Find source of email
Hi
We're running Exchange 2007 SP2, Outlook 2007 SP2 clients.
Yesterday, the CEO received an email from an internal address and we want to trace where it came from. He'd like to know:
i. Source IP address of the email (i.e. the client that sent it)
ii. Confirm that the sender really was the sender and it wasn't spoofed
iii. Confirm client that sent it (Outlook, application, virus/spam etc)
I have the message-id of the email from the CEO's Outlook, so can run get-messagetrackinglog, but it only shows me the:
i. Client= Exchange mailbox server that sent the mail
ii. Shows sender as Sender and Return Address - does this prove that the Sender did indeed send the mail
iii. No info on client type that sent the mail
Any ideas?
March 9th, 2011 2:00pm
You can't track IP from MAPI submitted messages. MAPI submitted messages are assumed to have been authenticated by the user and submitted directly to the store driver. If you suspect that someone may have spoofed a message from a MAPI submitted message, then the user either has Send As rights to the user's mailbox or walked over to his machine and sent the message, he has a virus on his Outlook etc.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 9th, 2011 3:11pm
Hi James
Sure, but what if someone submitted a message to the Hub Transport via SMTP commands, for instance?
Or are we saying that if the message is in the Hub Transport logs and shows the source as an Exchange mailbox server, then this can't be the result of spam/virus, and has to be a user submitting the message via MAPI?
March 10th, 2011 3:56pm
Correct, or if you do message tracking on the message and it says submitted by store driver then it was a MAPI submission.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 10th, 2011 7:10pm
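As an added example (not posted by anyone in this thread), the following Exchange Management Shell script applies the distinction James describes to the question asked at the top: it pulls the tracking log entries for the CEO's message from every Hub Transport server, takes the first RECEIVE event, and reports whether the message came in from the store driver (MAPI, authenticated mailbox session) or over SMTP (where ClientIp is the submitting host and the sender address is only as trustworthy as the receive connector's authentication). It assumes Exchange 2007, an account with at least the Exchange View-Only Administrator role, and a placeholder Message-ID that you replace with the one taken from the CEO's Outlook (Message Options, Internet headers).

```powershell
# Added example, not code from the thread. Classifies how a message was
# submitted using the Exchange 2007 message tracking logs.
# Assumptions: run in the Exchange Management Shell; $messageId below is a
# placeholder to be replaced with the real Message-ID from the CEO's copy.
$messageId = '<PLACEHOLDER-MESSAGE-ID@contoso.local>'   # assumed placeholder
$start = (Get-Date).AddDays(-3)
$end   = Get-Date

# Each Hub Transport server keeps its own tracking log, so query all of them.
$events = foreach ($hub in Get-TransportServer) {
    Get-MessageTrackingLog -Server $hub.Name -MessageId $messageId `
        -Start $start -End $end -ResultSize Unlimited
}

# The earliest RECEIVE event is the point where transport first saw the message.
$receive = $events |
    Where-Object { $_.EventId -eq 'RECEIVE' } |
    Sort-Object Timestamp |
    Select-Object -First 1

if (-not $receive) {
    Write-Warning "No RECEIVE event for $messageId on any Hub Transport server in the window."
    return
}

# Fields that answer the three questions (source, sender identity, client type).
$receive | Format-List Timestamp, Source, EventId, ConnectorId, ClientIp, ClientHostname, `
    ServerHostname, Sender, ReturnPath, Recipients, MessageSubject, SourceContext

switch ($receive.Source) {
    'STOREDRIVER' {
        # MAPI submission: the message left a mailbox session on the mailbox
        # server named in ClientHostname. ClientIp is that server, not the
        # Outlook workstation, so the workstation's IP is not in this log.
        "MAPI submission from mailbox server $($receive.ClientHostname);" +
        " submitted under the sender's authenticated session or by a delegate."

        # Who else could have sent as this mailbox: explicit Send As grants
        # (non-inherited) and Send on Behalf delegates.
        $mbx = Get-Mailbox -Identity $receive.Sender
        $mbx | Get-ADPermission |
            Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.IsInherited } |
            Format-Table User, ExtendedRights, Deny -AutoSize
        "Send on Behalf: $($mbx.GrantSendOnBehalfTo -join ', ')"
    }
    'SMTP' {
        # SMTP submission: ClientIp is the host that opened the session and
        # ConnectorId names the receive connector it used. If that connector
        # accepts anonymous mail, MAIL FROM was never verified and the
        # internal sender address may be spoofed.
        "SMTP submission from $($receive.ClientIp) ($($receive.ClientHostname))" +
        " via connector '$($receive.ConnectorId)'."
        Get-ReceiveConnector -Identity $receive.ConnectorId |
            Format-List Identity, PermissionGroups, AuthMechanism, RemoteIPRanges
    }
    default {
        "Submission source '$($receive.Source)'; inspect SourceContext for details."
    }
}
```

If the Source is STOREDRIVER, the tracking log has already told you everything it can about the originating client: the remaining suspects are the mailbox owner's own session, a Send As or Send on Behalf delegate (listed by the script), or software running on the owner's workstation, and you would have to move to the workstation or a MAPI session monitor to go further. If the Source is SMTP, the ClientIp and the connector's PermissionGroups together tell you whether the sender address was authenticated or simply asserted.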
Hi Pancamo,
You could try to use Exchange Server User Monitor to get the client IP and version.
Download the tool from here,
http://www.microsoft.com/downloads/en/details.aspx?familyid=9A49C22E-E0C7-4B7C-ACEF-729D48AF7BC9&displaylang=en
Meanwhile, you can run the Get-LogonStatistics cmdlet, which retrieves logon information about sessions that are currently active. You can export the result to a file for further analysis.
Please see,
http://technet.microsoft.com/en-us/library/bb124415(EXCHG.80).aspx
And more information:
http://technet.microsoft.com/en-us/library/bb508855(EXCHG.65).aspx
http://www.msexchange.org/tutorials/Microsoft-Exchange-Server-User-Monitor.html
(this is for Exchange 2003, but I think it will help you and give you guidance)
Best regards,
Serena
March 11th, 2011 2:20am
Hi Serena
I'm trying to find the client IP address of an email that was sent, not a user?
March 12th, 2011 11:52am