Tracing Outlook/OWA senders

Massimo · Joined: 05 Aug 2007 Posts: 48

When Exchange (2003) delivers a SMTP message that has been created by a
Outlook or OWA user, the first IP address reported in the message headers is
the Exchange server's own one.

Is there any way to make it write the original client's IP address in the
message headers? If not, can this information be recovered somewhere (server
logs, IIS logs, etc.)?

I'm trying to trace a certain message back to its original sender, but the
only information I can find in the headers is the Exchange server's IP
address; of course I have the sender's address, and he must surely have been
using Outlook or OWA, so he needed to be authenticated by the domain... but
I need to trace it back to the actual computer where the message was
created; or at least make it possible to do this kind of tracing in the
future.

Can someone please help?

Massimo

Archived from group: microsoft>public>exchange>admin

Jamestechman · Joined: 05 Aug 2007 Posts: 200

If message was sent via mapi, you will not be able to track client IP.
For OWA you can check the client IP in the IIS log files.

James Chong (MVP)
MCITP | EMA; MCSE | M+, S+, Security+
msexchangetips.blogspot.com

On Feb 27, 2:01 pm, "Massimo" wrote:
> When Exchange (2003) delivers a SMTP message that has been created by a
> Outlook or OWA user, the first IP address reported in the message headers is
> the Exchange server's own one.
>
> Is there any way to make it write the original client's IP address in the
> message headers? If not, can this information be recovered somewhere (server
> logs, IIS logs, etc.)?
>
> I'm trying to trace a certain message back to its original sender, but the
> only information I can find in the headers is the Exchange server's IP
> address; of course I have the sender's address, and he must surely have been
> using Outlook or OWA, so he needed to be authenticated by the domain... but
> I need to trace it back to the actual computer where the message was
> created; or at least make it possible to do this kind of tracing in the
> future.
>
> Can someone please help?
>
> Massimo

Massimo · Joined: 05 Aug 2007 Posts: 48

"Jamestechman" ha scritto nel messaggio @v3g2000hsc.googlegroups.com...

>If message was sent via mapi, you will not be able to track client IP.

I was fearing that.
Doesn't Exchange log this kind of activity anywhere?

>For OWA you can check the client IP in the IIS log files.

Yes, but I can only find raw HTTP requests there; and the server is usually
quite busy. How can I find which ones made up the user session which
actually created that message?

Massimo

Tracing lost emails after activiating IMF Hello, for the past three months we've been running IMF on a single Exchange 2003 server relying solely on IMF to detect spam. It's been working ok to date (we scan for viruses before email gets to exchange). We've now become aware of a number of genuine

Message for senders Hello, I need to bring down the exchange server for maintenance and would like to know if there is a way of leaving a message for people who are trying to send an email to our internal users. Stating something like the server will be down please try again

NDR 5.2.3 not always sent out to External Senders Hi! I have a Exchange 2007 server with all roles except Edge. I have set message size limits on transport and connectors at 25 MB and no limits on mailboxes. If I send mail exceeding the limits inside the organization, NDR's are generated. If external sen

Blocking unknown senders How do I configure Exchange Server 2003 so that it doesn't allow just anyone on the Internet to send mail using it as an SMTP server? I only want to allow users in my domain to send mail using it. Thanks.

Limiting receipients, and senders for accounts Hello, I have several accounts that are used for a business process, and I would like to limited who is allowed to send e-mail to those mailboxes, and who those mailboxes can send e-mail to. Is that possible with Exchange 2007? Thanks.