How to find the actual source (device) of the email

    Question

  • I am trying to find out which application an email came from, I mean whether it came from the user's mobile, the user's Outlook or the user's webmail. How do I find this? Please help.

    Thanks

    Anudeep S

    Tuesday, April 25, 2017 11:17 AM

Answers

  • If the message was sent by SMTP, then you can look at the message headers, which should show the initiating connection.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    • Marked as answer by Anudeep S Thursday, April 27, 2017 12:55 PM
    Thursday, April 27, 2017 6:44 AM
    Moderator
  • Hello Anudeep,

    To achieve your expectation, we can use the message tracking log to monitor the delivery process, and we can find out the client IP. However, we cannot get the client information from the message tracking log.

    For example:
    PSComputerName          : lab-e2k10csht01.tailspintoys.com
    RunspaceId              : a241bdf5-c2c6-4c99-8e5a-b395faa5e67a
    Timestamp               : 4/19/2011 4:45:30 PM
    ClientIp                : fe80::89dc:2ad8:e3b:c03%13
    ClientHostname          : LAB-E2k10CSHT01
    ServerIp                : fe80::89dc:2ad8:e3b:c03%13
    ServerHostname          : LAB-E2k10CSHT01
    SourceContext           : 08CDCCED60881B31;2011-04-19T21:45:30.419Z;0
    ConnectorId             : LAB-E2K10CSHT01\Default LAB-E2K10CSHT01
    Source                  : SMTP
    EventId                 : RECEIVE
    InternalMessageId       : 270
    MessageId               : <1cd4eba2-d158-4ea1-81a7-4dbbc659bd13@LAB-E2K10CSHT01.TailSpinToys.com>
    Recipients              : {User1-DB01@TailSpinToys.com}
    RecipientStatus         : {}
    TotalBytes              : 4146
    RecipientCount          : 1
    RelatedRecipientAddress :
    Reference               :
    MessageSubject          : Origins of Legislation
    Sender                  : User19-DB01@TailSpinToys.com
    ReturnPath              : User19-DB01@TailSpinToys.com
    MessageInfo             : 0aI: NTS:
    MessageLatency          :
    MessageLatencyType      : None
    EventData               : {[FirstForestHop, LAB-E2K10CSHT01.TailSpinToys.com]}

    If you want to get the client information, we need to check it in the IIS log or the RPC Client Access log, which include the client type, login type, version, etc.

    IIS log, for example:
    2017-03-28 02:33:25 fe80::cce2:b193:1b07:74f7%12 POST /owa/auth.owa &CorrelationID=<empty>;&cafeReqId=af09dd09-ada4-461d-8cd5-8d70860021af;&encoding=; 443 
    contoso\three fe80::cce2:b193:1b07:74f7%12 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko 
    https://exc2016.contoso.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fexc2016.contoso.com%2fowa%2f 302 0 0 31

    RPC Client Access log, for example:
    2017-03-28T03:16:17.456Z,2131,1,/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=1ae25789565b477f9abd43c5940c8f5b-test16,,
    OUTLOOK.EXE,14.0.6025.1000,Classic,192.168.0.51,,,ncacn_http,Client=MSExchangeRPC,97ba2552-352e-420c-a8fc-75fb789b5b73|ff2ecc61-9378-45a6-aa57-91c010db1757,"""{E0AA311E-7A89-4693-ADB1-22DB4E703E5E}""",
    OwnerLogon,0,00:00:00.1870000,"Logon: Owner, /o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=1ae25789565b477f9abd43c5940c8f5b-test16 in 
    database 89e656e8-05c3-41f8-813b-4de95004dfe2 last mounted on EXC2016.contoso.com; 
    LogonId: 0",,,,test16@contoso.com,,

    Best Regards,

    Allen Wang



    • Marked as answer by Anudeep S Thursday, April 27, 2017 12:55 PM
    Thursday, April 27, 2017 11:43 AM
    Moderator
  • Hello Anudeep,

    In addition to all the suggestions, please do a message tracking search and look for the SUBMIT event in the message tracking log. On the SUBMIT event you can see one parameter called "SourceContext", which will clearly show you whether the mail was generated from the user's mobile, Outlook or webmail.

    OWA - ClientType as Owa

    Outlook - ClientType as MOMT

    ActiveSync - ClientType as AirSync

    Note: Check for the above values in the "SourceContext" parameter of the SUBMIT event in the message tracking logs.

    Please check this reference link.

    http://markgossa.blogspot.com/2015/11/exchange-what-type-of-client-sent-email.html


    Thanks & Regards S.Nithyanandham

    • Marked as answer by Anudeep S Thursday, July 20, 2017 10:21 AM
    Thursday, April 27, 2017 3:07 PM
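
The SUBMIT-event lookup described in the last answer, as an added example that is not part of the original thread. It assumes SourceContext on SUBMIT events is a comma-separated list of Key:Value pairs; the function name `Get-SubmitClientType` and the sample events are constructed for illustration.

```powershell
# Added example: classify the sending client from the ClientType token that
# the answer says appears in SourceContext on SUBMIT events.
# Assumption: SourceContext is a comma-separated list of "Key:Value" pairs.
$ClientFamily = @{                      # values taken from the answer above
    'Owa'     = 'Webmail (OWA)'
    'MOMT'    = 'Outlook'
    'AirSync' = 'Mobile (ActiveSync)'
}

function Get-SubmitClientType {         # hypothetical helper name
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$TrackingEvent)
    process {
        # Other events (e.g. RECEIVE) use a different SourceContext layout.
        if ($TrackingEvent.EventId -ne 'SUBMIT') { return }

        $clientType = $null
        if ([string]$TrackingEvent.SourceContext -match '(?:^|,)\s*ClientType:\s*([^,\s]+)') {
            $clientType = $Matches[1]
        }
        $client = if (-not $clientType) {
            'Unknown (no ClientType token)'
        } elseif ($ClientFamily.ContainsKey($clientType)) {
            $ClientFamily[$clientType]
        } else {
            "Other ($clientType)"       # keep unmapped values visible for review
        }
        [pscustomobject]@{
            Timestamp  = $TrackingEvent.Timestamp
            Sender     = $TrackingEvent.Sender
            MessageId  = $TrackingEvent.MessageId
            ClientType = $clientType
            Client     = $client
        }
    }
}

# Constructed sample events so the script runs without an Exchange server.
# On a server, pipe real data instead, for example:
#   Get-MessageTrackingLog -EventId SUBMIT -Sender user@contoso.com -Start (Get-Date).AddDays(-1)
$sample = @(
    [pscustomobject]@{ Timestamp = '2017-04-25 10:01'; EventId = 'SUBMIT'; Sender = 'user1@contoso.com'; MessageId = '<m1@contoso.com>'; SourceContext = 'MDB:sample-db, Mailbox:sample-mbx, Event:101, MessageClass:IPM.Note, ClientType:MOMT' }
    [pscustomobject]@{ Timestamp = '2017-04-25 10:05'; EventId = 'SUBMIT'; Sender = 'user2@contoso.com'; MessageId = '<m2@contoso.com>'; SourceContext = 'MDB:sample-db, Mailbox:sample-mbx, Event:102, MessageClass:IPM.Note, ClientType:AirSync' }
    [pscustomobject]@{ Timestamp = '2017-04-25 10:09'; EventId = 'SUBMIT'; Sender = 'user3@contoso.com'; MessageId = '<m3@contoso.com>'; SourceContext = 'MDB:sample-db, Mailbox:sample-mbx, Event:103, MessageClass:IPM.Note, ClientType:Owa' }
    [pscustomobject]@{ Timestamp = '2017-04-25 10:09'; EventId = 'RECEIVE'; Sender = 'user3@contoso.com'; MessageId = '<m3@contoso.com>'; SourceContext = '08CDCCED60881B31;2011-04-19T21:45:30.419Z;0' }
)
$sample | Get-SubmitClientType | Format-Table -AutoSize
```

The RECEIVE row is skipped, and any ClientType value outside the three listed in the answer is reported as "Other" rather than dropped.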
