Exchange Server Forums

How to detect if someone has really sent a message?

All Forums >> [Microsoft Exchange 2000] >> Server Security >> How to detect if someone has really sent a message? Page: [1]
How to detect if someone has really sent a message? - 10.Jul.2003 4:01:00 PM   
luisrato

 

Posts: 2
Joined: 26.Oct.2002
From: Portugal
Status: offline
Greetings everyone,

I would like to know if someone can help with the following:

In my Exchange organization I have configured my SMTP security access for anonymous access, basic and Windows authentication. We have a lot of Unix servers that need to contact this Exchange server, so the configuration was set like this.

The main problem was that someone sent a message with some XXX JPEG to a distribution list with all domain contacts. Our CEO didn't like it too much, and he wants to know how it happened.

With anonymous access, anyone can telnet to the server and send an email in someone's name; even a tool like unabomber or kaboom does that. I checked message tracking and saw that the message has the display name of the user in the "sent from" field. If the message had been sent from a tool like kaboom or unabomber, or by telnet with anonymous access, the "sent from" field would contain the alias and not the display name. So I conclude that the mail was sent from the user's mailbox.

The user from whom the email was sent says that it was not he who sent the message, and he wants to know if there is any way to prove or detect who did it.

Is there any way to associate a message with the user's IP address or something like that?
Which tools can let me monitor or audit this type of action?
What are the best ways to prevent this?

Best regards.
Post #: 1
RE: How to detect if someone has really sent a message? - 14.Jul.2003 9:47:00 PM   
DaDougInc

 

Posts: 845
Joined: 17.May2002
From: NC
Status: offline
Easy to see:
1) Look at the Sent Items / Deleted Items / Recover Deleted Items on the user's mailbox.
If it's not there, maybe it was never him.

2) Look at the Internet header of the message to see if it came from an outside IP address (View -> Options)
If you see a foreign IP or domain, it was an outside source.

3) If you have message tracking enabled - use that!

4) Router, firewall, SMTP protocol, or other log files that keep track of this are helpful!

5) Set the SMTP Virtual Server to Perform Reverse DNS lookup (Delivery Tab -> Advanced)
This will put more info in the Internet Header!

6) ResolveP2 - http://support.microsoft.com/support/kb/articles/q288/6/35.asp

(in reply to luisrato)
Post #: 2
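
Step 2 of the reply above (reading the Internet header for an outside IP), as an added example that is not part of the original thread: it walks the Received headers of a raw message from the first hop to the last and labels each hop internal or external. The internal ranges, hostnames, addresses and the sample message are constructed assumptions.

```python
import email
import ipaddress
import re

# Assumption: address ranges your organisation treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample message (documentation-range address, made-up hostnames).
SAMPLE = """\
Received: from mail.example.com ([10.1.1.5]) by exch01.example.com with Microsoft SMTPSVC;
\tThu, 10 Jul 2003 15:40:02 +0100
Received: from pc-unknown (host.example.net [203.0.113.45]) by mail.example.com;
\tThu, 10 Jul 2003 15:39:58 +0100
From: "Some User" <some.user@example.com>
To: all-contacts@example.com
Subject: constructed test message

body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Return [(ip, 'internal' | 'external'), ...] ordered from first hop to last."""
    msg = email.message_from_string(raw)
    hops = []
    # Each server prepends its own Received line, so reverse for chronological order.
    for header in reversed(msg.get_all("Received", [])):
        match = IP_IN_BRACKETS.search(str(header))
        if not match:
            continue  # this hop recorded no literal IP address
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # bracketed text was not a valid address, e.g. [999.1.1.1]
        kind = "internal" if any(ip in net for net in INTERNAL_NETS) else "external"
        hops.append((str(ip), kind))
    return hops

def first_hop_is_external(raw):
    """True when the earliest recorded hop came from outside INTERNAL_NETS."""
    hops = received_hops(raw)
    return bool(hops) and hops[0][1] == "external"

if __name__ == "__main__":
    for ip, kind in received_hops(SAMPLE):
        print(ip, kind)
```

Only the Received lines written by servers you control are reliable; anything below them was supplied by the sending side and can be forged, so confirm the first trusted hop against the SMTP protocol log or message tracking.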
