Re: Re: Tracking down anonymous user

This is correct. Internal emails do often show no headers, for example when SMTP is not used to transmit email between two servers. Are these two users on the same email server, and do users typically use protocols other than SMTP, such as POP3 or IMAP, to send outbound emails from the mail client to the server? If so, then there won't be any SMTP headers.

How exactly do you know this account was used to send this email? I hope you're not relying on the "FROM:" field, as this can easily be forged. Someone on your internal network can use Telnet or drop a text file onto your Exchange server to send an email with a spoofed From: field.

It is possible to enable more detailed "Diagnostic Logging" to track email sent and received via protocols other than SMTP, but I'm not sure this is enabled by default. Your Exchange server documentation should have more details on the log file location and default logging levels for whatever protocols were used to transmit this email from the client and between mail servers if any. I had trouble googling Microsoft for a description of "Diagnostic Logging" for all Exchange 2003 protocols, but here's how to change the level for POP3 connections:

http://support.microsoft.com/kb/885685

Presumably either you haven't discovered where on the server these log files are kept, or the server wasn't logging that data at the time this email was sent, and the logged information would not be retrievable that way. You'd then have to hope a log file on another system captured the incident, such as a workstation, domain controller, IDS, etc.

kind regards,

Karl Levinson
http://securityadmin.info
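As an added example (not part of the thread above, and not Karl's code), here is a small Python script that does the header analysis the reply describes: it ignores the forgeable From: field and walks the Received: chain back to the hop where the message entered the mail system, and it returns nothing for a message that never crossed an SMTP hop, which is the "no headers" case the reply mentions. Both messages in the script are constructed samples; the hostnames, addresses and queue IDs are made up for illustration.

```python
"""Walk the Received: chain of a raw message to find where it actually
entered the mail system, instead of trusting the From: header."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread). From: claims the CEO, but the
# oldest Received: line shows the message was injected into the internal
# mail server straight from a LAN workstation.
SPOOFED_MSG = (
    "Received: from mail.example.local (mail.example.local [10.0.0.5])\n"
    "\tby mx.example.local with ESMTP id abc123\n"
    "\tfor <victim@example.local>; Mon, 1 Jan 2007 10:00:00 -0500\n"
    "Received: from ws-42.example.local (ws-42.example.local [10.0.1.42])\n"
    "\tby mail.example.local with SMTP id def456;\n"
    "\tMon, 1 Jan 2007 09:59:58 -0500\n"
    'From: "The CEO" <ceo@example.local>\n'
    "To: victim@example.local\n"
    "Subject: Wire transfer\n"
    "\n"
    "Please wire the money today.\n"
)

# Constructed sample of mail that never crossed an SMTP hop (submission and
# delivery on the same server): no Received: headers at all.
INTERNAL_MSG = (
    'From: "Some User" <user@example.local>\n'
    "To: victim@example.local\n"
    "Subject: hello\n"
    "\n"
    "internal only\n"
)

_HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name the client presented (HELO/EHLO)
    r"(?:\s*\((?P<paren>[^)]*)\))?"     # optional (rdns [ip]) noted by the receiver
    r"\s+by\s+(?P<by>\S+)",            # the server that wrote this line
    re.IGNORECASE,
)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return the hops in transit order: index 0 is the oldest Received:
    line (where the message entered), the last entry the final server."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own line, so the header list is newest-first.
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", value)  # unfold continuation lines
        m = _HOP_RE.search(text)
        if not m:
            continue  # malformed or non-standard line; keep going
        ip = _IP_RE.search(m.group("paren") or "")
        hops.append({
            "from": m.group("helo"),
            "ip": ip.group(1) if ip else None,  # peer address seen by the receiver
            "by": m.group("by"),
        })
    return hops


def origin_hop(raw):
    """The oldest hop, i.e. the best header evidence of where the message
    came from. None when the message carries no Received: headers, as with
    purely internal delivery; then only server-side logs can help."""
    hops = received_hops(raw)
    return hops[0] if hops else None


def claimed_sender(raw):
    """What the message *says* about its sender: trivially forgeable."""
    return parseaddr(message_from_string(raw)["From"])[1]


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("internal", INTERNAL_MSG)):
        print(label, "claims", claimed_sender(raw), "origin", origin_hop(raw))
```

Only the "from"/"[ip]" part recorded by your own servers is trustworthy; the HELO name and any Received: lines the sender added itself before handing the message over can be forged just like From:. For the spoofed sample the oldest hop points at the workstation 10.0.1.42, which is where the workstation or DHCP/domain-controller logs Karl mentions would come into play; for the internal sample the script returns nothing, and you are back to the server's own protocol logging.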