Re: Tracking down anonymous user

if this is still a Covert operation on your part and the emails are
still being sent, try a packet logger on the exchange server.

Something as simple as Wireshark could work.
If you can manage to span the port for the exchange server, you could
use one of the many linux security distros and and sniff some
intersting traffic including SMTP.

my $0.02

On 26 Dec 2006 21:07:08 -0000, mikef <at> everfast.com <mikef <at> everfast.com> wrote:
> I'm trying to track down an internal user who is sending email under a different user account to hide
his/her identity.
> Scenario:
> I have a domain user account that about 15 people know the password to. Someone logged on using this account
and sent a message to a manager and because of the content of the message I'm 100% certain that it's an
internal user; not someone spoofing. As a matter of fact it's definitely someone in the IT department.
> Is there a way to track down what computer (IP address) was used to send the messages?
> The incident occurred a couple of days ago so I'm hoping I can still track down the user. I'm using exchange
server 2003.
>
> I've check the exchange log files, SMTP files from my SQL servers, and checked the recipient header (there
was no header info), but I'm not getting anywhere. If I can't get them this time what can I do to catch them the
next time.
>
>

--

-- 
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke