From: Albert Lederer (albertlederergmx.de)
Date: Wed Feb 27 2002 - 19:59:41 CST


    Depending also on the client/servers you are running, there may be other
    ways to check this. The netscape server we were using at my previous
    job kept logs as to which IP address had sent a specific message. Since
    it was a Unix SMTP server, it's very configurable and verbose in
    information it keeps. This log was configurable in every way including
    retention so we could maintain email logs for months. This would allow
    us to see which computer the email originated from and allowed us to
    track internal spammers very well. I'm not familiar with Exchange, so I
    don't know what logging level it has. Since you are talking about
    sending MAPI messages, it's safe to assume that you are using a Windows
    client. What's unclear is the server in question. I've found that
    tracking a particular message through servers is fairly easy providing
    a) they're your servers, and b) you've set up appropriate logging.

    If you're trying to trace emails on your own network, this may be enough
    for you. Other than that, you may not have too much luck in tracing
    things outside your own sphere of control much beyond the header
    information. ISPs tend to be protective (with good reason) about their
    mail logs should they even keep any.

    Header information is quite useful however. Here's a sample from the
    header of an email my mom sent me.

    Received: (qmail 21654 invoked by uid 0); 27 Feb 2002 19:19:07 -0000
    Received: from tomts21.bellnexxia.net (HELO tomts21-srv.bellnexxia.net) (209.226.175.183)
      by mx0.gmx.net (mx025-rz3) with SMTP; 27 Feb 2002 19:19:07 -0000
    Received: from SUDCAWIN98U1 ([64.230.67.93])
              by tomts21-srv.bellnexxia.net
              (InterMail vM.4.01.03.23 201-229-121-123-20010418) with SMTP
              id <20020227191849.FGAY785.tomts21-srv.bellnexxia.netSUDCAWIN98U1>
              for <albertlederergmx.de>; Wed, 27 Feb 2002 14:18:49 -0500
    Message-ID: <005201c1bfdc$75951760$0264a8c0SUDCAWIN98U1>

    As you can see, there's a whole lot of information there. Note that the
    received tags appear in reverse chronological order. The third
    'Received' tag is the most interesting as it lists my mom's PC's
    hostname and IP address (I altered it a bit for safety). This is
    interesting because it lists the IP address/hostname of the computer
    that originally sent the message. What's also interesting is that the
    Message-ID tag also contains the hostname of the originating computer.
    As you can see, the entire path of the email from my mom's PC to my
    ISP's email server is traced and tagged. As far as I remember, there's
    a reason for all this too. If a server fails somewhere along the way,
    it uses this information to send a failure notification back to you.

    Of course, a router with NAT will hide the IP address and a hostname is
    easy enough to change.

    I hope this helps in your endeavors.

    Albert

    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
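The trace Albert walks through by hand (unfold the Received headers, read them bottom-up, pull out the claimed hostname, the observed IP and the timestamp of each hop, and check the Message-ID for the client's hostname) can be automated. The script below is an added example written for this page, not code from the original post or from any mailer; it uses only the Python standard library and parses the header block quoted above (the list archive stripped the '@' signs from it, which the code tolerates). The hop dictionary keys, the function names and the assumption that a header line starting with whitespace is a folded continuation of the previous one are this example's own choices.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Header block quoted in the post above. The list archive stripped the '@'
# signs from addresses and the Message-ID; that does not affect Received
# parsing, but it does mean message_id_host() finds no host in this sample.
SAMPLE_HEADERS = """\
Received: (qmail 21654 invoked by uid 0); 27 Feb 2002 19:19:07 -0000
Received: from tomts21.bellnexxia.net (HELO tomts21-srv.bellnexxia.net) (209.226.175.183)
  by mx0.gmx.net (mx025-rz3) with SMTP; 27 Feb 2002 19:19:07 -0000
Received: from SUDCAWIN98U1 ([64.230.67.93])
          by tomts21-srv.bellnexxia.net
          (InterMail vM.4.01.03.23 201-229-121-123-20010418) with SMTP
          id <20020227191849.FGAY785.tomts21-srv.bellnexxia.netSUDCAWIN98U1>
          for <albertlederergmx.de>; Wed, 27 Feb 2002 14:18:49 -0500
Message-ID: <005201c1bfdc$75951760$0264a8c0SUDCAWIN98U1>
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
COMMENT_RE = re.compile(r"\([^)]*\)")


def unfold_headers(raw):
    """Join folded continuation lines (leading whitespace) into (name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Extract from/helo/ip/by/timestamp from one unfolded Received value.

    'from' and 'helo' are whatever the sender claimed (HELO/EHLO), so they
    are attacker controlled; 'ip' is what the receiving MTA saw on the
    socket and is only as trustworthy as the MTA that wrote the line.
    """
    hop = {"from": None, "helo": None, "ip": None, "by": None, "when": None}
    clauses = value
    if ";" in value:
        clauses, stamp = value.rsplit(";", 1)
        try:
            dt = parsedate_to_datetime(stamp.strip())
            # A '-0000' zone parses as naive; normalise every hop to aware UTC.
            hop["when"] = (dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None
                           else dt.astimezone(timezone.utc))
        except (TypeError, ValueError):
            pass
    m = re.search(r"\bfrom\s+(\S+)((?:\s+\([^)]*\))*)", clauses)
    if m:
        hop["from"] = m.group(1)
        comments = m.group(2)                      # the '(...)' groups after 'from'
        helo = re.search(r"\bHELO\s+([^\s)]+)", comments, re.IGNORECASE)
        if helo:
            hop["helo"] = helo.group(1)
        ip = IPV4_RE.search(comments)
        if ip:
            hop["ip"] = ip.group(1)
    # Strip comments before looking for 'by', otherwise the qmail line's
    # '(... invoked by uid 0)' would be misread as a relay named 'uid'.
    by = re.search(r"\bby\s+(\S+)", COMMENT_RE.sub(" ", clauses))
    if by:
        hop["by"] = by.group(1)
    return hop


def trace_path(raw):
    """Hops in chronological order: each MTA prepends its Received line, so reverse."""
    received = [v for n, v in unfold_headers(raw) if n.lower() == "received"]
    return [parse_received(v) for v in reversed(received)]


def originating_host(raw):
    """(claimed hostname, observed IP) of the earliest hop that names a sender."""
    for hop in trace_path(raw):
        if hop["from"]:
            return hop["from"], hop["ip"]
    return None, None


def message_id_host(raw):
    """Host part of the Message-ID, if the client put one after '@'."""
    for name, value in unfold_headers(raw):
        if name.lower() == "message-id":
            _, at, host = value.strip().strip("<>").rpartition("@")
            return host if at else None
    return None


if __name__ == "__main__":
    for i, hop in enumerate(trace_path(SAMPLE_HEADERS), 1):
        print(f"hop {i}: from={hop['from']} helo={hop['helo']} ip={hop['ip']} "
              f"by={hop['by']} at={hop['when']}")
    print("origin:", originating_host(SAMPLE_HEADERS))
```

Run on the sample this prints the three hops oldest first, with the first hop reporting SUDCAWIN98U1 / 64.230.67.93 handed to tomts21-srv.bellnexxia.net, which is the line the post singles out. The practitioner's caveat is the one Albert makes himself: only the hops written by servers you control are evidence, since any sender can fabricate the Received lines it hands in and the HELO name is whatever the client chose to say.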