What would be IP address of Email sent on LAN

By wild_star
Management has asked me to trace the source machine or IP from which the email was sent.
- I have Exchange 2003 and the sender & recipient are within the network, so it has become difficult for me to trace the sender.
I have tried looking at the Security Log, but the logs are configured to be overwritten every day and the email to be traced is a week old.
- Can the email be traced from the Antispam server even if it's not SPAM?

Help me out guys

All Answers

That's what I don't like about Outlook/Exchange

by TobiF In reply to What would be IP address ...

It messes around with your headers and doesn't document the trace the normal way.

I guess this could be a wake-up to adjust your parameters for the log files...

Regarding Antispam, since it's possible that all messages are checked, you should definitely dig into the logs of that platform to see if you're lucky.

Message Properties

by Mehul Bhai In reply to What would be IP address ...

If you are using Microsoft Outlook, Outlook Express or Windows Live Mail as E-Mail Client in your organization then follow the following steps:
1) Right-Click on the mail and select Properties OR Open the mail and select File/Properties from the Menu
2) Select the "Details" Tab and Click on the "Message Source" Button.
Presto you will have details. This will open the e-mail in Notepad style in Full ASCII Text. Go through the Details in it.
Also see my other reply to your other post:**54&messageID=3395753&tag=content;leftCol
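
Added example, not part of any post in this thread: once the message source from the steps above is saved as text, its Received headers can be read hop by hop. This Python sketch lists each hop's claimed host and bracketed IP, oldest first; the sample message, host names and addresses are constructed, and a message that never passed an SMTP relay has no Received lines and yields an empty list.

```python
import email
import ipaddress
import re

# Constructed sample message source; hosts and addresses are made up.
SAMPLE_SOURCE = """\
Received: from mailgw.example.local ([10.0.0.5]) by exch01.example.local
 with Microsoft SMTPSVC; Mon, 1 Mar 2010 09:15:02 +0000
Received: from WKSTN-042 (unknown [192.168.1.77])
 by mailgw.example.local with SMTP; Mon, 1 Mar 2010 09:15:01 +0000
From: alice@example.local
To: bob@example.local
Subject: test

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(source):
    """Return hops oldest-first as dicts: claimed host, IP, private flag."""
    msg = email.message_from_string(source)
    hops = []
    # Each relay prepends its header, so reverse to read the oldest hop first.
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(raw.split())          # unfold continuation lines
        from_part = text.split(" by ", 1)[0]  # what the receiving server recorded
        host = re.match(r"from (\S+)", from_part)
        ip = None
        for cand in IP_RE.findall(from_part):
            try:
                ip = ipaddress.ip_address(cand)
                break
            except ValueError:
                continue  # bracketed text that is not a valid address
        hops.append({
            "from": host.group(1) if host else None,
            "ip": str(ip) if ip else None,
            "private": ip.is_private if ip else None,  # internal range?
        })
    return hops

if __name__ == "__main__":
    for n, hop in enumerate(received_hops(SAMPLE_SOURCE), 1):
        print(n, hop)
```

Treat every hop below the first server you control as unverified, since a sender can prepend forged Received lines.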


by oldbaritone In reply to What would be IP address ...

Is the Exchange server available to the outside WAN? For example, can sales, marketing and executives check their email from outside the network? If so, the sender's ID may have been "spoofed" - some outsider pretending to be a legitimate user to use the email system to send SPAM. A lot depends on the security settings of your Exchange server.

Getting the source IP may be difficult, because if the message came in from outside, the IP may have been replaced (translated) as it passed through a NAT router. It's also possible to "spoof" source IP and MAC addresses too. Even if you can find it, do you use DHCP, and do you have records of the DHCP lease at that time? If you're lucky, you may be able to trace the MAC address back through ARP and find the machine. But everything you trace back may be bogus and "spoofed."

Are your security logs saved in a daily backup process? Maybe it's not too late to save the archived copy? Can you restore it to an alternate location and check it?

And my last "plug" - this is another reason to consider using "DHCP with reservations." It's a little more work to create all of the reservations, but in a situation like this, it's MUCH easier to track down a culprit because the IP addresses are essentially static, determined by the reservation rather than randomly assigned.

You've already learned: the geek on TV who resolves a message from message to IP address to physical location in a matter of seconds exists only on TV.

In the real world, it's much more difficult.

Good luck.

Yes I concur with the above Poster

by OH Smeg Moderator In reply to What would be IP address ...

I would be very careful here to point the finger as it's quite possible that this correspondence didn't originate from within the system.

You may be blaming the wrong person and leave yourself liable for something. If not legally liable, there will be a lot of Bad Feelings created. If there is any possibility of Dismissal involved here, you may very well be held accountable by the affected person's Legal Team.

The only way you can be sure that this didn't come in from outside is if there is no Outside Connection and that just doesn't happen these days if it ever did on business networks.

