How to track which IP an email came from - Exchange 2003

[indiegirl]

Any ideas? I thought it might be possible to look at the full header of the email, although it appears that apart from the standard to/cc/subject fields, I can't view anything else.

All I'm after is a method of tracking down the source IP of an (internal) email...

TIA

[Geoff]

Exchange isn't RFC compliant when generating headers. You can work round this by either:

a) make your clients use IMAP/POP3. That way full headers will be generated.

b) make your clients use webmail and use the web server logs.

[indiegirl]

There's one word for that: b*gger.

[chrisg]

You can use message tracking from System Manager, Tools to track messages sent though exchange,

If it is a message which was BCC'd this will still tell you the sender and who it went to as long as you have enabled logging on your server.

Can you not check logs for where the sender was logged on.

[indiegirl]

I think that's my only alternative. Have enabled message tracking but it appears that it'll only take effect from now, rather than pick up earlier messages (which is what I expected).

Off to do some research.... ;-)

[Geoff]

Message tracking has serious (potentially crippling) performance implications.

[indiegirl]

That was my other worry, I'll see what I can find out from it overnight, then decide whether to leave it in place or not. I suspect not...

[Geoff]

How about using a real mail server?

[Mintsoft]

Any ideas? I thought it might be possible to look at the full header of the email, although it appears that apart from the standard to/cc/subject fields, I can't view anything else.

All I'm after is a method of tracking down the source IP of an (internal) email...

TIA

can you not just open the email, file-> properties -> details ?
so you get like:

Code:

Received: from MSFWKC223 [10.133.41.34] by moorlands.staffs.sch.uk
  (SMTPD32-5.04) id AA0B3020206; Wed, 29 Mar 2006 12:05:47 +0000
Message-ID: <000801c65320$8510afc0$2229850a@MOORLANDSSIXTH.INTERNAL>
Reply-To: "itassist" <itassist@local>
From: "itassist" <itassist@local>
To: <faultdesk@local>
Subject: Printer credits
Date: Wed, 29 Mar 2006 12:04:16 +0100
Organization: Moorlands Sixthform Centre
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0005_01C65328.E6CDEBD0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-RCPT-TO: <faultdesk@local>
X-UIDL: 178
Status: U

or does it not generate those headers at all?

[Geoff]

or does it not generate those headers at all?

Exchange isn't an RFC compliant mail server. It only bothers to generate those headers if you post via IMAP/POP3. ie, if you force the issue.

[StewartKnight]

have you tried Right click on the email -> options -> internet headers?

[Geoff]

That doesn't work for Internal <-> Internal emails that don't leave the message store.

Those headers are only generated by the SMTP/IMAP/POP3 interfaces, as I've tried to explain.

[Mintsoft]

bloody microsoft why don't they just use the standards like NORMAL PEOPLE gaarr!

[Geoff]

Because they'd have to compete on an even playing field then.

Embrace, extend and extinguish

[DMcCoy]

I assume it just uses mapi for that and then internal would bypass any normal routes for sending messages. If you have a high use email server would you really want it to do a smtp send and recieve for every internal message? I would guess some other mail servers do the same.

Not that I like exchange, I use mdaemon at home because it doesn't mangle my messages and leaves them in a sensible format than I can import and export via imap, while keeping unmangled headers. I used to use Turnpike which is why I'm a bit picky about these things :P