Re: Tracking down anonymous user

My 2 cents:

Did you check your Microsoft Windows security event logs to see who was
login with that account when the e-mail was sent?

Did the user send the message through Outlook? If so, have you checked
everyones outbox?

Did the user use the web interface for Outlook, if so did you check the
IIS logs for that day?

My advice concerning this issue is NOT to share passwords for a domain
user account!!


mikef@everfast.com wrote:
> I’m trying to track down an internal user who is sending email under a 
> different user account to hide his/her identity. 
> Scenario:
> I have a domain user account that about 15 people know the password to. 
> Someone logged on using this account and sent a message to a manager and 
> because of the content of the message I'm 100% certain that it's an internal 
> user; not someone spoofing. As a matter of fact it’s definitely someone in 
> the IT department.
> Is there a way to track down what computer (IP address) was used to send the 
> messages? 
> The incident occurred a couple of days ago so I'm hoping I can still track 
> down the user. I'm using exchange server 2003.
>
> I’ve check the exchange log files, SMTP files from my SQL servers, and 
> checked the recipient header (there was no header info), but I’m not getting 
> anywhere. If I can’t get them this time what can I do to catch them the next 
> time.
>
>