RE: Tracking down anonymous user

["Mike Erne" <MikeE () NetSurant com>]

Open the e-mail and under the view menu, select options.  It will show
you where and how it got to the manager.

Thanks,
 
Mike Erne
SOC Analyst 1
INX, Inc.
Phone: 541-349-2769
 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of mikef () everfast com
Sent: Tuesday, December 26, 2006 1:07 PM
To: security-basics () securityfocus com
Subject: Tracking down anonymous user

I'm trying to track down an internal user who is sending email under a
different user account to hide his/her identity. 
Scenario:
I have a domain user account that about 15 people know the password to.
Someone logged on using this account and sent a message to a manager and
because of the content of the message I'm 100% certain that it's an
internal user; not someone spoofing. As a matter of fact it's definitely
someone in the IT department.
Is there a way to track down what computer (IP address) was used to send
the messages? 
The incident occurred a couple of days ago so I'm hoping I can still
track down the user. I'm using exchange server 2003.

I've check the exchange log files, SMTP files from my SQL servers, and
checked the recipient header (there was no header info), but I'm not
getting anywhere. If I can't get them this time what can I do to catch
them the next time.