impossible. Unless you are using something like an F5 box to handle your external connections, you won't get an IP. Even then, you are probably only going to get a Telus or Shaw IP, and they won't give you the time of day.
Is the user dumb enough to keep his sent items?

08-06-2013, 11:54 PM, #8
Basement Chicken Choker
Join Date: Jan 2007
Location: In a land without pants, or war, or want. But mostly we care about the pants.
If nobody has access to his mailbox, then whoever sent it had to either have his login info and password, or he left a device he'd logged in on accessible. Either way, you are responsible for securing your account, so whether he sent it or not is moot, really.
Is he claiming he wasn't even on the network at the time the message was sent? It should be easy enough to check the event log on his machine and see if he was logged in, or VPN'd in, or whatever, depending on whether or not it is expedient to find out if he is the kind of liar who over-elaborates his lie in the hopes of making it more convincing. But it's probably not a good idea if he's management.
__________________
Better educated sadness than oblivious joy.

08-07-2013, 08:23 AM, #9
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
Quote:
Originally Posted by MelBridgeman
Do the message headers contain the originating IP address?
No they do not. Headers from internal users do not have this information.

08-07-2013, 08:25 AM, #10
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
Quote:
Originally Posted by psicodude
Yeah, pretty much impossible. Unless you are using something like an F5 box to handle your external connections, you won't get an IP. Even then, you are probably only going to get a Telus or Shaw IP, and they won't give you the time of day.
Is the user dumb enough to keep his sent items?
We do have an F5 load balancer although I've never touched it. I asked the networking guys about that but they don't have that level of information and I have to keep digging at the app layer. Even determining if it was sent externally via mobile or webmail would be something rather than just saying: "we don't know but we think you actually did it by mistake".
Last edited by Hack&Lube; 08-07-2013 at 08:29 AM.

08-07-2013, 08:33 AM, #11
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl
Would it be possible to determine if it possibly originated from a mobile device by the format of the email? i.e. text vs. HTML/RTF, or a different signature? Still doesn't prove anything, but gives some indicators.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."

08-07-2013, 08:36 AM, #12
First Line Centre
Join Date: Nov 2006
Location: Calgary
Our F5 logs all connections, including IPs, so I am sure you could find it with enough effort. Like I said, however, you will probably just end up with an IP from an ISP.

08-07-2013, 08:45 AM, #13
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl
If it was sent internally, it likely never left the local network, and as such wouldn't necessarily show in the F5 logs. I guess that depends on network topology though.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."

08-07-2013, 10:28 AM, #14
First Line Centre
Join Date: Nov 2006
Location: Calgary
Nope, you are 100% correct. F5 will only help if it was sent from OWA or ActiveSync, and if the correct logging level is set.

08-07-2013, 10:45 AM, #15
#1 Goaltender
Quote:
Originally Posted by psicodude
Nope, you are 100% correct. F5 will only help if it was sent from OWA or ActiveSync, and if the correct logging level is set.
Even with that level of logging, I'm not sure how much information about the activity undertaken by a client is revealed through the HTTP requests - it's not like sending an email via OWA is a simple HTTP POST, with the title of the email in the URL.
__________________
-Scott

08-07-2013, 11:37 AM, #16
Atomic Nerd
Join Date: Jul 2004
Location: Calgary
Our F5 LTM just provides dumb routing for load balancing. No logging information kept unfortunately.