
Trackdown user

Status
Not open for further replies.

igolo

IS-IT--Management
Jan 16, 2002
63
US
I'm trying to track down a user who is logging on as a different user to send anonymous messages.
Scenario:
I have a domain user account that about 15 people know the password to. Someone logged on using this account and sent a message to someone in a different department. Because of the content of the message I'm 100% certain that it's an internal user, not someone spoofing.
Is there a way to track down what computer (IP address) was used to log on as this user?
The incident happened a couple of days ago, so I'm hoping I can still track down the user. I'm using Exchange Server 2003.
 
Unless you're auditing the account, I suspect not. If you are auditing (auditing the account's logon/logoff), it is normally stored in the DC Event Viewer under Security.

 
Thanks, I checked, but the log stops at Dec 19 and it happened on the 18th. But now I know where to go.
 
Was it a Windows Message, or something else like IM or email? You may have an opportunity to look through the server application logs for an address.

You may also want to start backing up the security event logs. If it happened once and they got away with it, it will likely happen again. At least you would be prepared for next time.


pansophic
 
It was sent through our Exchange server.
I'm backing up the logs now.
 
I checked the log files; however, they aren't taking me anywhere. It looks like the person that did this stripped out the headers.
 
Did you check the mail header on the received email? It should have the source IP address in the header, and there shouldn't be any way for the sender to have stripped them.


pansophic
 
When I click on Options, nothing is displayed under Internet options, and when I click on Properties all I get is the message ID.
I'm starting to think the person created a text message and sent it through SQL Server. If the message was sent via an application like SQL Mail, would it still have all the header info?
 
If it is truly an email message, then there will always be mail headers.

Try following these instructions on the original message. The forwarded message will have different headers.


I hate that Outlook tries to hide the headers.

SQL wouldn't know what to do with the message, but it could possibly pass the message to the Exchange server, but then the mail headers would just show the SQL server as the source of the message.


pansophic
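As an added example (not part of this thread, and not pansophic's or igolo's code), the script below walks the Received: headers of a raw message the way the advice above describes: it reads the chain from the newest hop at the top to the oldest at the bottom, trusts only the hops that were stamped by our own mail servers, and reports the IP of the first host that is not one of ours. The sample messages, the host names (exch01.example.local, mailgw.example.local, WS-PAYROLL-07), the addresses and the dates are all constructed for the demonstration; the set of trusted servers is an assumption you would replace with your own Exchange and gateway names. It also covers the case the thread ends on: a message that was handed to Exchange locally (for example by an application) carries no Received: headers at all, and the function then returns None, which tells you to fall back to the DC security log rather than the mail headers.

```python
import re
from email import message_from_string
from typing import Dict, List, Optional

# Hosts whose Received: stamps we trust (assumed names; use your own servers).
TRUSTED_SERVERS = {"exch01.example.local", "mailgw.example.local"}

# Constructed sample: two hops, the outer one added by the Exchange server,
# the inner one by the gateway that accepted the message from a workstation.
SAMPLE_RAW = "\n".join([
    "Received: from mailgw.example.local (mailgw.example.local [10.0.0.5])",
    "\tby exch01.example.local with Microsoft SMTPSVC; Wed, 18 Dec 2002 09:14:02 -0500",
    "Received: from WS-PAYROLL-07 ([10.1.4.23])",
    "\tby mailgw.example.local with SMTP; Wed, 18 Dec 2002 09:13:58 -0500",
    "From: shared.account@example.local",
    "To: someone@example.local",
    "Subject: constructed sample",
    "Message-ID: <sample-1@example.local>",
    "",
    "body text",
    "",
])

# Constructed sample of a message submitted locally: no Received: headers.
SAMPLE_NO_RECEIVED = "\n".join([
    "From: shared.account@example.local",
    "To: someone@example.local",
    "Subject: constructed sample",
    "Message-ID: <sample-2@example.local>",
    "",
    "body text",
    "",
])

# "from <host> (<comment>) ... by <host>" as written by most MTAs.
HOP_RE = re.compile(
    r"\bfrom\s+(?P<from_host>\S+)\s*(?P<comment>\([^)]*\))?.*?\bby\s+(?P<by_host>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw: str) -> List[Dict[str, Optional[str]]]:
    """Return the Received: hops in header order (newest first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        comment = m.group("comment") or ""
        ip_m = IP_RE.search(comment) or IP_RE.search(flat)
        hops.append({
            "from_host": m.group("from_host"),
            "ip": ip_m.group(1) if ip_m else None,
            "by_host": m.group("by_host").rstrip(";,"),
        })
    return hops


def originating_ip(raw: str, trusted: set) -> Optional[str]:
    """IP of the first host outside our trusted servers, or None.

    Hops are read newest to oldest. A hop is only believed if it was stamped
    'by' one of our own servers; anything below an untrusted stamp could have
    been written by the sender and is ignored.
    """
    for hop in parse_received(raw):
        if hop["by_host"].lower() not in trusted:
            break  # stamp not added by us: the rest of the chain is unverified
        if hop["from_host"].lower() not in trusted:
            return hop["ip"]  # first hop that is not one of our own servers
    return None


if __name__ == "__main__":
    for label, raw in (("relayed", SAMPLE_RAW), ("local submission", SAMPLE_NO_RECEIVED)):
        ip = originating_ip(raw, TRUSTED_SERVERS)
        print(f"{label}: {ip if ip else 'no usable Received: chain, check the security event log'}")
```

Run it on the original message, not a forwarded copy, since forwarding replaces the chain with the forwarding user's own hops. When the result is None the message never crossed SMTP on its way in, which is exactly the situation where only the logon audit on the domain controller can tie the shared account to a workstation.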
 