Re: Tracking down anonymous user
- From: intel96 <intel96@xxxxxxxxxxxxx>
- Date: Thu, 28 Dec 2006 09:55:17 -0500
My 2 cents:
Did you check your Microsoft Windows security event logs to see who was
login with that account when the e-mail was sent?
Did the user send the message through Outlook? If so, have you checked
everyones outbox?
Did the user use the web interface for Outlook, if so did you check the
IIS logs for that day?
My advice concerning this issue is NOT to share passwords for a domain
user account!!
mikef@xxxxxxxxxxxx wrote:
I’m trying to track down an internal user who is sending email under a different user account to hide his/her identity.
Scenario:
I have a domain user account that about 15 people know the password to. Someone logged on using this account and sent a message to a manager and because of the content of the message I'm 100% certain that it's an internal user; not someone spoofing. As a matter of fact it’s definitely someone in the IT department.
Is there a way to track down what computer (IP address) was used to send the messages?
The incident occurred a couple of days ago so I'm hoping I can still track down the user. I'm using exchange server 2003.
I’ve check the exchange log files, SMTP files from my SQL servers, and checked the recipient header (there was no header info), but I’m not getting anywhere. If I can’t get them this time what can I do to catch them the next time.
- References:
- Tracking down anonymous user
- From: mikef
- Tracking down anonymous user
- Prev by Date: Re: Password Quality checker
- Next by Date: Re: Password Quality checker
- Previous by thread: RE: Tracking down anonymous user
- Next by thread: RE: Tracking down anonymous user
- Index(es):
Relevant Pages
|
