Is it possible to trace a sent outbound email back to the origin?


Solution 1

Without a copy of the e-mail with the original headers, this will be nearly impossible to trace. If you had the headers, you could see the "Received" headers and follow the path back to the origin pretty quickly. Without the usual information, your best bet is to look at the Exchange Server logs for the approximate time in question to see who was sending mail. If you have some sort of message audit logging then you could look there to see if any "spammy" messages came from a particular user.
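Added example, not part of the answer above: if a copy with full headers does turn up, this is how the "follow the Received headers back" step looks in code. It is stand-alone Python against a constructed message (the hostnames, IPs and the trusted-server set below are assumptions for illustration); each MTA prepends its own Received header, so the origin is the bottom-most hop. The caveat a practitioner should keep in mind is also implemented: only hops added by servers you control can be trusted, because anything below them was supplied by whoever submitted the message and can be forged.

```python
import email
import re

# Constructed sample (not from the original post): a message that left an
# internal Exchange server through a perimeter relay and landed on the
# recipient's MX. Hostnames and addresses are illustrative.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [203.0.113.10])
    by mx.recipient.test (Postfix) with ESMTP id 1A2B3C
    for <someone@recipient.test>; Tue, 14 Apr 2009 09:15:22 +0000
Received: from exch01.corp.example (exch01.corp.example [10.0.0.25])
    by relay.example.net with ESMTP; Tue, 14 Apr 2009 09:15:20 +0000
Received: from WKSTN-117 ([10.0.5.117]) by exch01.corp.example
    with Microsoft SMTPSVC(6.0.3790.3959); Tue, 14 Apr 2009 09:15:19 +0000
From: bob@corp.example
To: someone@recipient.test
Subject: test

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_received(value):
    """Pull the 'from' host, its bracketed IP, the 'by' host and the
    timestamp out of one Received header (folded whitespace normalised)."""
    flat = " ".join(value.split())
    head, sep, date = flat.rpartition(";")
    if not sep:                      # no ';' clause: whole header is the head
        head, date = flat, ""
    m_by = BY_RE.search(head)
    from_clause = head[: m_by.start()] if m_by else head
    m_from = FROM_RE.match(from_clause)
    m_ip = IP_RE.search(from_clause)
    return {
        "from": m_from.group(1) if m_from else "",
        "ip": m_ip.group(1) if m_ip else "",
        "by": m_by.group(1) if m_by else "",
        "date": date.strip(),
    }


def trace_hops(raw_message):
    """Return the hops in delivery order: index 0 is the originating host."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    # Headers are newest-first in the message, so reverse them.
    return [parse_received(v) for v in reversed(received)]


def last_trusted_hop(hops, trusted_by_hosts):
    """Walk newest-first through hops whose 'by' host is one you control and
    return the oldest such hop: its 'from' is the furthest origin you can
    vouch for. Everything below it was written by the submitter."""
    trusted = {h.lower() for h in trusted_by_hosts}
    origin, seen_trusted = None, False
    for hop in reversed(hops):                     # newest first
        if hop["by"].lower() in trusted:
            origin, seen_trusted = hop, True
        elif seen_trusted:
            break                                  # chain of control ends here
    return origin


if __name__ == "__main__":
    hops = trace_hops(SAMPLE_MESSAGE)
    for i, hop in enumerate(hops):
        print(f"hop {i}: from {hop['from']} [{hop['ip']}] by {hop['by']} at {hop['date']}")
    # As the sending organisation (we run exch01 and the relay):
    ours = last_trusted_hop(hops, {"exch01.corp.example", "relay.example.net"})
    print("origin we can vouch for:", ours["from"], ours["ip"])
    # As the recipient, who only controls its own MX:
    theirs = last_trusted_hop(hops, {"mx.recipient.test"})
    print("origin the recipient can vouch for:", theirs["from"], theirs["ip"])
```

Run as the sending organisation the walk reaches WKSTN-117 at 10.0.5.117, the workstation that handed the message to Exchange; run as the recipient it stops at the perimeter relay, which is all the recipient's own server actually saw.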

Solution 2

How do you even know this message came through your Exchange server? If there was malware installed on a workstation and you don't block outbound SMTP, then the malware could be making SMTP connections directly and not touching your Exchange server. You could also have a misconfigured proxy or something else that is being used as a relay.

In my opinion outgoing SMTP should be blocked at the perimeter from everything except your mail servers. If you aren't already blocking SMTP and you don't have any logging set up, then you really can't prove anything. Any computer in the network could have made an SMTP connection to the server.

If you are really worried about this happening again, then you could also set up logging on your perimeter device to log at least the first packet of any port 25 communication.

Email is so easy to forge. It is also entirely possible that you got blocked as spam and the message didn't originate from your network at all. Perhaps some naive system admin assumed that some of the SMTP headers were valid when in fact they were forged.
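Added example, not part of the answer above: what the "log the first packet of any port 25 communication" advice buys you once it is in place. The block below is stand-alone Python that runs the check over constructed, abbreviated iptables-style log lines (the interface names, addresses and the 10.0.0.25 mail-server address are assumptions); the iptables rules in the comment are one way to produce such lines and are likewise illustrative. Only SYN packets count, so each connection attempt shows up once however much traffic followed, and any source other than the mail server is a host speaking SMTP on its own.

```python
import re
from collections import Counter

# Constructed, abbreviated iptables-style log lines (not from the original
# post). Rules of roughly this shape would produce them: log the first packet
# of every new outbound TCP/25 connection, then drop everything that is not
# the mail server (10.0.0.25 is an assumed address):
#   iptables -A FORWARD -o eth0 -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP-OUT: "
#   iptables -A FORWARD -o eth0 -p tcp --dport 25 ! -s 10.0.0.25 -j DROP
FIREWALL_LOG = """\
Apr 14 09:14:58 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=198.51.100.7 PROTO=TCP SPT=41022 DPT=25 SYN
Apr 14 09:15:19 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.5.117 DST=203.0.113.50 PROTO=TCP SPT=49213 DPT=25 SYN
Apr 14 09:15:19 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.5.117 DST=203.0.113.50 PROTO=TCP SPT=49213 DPT=25 ACK
Apr 14 09:15:23 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=10.0.5.117 DST=192.0.2.80 PROTO=TCP SPT=49214 DPT=25 SYN
Apr 14 09:16:02 fw kernel: WEB-OUT: IN=eth1 OUT=eth0 SRC=10.0.7.40 DST=192.0.2.10 PROTO=TCP SPT=52001 DPT=443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dport>\d+)"
    r"(?P<rest>.*)$"
)


def new_connections(lines, dport=25):
    """Yield (timestamp, src, dst) for every TCP SYN to dport: one entry per
    connection attempt, ignoring the packets that followed the handshake."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != dport:
            continue
        if not re.search(r"\bSYN\b", m["rest"]):
            continue
        yield m["ts"], m["src"], m["dst"]


def unauthorised_smtp(lines, allowed_sources):
    """Connection attempts to port 25 from anything other than the mail servers."""
    return [c for c in new_connections(lines) if c[1] not in allowed_sources]


def sources_by_count(hits):
    """How many outbound SMTP attempts each offending host made."""
    return Counter(src for _, src, _ in hits)


if __name__ == "__main__":
    hits = unauthorised_smtp(FIREWALL_LOG.splitlines(), {"10.0.0.25"})
    for ts, src, dst in hits:
        print(f"{ts}  {src} -> {dst}:25  (not a mail server)")
    print("per host:", dict(sources_by_count(hits)))
```

On the constructed input the two hits both come from 10.0.5.117: the ACK on the same connection is not counted again, and the Exchange server's own connection is allowed. In the scenario from the question, a list like this is what would tell you whether the message ever went through Exchange at all.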

Solution 3

Since you know about when it was sent you might be able to find some information in the Message Tracking Log. It would also be helpful to know what domain it was sent to.

You can find the location of the log in your Exchange server settings.

For Exchange 2007, look under Server Configuration and get Properties on your Exchange server. Then check the Log Settings tab and see if your Message Tracking Log is enabled. If so this will tell you where it is stored.

For Exchange 2003, you also get Properties on your Exchange server, but this time it should be under the General tab.

Once you find the logs, you should be able to open the log for the time you suspect and see what the activity on your server was at the time.
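Added example, not part of the answer above: once the Message Tracking Log files are located, this is the kind of query to run over them. The block is stand-alone Python over a constructed log in the Exchange 2007 layout (the column list comes from that version's `#Fields:` header, which the parser reads from the file rather than assuming; the server names, addresses, subject and the "known mail hosts" set are illustrative assumptions). It narrows the log to the approximate time window and the recipient domain, as the answer suggests, and separately flags RECEIVE events that arrived over SMTP from an address that is not a mail server, which is the signature of a workstation handing mail to Exchange directly.

```python
import csv
from datetime import datetime

# Column order from the Exchange 2007 message tracking log "#Fields:" header.
# Real files carry that header, and parse_tracking_log() prefers it over
# this list, so check it against your own logs.
FIELDS = (
    "date-time,client-ip,client-hostname,server-ip,server-hostname,"
    "source-context,connector-id,source,event-id,internal-message-id,"
    "message-id,recipient-address,recipient-status,total-bytes,"
    "recipient-count,related-recipient-address,reference,message-subject,"
    "sender-address,return-path,message-info"
).split(",")


def make_line(values):
    """Build one CSV record in FIELDS order; used only for the constructed sample."""
    return ",".join(values.get(f, "") for f in FIELDS)


# Constructed sample log (not from the original post). Three records: a normal
# Outlook submission, a message a workstation pushed to Exchange over SMTP,
# and that same message leaving through the send connector.
TRACKING_LOG = "\n".join([
    "#Software: Microsoft Exchange Server",
    "#Version: 8.0.0.0",
    "#Log-type: Message Tracking Log",
    "#Date: 2009-04-14T00:00:05.000Z",
    "#Fields: " + ",".join(FIELDS),
    make_line({"date-time": "2009-04-14T09:10:02.113Z", "server-ip": "10.0.0.25",
               "server-hostname": "EXCH01", "source": "STOREDRIVER", "event-id": "RECEIVE",
               "internal-message-id": "1000", "message-id": "<q1@exch01.corp.example>",
               "recipient-address": "carol@corp.example", "recipient-count": "1",
               "message-subject": "Quarterly numbers", "sender-address": "alice@corp.example",
               "return-path": "alice@corp.example"}),
    make_line({"date-time": "2009-04-14T09:15:19.031Z", "client-ip": "10.0.5.117",
               "client-hostname": "WKSTN-117", "server-ip": "10.0.0.25", "server-hostname": "EXCH01",
               "connector-id": "EXCH01\\Default EXCH01", "source": "SMTP", "event-id": "RECEIVE",
               "internal-message-id": "1001", "message-id": "<abc123@WKSTN-117>",
               "recipient-address": "someone@recipient.test;other@recipient.test",
               "recipient-count": "2", "message-subject": "Cheap meds",
               "sender-address": "bob@corp.example", "return-path": "bob@corp.example"}),
    make_line({"date-time": "2009-04-14T09:15:20.500Z", "server-ip": "203.0.113.10",
               "server-hostname": "relay.example.net", "connector-id": "Internet",
               "source": "SMTP", "event-id": "SEND", "internal-message-id": "1001",
               "message-id": "<abc123@WKSTN-117>",
               "recipient-address": "someone@recipient.test;other@recipient.test",
               "recipient-status": "250 2.6.0 Queued", "recipient-count": "2",
               "message-subject": "Cheap meds", "sender-address": "bob@corp.example",
               "return-path": "bob@corp.example"}),
])


def parse_tracking_log(lines):
    """Parse tracking-log lines into dicts, taking column names from the
    '#Fields:' header when present. Adds a parsed timestamp and a recipient
    list (the recipient-address column holds several addresses joined by ';')."""
    fields, data = FIELDS, []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].strip().split(",")
            continue
        data.append(line)
    rows = []
    for rec in csv.DictReader(data, fieldnames=fields):
        rec["timestamp"] = datetime.strptime(rec["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        rec["recipients"] = [r for r in rec["recipient-address"].split(";") if r]
        rows.append(rec)
    return rows


def find_messages(rows, start_iso, end_iso, recipient_domain=None):
    """Records inside [start, end] (ISO 8601 strings) with any recipient in
    recipient_domain; the approximate time plus destination domain the answer
    asks for."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    suffix = "@" + recipient_domain.lower() if recipient_domain else None
    return [
        rec for rec in rows
        if start <= rec["timestamp"] <= end
        and (suffix is None or any(r.lower().endswith(suffix) for r in rec["recipients"]))
    ]


def direct_smtp_submissions(rows, known_mail_hosts):
    """RECEIVE events that came in over SMTP from an address that is not one of
    the mail servers or relays: a host talking SMTP to Exchange itself."""
    return [
        rec for rec in rows
        if rec["event-id"] == "RECEIVE" and rec["source"] == "SMTP"
        and rec["client-ip"] and rec["client-ip"] not in known_mail_hosts
    ]


if __name__ == "__main__":
    rows = parse_tracking_log(TRACKING_LOG.splitlines())
    for rec in find_messages(rows, "2009-04-14T09:00:00", "2009-04-14T09:30:00", "recipient.test"):
        print(rec["date-time"], rec["event-id"], rec["source"], rec["client-ip"] or "-",
              rec["sender-address"], repr(rec["message-subject"]))
    for rec in direct_smtp_submissions(rows, {"10.0.0.25", "203.0.113.10"}):
        print("direct SMTP submission from", rec["client-ip"], rec["client-hostname"],
              "as", rec["sender-address"])
```

To run it against a real file, pass `open(path, encoding="utf-8")` instead of the sample lines. On Exchange 2007 the Exchange Management Shell cmdlet `Get-MessageTrackingLog` (with `-Start`, `-End` and `-Recipients`) answers the first question without a parser; Exchange 2003 tracking logs use a different column layout, so adjust the delimiter and field list to match the header of your files. The second function is the one to watch: a RECEIVE with `source` SMTP from a workstation address means the message never went through Outlook, which fits the malware-on-a-workstation case raised in the other answer.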

Solution 4

You could write a script to check the Sent Items folder of each mailbox in Exchange...

You could use CDOEX, which is a COM interface to Exchange.

CDOEX is used in applications that use messaging to send and process e-mail, calendar, and contact information, as well as allowing programmatic access to mailbox and public folders. Note that CDOEX can only be run from a computer on which Exchange has been installed.

Using a VB script a system administrator could check all those folders.

But the programmer in you might prefer C#, therefore you could use the OLE DB interface to Exchange, ExOLEDB. Microsoft even has an example which uses ADO.

Applications that use ExOLEDB typically access information from the Exchange store by using SQL queries. ExOLEDB can be used to retrieve and manipulate all types of data in the Exchange store that the user has permission to access. ExOLEDB also provides full-text search capability over items in the Exchange store.

So enough options I guess.

Author: Gavin Miller

Updated on September 17, 2022

Comments

  • Gavin Miller
    Gavin Miller almost 2 years

    So here's the situation. An email was sent from a computer within our organization yesterday and we were subsequently marked as spam because of it. We don't know who sent it. We don't know when it was sent (but have an approximate time) and therefore don't have a copy of the e-mail. And we don't know how to track it back.

    I'm a programmer and so IT is not my domain, but the programmer in me screams that there's got to be a way to trace this back to the origin. We're running on MS Exchange.

    Is it possible to trace this e-mail back to the sender? And how can we do it?!

    • Eddie
      Eddie about 15 years
      This is probably one reason that many companies archive every single Email sent and received. Other than this, searching the "Sent" folder of employee mailboxes is probably your best choice, as someone suggested.
  • Gavin Miller
    Gavin Miller about 15 years
    I actually disagree - our employee policy is such that the company "owns" anything on the computers and/or server.
  • Justin Scott
    Justin Scott about 15 years
    Unfortunately they don't have a copy of the original message.
  • Misha Narinsky
    Misha Narinsky about 15 years
@Justin: you're right... skimmed through the question. That's a tough one.
  • squillman
    squillman about 15 years
    That goes south in a hurry if someone doesn't have Save a Copy of My Sent Items selected or if they purge their sent items.
  • Davy Landman
    Davy Landman about 15 years
    @LFSR & @vartex I removed the ethical question. It does however depend on the country/company.
  • Davy Landman
    Davy Landman about 15 years
    @squillman: Correct, but if the server didn't store the messages itself, that would be the only place they might be stored. But it wouldn't be a complete solution.
  • Gavin Miller
    Gavin Miller about 15 years
    We've gone pretty south as is...
  • Gavin Miller
    Gavin Miller about 15 years
You hit the nail on the head there Zoredache. We don't know whether it originated out of Exchange. However it looks like it may have, but then we can't be 100% sure even if we did find a piece of mail that that piece was the culprit. The only server that is allowed out on SMTP is the Exchange server; everything else is, as you say, blocked. It's a bloody needle in a haystack!
  • Gavin Miller
    Gavin Miller about 15 years
    I've been scanning the logs. And there's a couple of suspect items that we're tracking down. I have a leg up on the IT guys because I know how to write a regex! :P