user saying he did not send email
Hi all, I have a user who is saying he did not send an email, but Exchange message tracking is saying he did send the email. Message tracking is saying userA@company.com sent an email to userB@companyB.com at 11:39am on Tuesday morning. However, like I said above, the user is refusing to admit he has sent the email. Message tracking is also saying userB@companyA.com sent an email to userB@companyB.com at 11:39am on Tuesday morning. However, this user did indeed send the email. Is there any way I can see which device sent the email which userA is saying he did not send? Thanks
August 16th, 2012 5:39am

What Exchange version?

[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
August 16th, 2012 6:27am

It's Exchange 2007.
August 16th, 2012 6:29am

The first event recorded for the email should be a Receive event, with a source of either Storedriver or SMTP. If it is Storedriver, then the message was sent from an Exchange client (Outlook or OWA). If it is SMTP, it was sent through a POP or IMAP client, or was relayed via SMTP. There may be more information available in the message headers if it was SMTP. If it was an Exchange client, the headers will be sparse.
August 16th, 2012 6:46am

Correct, the first event is a Receive event and the source is Storedriver; then after the Receive event is a Send event with a source of SMTP. What can be concluded from this? Does this mean the user DID send the email from Outlook?
August 16th, 2012 6:57am

If he didn't send it, someone else in your organization with SendAs or full rights to his mailbox did.
August 16th, 2012 7:10am
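The post above points at the other people who could have produced a Storedriver submission from userA's mailbox. This is an added example (not from the thread) of enumerating them in the Exchange Management Shell on Exchange 2007/2010: explicit Send-As grants on the user object, explicit Full Access on the mailbox, and Send on Behalf delegates. The mailbox address is an assumption standing in for the user in the thread.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell.
# The mailbox address is an assumption standing in for the user in the thread.
$mbx = Get-Mailbox 'userA@company.com'

# Send-As is an Active Directory extended right on the user object. A message
# sent this way carries userA as both From and Sender, so nothing in the
# headers distinguishes it from userA's own mail.
$sendAs = Get-ADPermission -Identity $mbx.DistinguishedName |
    Where-Object {
        ($_.ExtendedRights -like '*Send-As*') -and
        -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\SELF'
    } |
    Select-Object User, IsInherited

# Full Access is a mailbox right. Inherited entries are normally Exchange's own
# service and admin groups; the explicit (non-inherited) ones are the accounts
# that can open the mailbox, including its Sent Items and deleted items.
$fullAccess = Get-MailboxPermission -Identity $mbx.Identity |
    Where-Object {
        ($_.AccessRights -contains 'FullAccess') -and
        -not $_.Deny -and
        -not $_.IsInherited -and
        $_.User -notlike 'NT AUTHORITY\SELF'
    } |
    Select-Object User, AccessRights

# Send on Behalf is stored on the mailbox itself. Unlike Send-As it leaves a
# trace in the message: the Sender header names the delegate.
$onBehalf = $mbx.GrantSendOnBehalfTo

Write-Host "`n== Send-As on $($mbx.PrimarySmtpAddress) =="
$sendAs | Format-Table -AutoSize | Out-Host
Write-Host "`n== Explicit Full Access =="
$fullAccess | Format-Table -AutoSize | Out-Host
Write-Host "`n== Send on Behalf =="
$onBehalf | Out-Host
```

If the Send-As list is not empty, the tracking log alone cannot tell userA's own submissions apart from a Send-As submission by one of those accounts; the Sender header only helps for the Send on Behalf case.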

Thank you very much.
August 16th, 2012 8:29am

It is also possible to use the command line to send email through an SMTP gateway. Having a copy of the email with the mail headers will tell you a lot of the story inside :)
August 16th, 2012 11:30am

It is possible, but if that's what happened, then the Receive event for this email would have a source of SMTP, not Storedriver.
August 16th, 2012 11:32am

On Thu, 16 Aug 2012 10:40:47 +0000, mjolinor wrote:

> The first event recorded for the email should be a Receive event,

Nope. It should be a SUBMIT event if it didn't come from an SMTP client. Check the message tracking logs on the MAILBOX server first.

> and have a source of either Storedriver or SMTP. If it is Storedriver, then the message was sent from an Exchange client (Outlook or OWA). If it is SMTP it was sent through a POP or IMAP client, or was relayed via SMTP.

I believe it's also possible to use EWS and place a message directly into a mailbox folder with no trace in the message tracking log. I doubt that's the case here, though. :-)

--- Rich Matheisen MCSE+I, Exchange MVP
August 16th, 2012 10:03pm

I always use the hub transport logs. Can you have a Submit event on the mailbox server without having a corresponding Receive/Storedriver event on the hub server (assuming communications are all working)?
August 16th, 2012 10:17pm

> I believe it's also possible to use EWS and place a message directly into a mailbox folder with no trace in the message tracking log. I doubt that's the case here, though. :-)

That would produce the inverse of what we've got here: an email with no evidence of being sent or received in the logs. Here we have tracking logs showing the email being sent and delivered, but the sender claiming they never sent it.
August 16th, 2012 10:25pm

On Fri, 17 Aug 2012 02:11:46 +0000, mjolinor wrote:

> I always use the hub transport logs. Can you have a Submit event on the mailbox server without having a corresponding Receive/Storedriver event on the hub server (assuming communications are all working)?

Not if things are working. :-) But if you have multiple HT servers, where do you go to start looking? If you start the search on the (presumed) sender's mailbox server you can select the SUBMIT event that matches the criteria (if there is one) and then follow that to the HT server that handled the message (and then maybe to the next HT server, etc.).

--- Rich Matheisen MCSE+I, Exchange MVP
August 17th, 2012 11:33am
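The posts above describe a procedure: start on the mailbox servers for a SUBMIT event, follow the message across the hub transport servers, and read the first hop's EventId/Source (SUBMIT or RECEIVE with Source STOREDRIVER versus RECEIVE with Source SMTP) to decide how it was submitted. This added example, not code from the thread, does that in the Exchange Management Shell on Exchange 2007/2010 for all messages matching a sender, recipient and time window. The sender, recipient and window are assumptions standing in for the case in the thread.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell
# (Exchange 2007/2010). Sender, recipient and time window are assumptions
# standing in for the case in the thread; adjust them.
$sender    = 'userA@company.com'
$recipient = 'userB@companyB.com'
$start     = Get-Date '2012-08-14 11:30'
$end       = Get-Date '2012-08-14 11:50'

# Query the mailbox servers (where store-driver submissions appear as SUBMIT)
# and the hub transport servers (RECEIVE/TRANSFER/SEND/DELIVER) in one pass.
$servers = @(Get-MailboxServer   | ForEach-Object { $_.Name }) +
           @(Get-TransportServer | ForEach-Object { $_.Name })
$servers = $servers | Sort-Object -Unique

$events = foreach ($srv in $servers) {
    Get-MessageTrackingLog -Server $srv -Start $start -End $end `
        -Sender $sender -Recipients $recipient -ResultSize Unlimited
}

# Group by MessageId so each message's path is stitched together across
# servers, then order the path by Timestamp and classify the first hop.
$events | Group-Object MessageId | ForEach-Object {
    $path  = $_.Group | Sort-Object Timestamp
    $first = $path | Select-Object -First 1

    $origin = switch ("$($first.EventId)/$($first.Source)") {
        'SUBMIT/STOREDRIVER'  { 'Handed to transport by the mailbox store (Outlook/OWA, or another client or delegate acting on the mailbox)' }
        'RECEIVE/STOREDRIVER' { 'Received by a hub server from the mailbox store (no SUBMIT found: mailbox-server log missing or outside the window)' }
        'RECEIVE/SMTP'        { "Submitted over SMTP from $($first.ClientIp) ($($first.ClientHostname)) via connector '$($first.ConnectorId)'" }
        default               { "Unrecognised first hop: $($first.EventId)/$($first.Source)" }
    }

    Write-Host "`nMessageId: $($_.Name)"
    Write-Host "Subject:   $($first.MessageSubject)"
    Write-Host "Origin:    $origin"
    $path | Format-Table Timestamp, ServerHostname, EventId, Source, ClientIp,
        ClientHostname, ConnectorId, SourceContext -AutoSize | Out-Host
}
```

For an SMTP first hop the ClientIp/ClientHostname columns name the submitting host and ConnectorId the receive connector it used, which is the "which device" answer. For a store-driver first hop the tracking log records the mailbox server, not the user's workstation or browser; attributing that to a device needs a different source (the Client Access server's IIS logs for OWA, or a proxy such as ISA, as mentioned later in the thread).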

On Fri, 17 Aug 2012 02:19:46 +0000, mjolinor wrote:

>> I believe it's also possible to use EWS and place a message directly into a mailbox folder with no trace in the message tracking log. I doubt that's the case here, though. :-)
>
> That would produce the inverse of what we've got here. An email with no evidence of being sent or received in the logs.

Correct. Just making note that tracking logs aren't always an absolute proof of delivery. ;-)

> Here we have tracking logs showing the email being sent and delivered, but the sender claiming they never sent it.

Depending on the nature of the message in question, I'm always suspicious of the sender. It may be something as simple as them leaving their machine unattended and someone having a bit of "fun" with them. If the prankster isn't careful (or if it's really the mailbox owner trying to cover their tracks) the message will still be recoverable from the dumpster or maybe an "archive PST".

--- Rich Matheisen MCSE+I, Exchange MVP
August 17th, 2012 11:41am

I've also got multiple mailbox servers in a DAG, so I'm still going to have to potentially interrogate multiple machines before I find where the message track started.
August 17th, 2012 11:48am

On Fri, 17 Aug 2012 15:47:49 +0000, mjolinor wrote:

> I've also got multiple mailbox servers in a DAG, so I'm still going to have to potentially interrogate multiple machines before I find where the message track started.

Isn't HA fun?

--- Rich Matheisen MCSE+I, Exchange MVP
August 17th, 2012 4:22pm

Not sure if this is helpful, but I have had situations like this, and they turned out to be that a user account was compromised and OWA was used to send spam/viruses. I ended up tracking this down via ISA logs (if you have ISA :) ). I also did research in the user's mailbox by looking through deleted items, so if you have a dumpster retention long enough you could use that as well. Clearly a message was sent and received, so identifying where it came from is key. Also, if this yields nothing, suggest the user change their password, and make sure they aren't leaving their workstation unattended :)
August 17th, 2012 5:01pm
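Where the submission came through OWA, the Client Access server's IIS logs hold what the tracking log does not: the browser's IP address and User-Agent next to the authenticated account. This added example, not code from the thread, parses W3C-format IIS log lines and lists the OWA POST requests made by one account in a UTC time window. The log path, the field layout (the default Exchange 2007 Client Access W3C fields) and the account name are assumptions, and the sample log lines are constructed for illustration, including the query strings in them.

```powershell
# Added example, not code from the thread. Lists OWA POST requests by one
# account from IIS W3C logs, with the client IP and User-Agent that made them.
# Assumptions: default W3C field set of an Exchange 2007 CAS, IIS logging in
# UTC (the default), and a constructed sample in place of a real log file.

function Get-OwaPosts {
    param(
        [string[]]$Lines,      # raw IIS log lines, including the #Fields: header
        [string]$Account,      # cs-username as logged, e.g. DOMAIN\user
        [datetime]$StartUtc,   # window in UTC, to match the log's timestamps
        [datetime]$EndUtc
    )
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields: directive defines the column order for the lines below it.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line.Length -eq 0 -or $line.StartsWith('#') -or -not $fields) { continue }

        # IIS encodes spaces inside a field (e.g. User-Agent) as '+', so a
        # plain split on spaces gives one value per column.
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $row[$fields[$i]] = $values[$i]
        }

        $when = [datetime]::SpecifyKind(
            [datetime]::ParseExact("$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss', $null),
            [System.DateTimeKind]::Utc)

        if ($row['cs-method'] -eq 'POST' -and
            $row['cs-uri-stem'] -like '/owa/*' -and
            $row['cs-username'] -eq $Account -and
            $when -ge $StartUtc -and $when -le $EndUtc) {

            New-Object PSObject -Property @{
                TimeUtc   = $when
                ClientIp  = $row['c-ip']
                UserAgent = ($row['cs(User-Agent)'] -replace '\+', ' ')
                Uri       = "$($row['cs-uri-stem'])?$($row['cs-uri-query'])"
                Status    = $row['sc-status']
            }
        }
    }
}

# Constructed sample (not a real log). Times are UTC; 10:39 UTC is 11:39 BST.
$sample = @'
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2012-08-14 10:38:52 10.0.0.5 GET /owa/ ae=Folder&t=IPF.Note 443 COMPANY\userA 10.0.3.77 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1) 200 0 0
2012-08-14 10:39:07 10.0.0.5 POST /owa/ ae=Item&t=IPM.Note&a=Send 443 COMPANY\userA 10.0.3.77 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1) 200 0 0
2012-08-14 10:39:30 10.0.0.5 POST /owa/ ae=Item&t=IPM.Note&a=Send 443 COMPANY\userB 10.0.4.12 Mozilla/5.0+(Windows+NT+6.1)+Firefox/14.0 200 0 0
'@ -split '\r?\n'

# Against a real server, replace $sample with the day's log file, for example
# (assumed path for IIS 7): Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex120814.log'
Get-OwaPosts -Lines $sample -Account 'COMPANY\userA' `
    -StartUtc ([datetime]::SpecifyKind((Get-Date '2012-08-14 10:30'), 'Utc')) `
    -EndUtc   ([datetime]::SpecifyKind((Get-Date '2012-08-14 10:50'), 'Utc')) |
    Format-Table TimeUtc, ClientIp, UserAgent, Uri, Status -AutoSize
```

Only the POST made as COMPANY\userA from 10.0.3.77 is listed; the GET and userB's request are filtered out. A hit from an address that is not userA's workstation (or from outside the network, if OWA is published) points at the compromised-account case; a hit from his own workstation points at the unattended-machine case. No OWA activity at all, with a Storedriver submission in the tracking log, leaves Outlook, a delegate, or another client acting on the mailbox.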

> Isn't HA fun?

It's an interesting arrangement of levers and pulleys. I'll quit there.

I usually start message tracking at the hub servers, because most of the ad-hoc message tracking I do is for SMTP email. Most of the time you get a forwarded copy of an email to trace, so there are no headers and it's a crapshoot. I've learned to bet on it being SMTP, and the first place it will show up is a hub server. YMMV
August 17th, 2012 11:37pm

On Sat, 18 Aug 2012 03:37:05 +0000, mjolinor wrote:

>> Isn't HA fun?
>
> It's an interesting arrangement of levers and pulleys. I'll quit there.
>
> I usually start message tracking at the hub servers, because most of the ad-hoc message tracking I do is for SMTP email.

I admit that I do too, unless it's an "I never sent that" situation.

> Most of the time you get a forwarded copy of an email to trace, so there are no headers and it's a crapshoot.

I usually request the original message as an attachment. If they don't have the original then it's usually just too bad for them.

> I've learned to bet on it being SMTP, and the first place it will show up is a hub server.
> YMMV

No kidding? :-)

--- Rich Matheisen MCSE+I, Exchange MVP
August 18th, 2012 5:14pm
