RE: Tracking down anonymous user

["Murda Mcloud" <murdamcloud () bigpond com>]

Whoa! 15 people know the password? Change the password and setup a unique
account for each person that needs that access.

No header info in the email? When you say that, what exactly do you mean?
If you right click the message in the inbox and go to Options you'll see the
Internet Headers.
This may give you some interesting info(or maybe it has been tampered with).
Sometimes you can even get the PC name from this.

Which account was used to send the email? You're using Exchange-where do the
email files get stored?


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of mikef () everfast com
Sent: Wednesday, December 27, 2006 7:07 AM
To: security-basics () securityfocus com
Subject: Tracking down anonymous user

I'm trying to track down an internal user who is sending email under a
different user account to hide his/her identity. 
Scenario:
I have a domain user account that about 15 people know the password to.
Someone logged on using this account and sent a message to a manager and
because of the content of the message I'm 100% certain that it's an internal
user; not someone spoofing. As a matter of fact it's definitely someone in
the IT department.
Is there a way to track down what computer (IP address) was used to send the
messages? 
The incident occurred a couple of days ago so I'm hoping I can still track
down the user. I'm using exchange server 2003.

I've check the exchange log files, SMTP files from my SQL servers, and
checked the recipient header (there was no header info), but I'm not getting
anywhere. If I can't get them this time what can I do to catch them the next
time.