We have an email that was sent to one of our users from another one of our users.
It was sent using Outlook 2010 and Exchange 2010. We're running a Windows 2008 R2 network.
Is there any way to see what the name or IP address of the cumpter it was sent from was? If I look in the message header it just shows up as being from our Exchange server. If I look at the message tracking logs in Exchange, it shows the same.
Or alternatively, can I see what computer the sender was logged onto at the time the email was sent?
Well depending how you set your logins up. Can't you view successful logins security log, at time/user etc?
And shouldn't your header (if viewing full version) show the IP of the computer too?
Out of curosity, does it matter what pc it was sent from, if you know their name/time etc? :P
Thanks for the reply Steve.
When viewing the header in Outlook, it just shows the IP address of the Exchange server, not the client computer the email was sent from. Similarly, when viewing the logs on the Exchange server at that time, it just shows the name of the Exchange server as having logged in.
The reason we want to know is becuase we suspect one of users has been logging on as someone else and sending emails on their behalf! If we can figure out what computer it was sent from, it will help us confirm this. It's a bit of detective work.
You can check your receive SMTP logs and they should show. Assuming you have not changed the default location.
C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpRec eive
Thanks Sukh, I don't have the ProtocolLog, but I do have C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking. In there I can see that it was someone using OWA that sent the email, which is a good start.
I guess it's a case of looking at the logs in IIS next to see the IP address of who logged in?
Yes, sorry, I should have mentioned that. Loo at the IIS logs, depending on what you have set for logging, it will show you the IP (If this is set to log).
The protocol log, (on top of my head) is switched off by default or set to normal. Set to verbose and IP will be logged.
That's great, I have turned on the verbose logging now.
Many thanks for your help.