Re: Track down external email
- From: "Bharat Suneja [MVP]" <bharatsuneja@xxxxxxxxxxx>
- Date: Fri, 29 Sep 2006 11:13:41 -0700
If it's smtp mail, it should show you originating ip address in message
headers. In Outlook, right click message | select "Options".
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------
"pwverber" <pwverber@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F762D6B9-49AF-4D9F-A205-47B0401A36F3@xxxxxxxxxxxxxxxx
Thanks again.
The header only shows who the email was from and who it went to. Is there
any other way with exchange or another third party software that will help me
track down who sent the email?
"Bharat Suneja [MVP]" wrote:
Headers will give you some information. You will need access to the
mailbox - you can request the person to let you copy the header if
possible.
(For a one-time operation like getting message details for a single message
it's not really worthwhile to make permissions changes to get access to a
mailbox, imo).
Alternatively, perhaps the recipient can send you the message as an
attachment (by dragging and dropping that particular message in a new
message - *not* by forwarding the message). This will let you access the
message with its headers intact.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------
"pwverber" <pwverber@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:31D9EE34-B091-4140-A5DA-C04739EA9A2D@xxxxxxxxxxxxxxxx
Thank you very much, your information has been very helpful.
How do I check the header of the email? Can you think of any other way to
possibly track this person down who sent the email without the logging?
Thanks,
Phil
"Bharat Suneja [MVP]" wrote:
correction - the option for using local dates/times is for log file names
and rolling over logs. the timestamps in logs still use UTC.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------
"Bharat Suneja [MVP]" <bharatsuneja@xxxxxxxxxxx> wrote in message
news:OQFSjzb4GHA.3600@xxxxxxxxxxxxxxxxxxxxxxx
- Turn on SMTP logging from SMTP virtual server properties.
- I use W3C Extended Log File format.
- By default logs are saved in %systemroot%\System32\LogFiles\SMTPSvc<1>\
(where <1> is the smtp virtual server instance number).
- The W3C format lets you choose fields that you want to log by going to
Properties | Advanced.
- The default selection of fields logs minimum amount of data - including
date, time, cs-method (SMTP commands like HELO, DATA, etc.) and sc-status
(SMTP response codes like 220, 250, 500, etc.).
Here are the fields I would select:
- Date
- Time
- c-ip (Client IP Address)
- cs-username (User Name) - the fqdn provided by sending server on HELO
- s-sitename - SMTP virtual server instance name (e.g. SMTPSVC2)
- s-computername - (Server Name) - name of server, useful if aggregating
logs from multiple servers into a monitoring/logging database
- s-ip - Server IP Address - useful if server has multiple IP addresses
- s-port (Server Port) - always logs as 0 afaik, even if SMTP vs is
running on a port other than 25
- cs-method (Method) - SMTP command e.g. HELO, MAIL, RCPT, DATA, QUIT
- cs-uri-query (URI Query) - command parameter (like +from:foo@xxxxxxx -
gets the from, to addresses, sending server fqdn given at HELO, and
Message ID. Nothing between DATA and End of Data sequence is logged)
- sc-status (Protocol Status) - SMTP protocol response like 220, 250, 500,
et al
- sc-win32-status (Win32 Status): a numerical value
- sc-bytes (Bytes Sent): ***if you really need this info - handy at times
for troubleshooting***
- cs-bytes (Bytes Received): ***if you really need this info - handy at
times for troubleshooting***
- time-taken (Time Taken): ***if you really need this - numerical value***
- cs-version (Protocol Version): SMTP
Depending on volume of traffic, it's a good idea to roll over the log
daily - in low-volume environments this can also be done weekly or even
monthly, or when a log file reaches a certain size, (or never - unlimited
size - not recommended).
There's an option to use local time for logs, but it doesn't work for
smtpsvc, afaik.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------
"pwverber" <pwverber@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DD0199AC-5314-4536-AE07-636F4785BEF6@xxxxxxxxxxxxxxxx
Not sure exactly how to check header of email, do I need to add the CEO's
mailbox to my outlook to be able to do this?
Also I do not have logging on for my SMTP virtual server. What are best
settings for logging from here on out?
Thanks,
Phil
"Bharat Suneja [MVP]" wrote:
IE history most likely won't reveal this.
Check the message header and the SMTP log to figure out which IP address
the message originated from and whether it did in fact originate from
Yahoo.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------
"pwverber" <pwverber@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7964BA7C-F026-45BF-9B5D-8268933A4E36@xxxxxxxxxxxxxxxx
I am trying to track down an email sent from a yahoo account to the CEO. I
have the yahoo email address but am not sure how or if I can track it down.
It may have been sent from one of our internal computers as it was sent at
10:00am on Monday. I am searching IE history, we have Firefox as well and I
do not know where it stores its history though. Thanks in advance.
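
Added example, not part of the original thread: a short Python sketch of how a W3C Extended SMTP log with the fields listed above can be searched for the client IP and HELO name behind a given sender address. The log lines, host names and addresses are constructed, and sessions are correlated by c-ip alone (an assumption, since none of the listed fields is a session ID).

```python
from datetime import datetime, timezone

# Constructed sample log; every host name and address below is made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-query sc-status
2006-09-25 16:58:02 203.0.113.25 mta.webmail.example SMTPSVC1 EXCH01 192.0.2.10 0 HELO +mta.webmail.example 250
2006-09-25 16:58:03 203.0.113.25 mta.webmail.example SMTPSVC1 EXCH01 192.0.2.10 0 MAIL +FROM:<someone@webmail.example> 250
2006-09-25 16:58:03 203.0.113.25 mta.webmail.example SMTPSVC1 EXCH01 192.0.2.10 0 RCPT +TO:<ceo@corp.example> 250
2006-09-25 16:58:04 203.0.113.25 mta.webmail.example SMTPSVC1 EXCH01 192.0.2.10 0 QUIT mta.webmail.example 240
2006-09-25 17:00:41 192.0.2.77 ws-0417 SMTPSVC1 EXCH01 192.0.2.10 0 HELO +ws-0417 250
2006-09-25 17:00:42 192.0.2.77 ws-0417 SMTPSVC1 EXCH01 192.0.2.10 0 MAIL +FROM:<someone@webmail.example> 250
2006-09-25 17:00:42 192.0.2.77 ws-0417 SMTPSVC1 EXCH01 192.0.2.10 0 RCPT +TO:<ceo@corp.example> 250
"""

def find_sender(log_text, sender):
    """List every RCPT that follows a MAIL FROM naming `sender`."""
    fields, active, hits = [], {}, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order follows the admin's selection
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        ip = row.get("c-ip", "-")
        method = row.get("cs-method", "").upper()
        arg = row.get("cs-uri-query", "").lstrip("+")  # leading '+' is an encoded space
        if method == "MAIL":
            # Remember whether this client's current transaction uses the sender.
            active[ip] = sender.lower() in arg.lower()
        elif method == "RCPT" and active.get(ip):
            stamp = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            hits.append({
                "utc": stamp.replace(tzinfo=timezone.utc),  # log timestamps are UTC
                "c-ip": ip,
                "helo": row.get("cs-username", "-"),
                "rcpt": arg.split(":", 1)[-1].strip("<>"),
            })
        elif method in ("QUIT", "RSET"):
            active.pop(ip, None)
    return hits

if __name__ == "__main__":
    for hit in find_sender(SAMPLE_LOG, "someone@webmail.example"):
        print(hit["utc"].isoformat(), hit["c-ip"], hit["helo"], hit["rcpt"])
```

Because the log timestamps are UTC, convert the reported local send time to UTC before comparing it with the hits.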