How to detect if someone has really sent a message? (Full Version)

All Forums >> [Microsoft Exchange 2000] >> Server Security


luisrato -> How to detect if someone has really sent a message? (10.Jul.2003 4:01:00 PM)

Greeting everyone,

I would like to know if someone can help with the following:

In my exchange organization I have configured my SMTP security access for anonymous access, basic and windows authentication. We have a lot of unix servers that need to contact this exchange server and so the configuration was set like this.

The main problem was that someone has sent a message with some XXX JPEG to a distribution list with all Domain contacts. So our CEO didn't like it too much, and he wants to know how it happened.

With anonymous access, anyone can telnet to the server and send an email in someone else's name; even a tool like unabomber or kaboom does that. I checked message tracking and saw that the message has the Display name of the user in the "sent from" field. If the message had been sent from a tool like kaboom or unabomber, or by telnet with anonymous access, the "sent from" field would show the alias and not the Display name. So I can draw the conclusion that the mail was sent from the user's mailbox.

The user from whom the email was sent says that it was not him who sent the email message, and he wants to know if there is any way to prove or detect who did it.

Is there any way to associate a message with the user's IP address or something like that?
Which tools can let me monitor or audit this type of action?
What are the best ways to prevent this?

Best regards.

DaDougInc -> RE: How to detect if someone has really sent a message? (14.Jul.2003 9:47:00 PM)

Easy to see:
1) Look at the sent items / deleted items / recover deleted items on the user's mailbox.
If it's not there, maybe it was never him.

2) Look at the Internet header of the message to see if it came from an outside IP address (View -> Options)
If you see a foreign IP or domain, it was an outside source.

3) If you have message tracking enabled - use that!

4) Router, firewall, smtp protocol, or other log files that keep track of this are helpful!

5) Set the SMTP Virtual Server to Perform Reverse DNS lookup (Delivery Tab -> Advanced)
This will put more info in the Internet Header!

6) ResolveP2 -
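As an added example (not from anyone in this thread), a small Python script that does the step-2 check on the Internet headers: it walks the Received lines from the bottom (the first hop, i.e. the client that actually handed the message to the SMTP virtual server) upwards, pulls that client's IP, flags it as inside or outside the network, and applies luisrato's observation that an anonymous telnet/tool submission usually leaves a bare alias rather than a Display name in the sender field. The internal ranges and both sample messages are assumed/constructed.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed internal address ranges; adjust to the organisation's own networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed client IP as SMTPSVC writes it

# Constructed sample: the bottom-most Received line is the first hop, the client that
# actually submitted the message; here it is an outside host and From is a bare alias.
EXTERNAL_SAMPLE = """\
Received: from mail.example.local ([10.0.0.5]) by hub.example.local with Microsoft SMTPSVC;
    Thu, 10 Jul 2003 15:32:11 +0100
Received: from pc42 (unknown-host.example.org [203.0.113.7]) by mail.example.local with Microsoft SMTPSVC;
    Thu, 10 Jul 2003 15:32:09 +0100
From: jsmith@example.local

body
"""

# Constructed sample of a normal client submission from a desktop inside the network.
INTERNAL_SAMPLE = """\
Received: from pc17.example.local ([10.0.3.17]) by mail.example.local with Microsoft SMTPSVC;
    Thu, 10 Jul 2003 15:40:02 +0100
From: John Smith <jsmith@example.local>

body
"""

def received_hops(raw):
    """Return (helo_name, ip) for each Received line, earliest hop first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):  # bottom line = first hop
        m = re.match(r"\s*from\s+(\S+)", hdr)
        ip = IP_RE.search(hdr)
        hops.append((m.group(1) if m else "?", ip.group(1) if ip else None))
    return hops

def origin(raw):
    """Summarise where the message was submitted from and how the sender was written."""
    helo, ip = (received_hops(raw) or [("?", None)])[0]
    internal = ip is not None and any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS)
    name, addr = parseaddr(message_from_string(raw)["From"])
    return {"helo": helo, "ip": ip, "internal": internal,
            "from_address": addr, "bare_alias": name == ""}
```

An outside first hop or a bare alias in From does not prove who typed the message, but together with the SMTP protocol log and message tracking it narrows the search to a specific client IP and time.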
