user saying he did not send email

  • Question

  • Hi all,

    I have a user who is saying he did not send an email, but Exchange message tracking is saying he did send the email.

    Message tracking is saying userA@company.com sent an email to userB@companyB.com at 11:39am on Tuesday morning. However, like I said above, the user is refusing to admit he has sent the email.

    Message tracking is also saying userB@companyA.com sent an email to userB@companyB.com at 11:39am on Tuesday morning. However, this user did indeed send the email.

    Is there any way I can see which device sent the email which userA is saying he did not send?

    Thanks

    Thursday, August 16, 2012 9:33 AM


All replies

  • What Exchange version?

    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Thursday, August 16, 2012 10:22 AM
  • It's Exchange 2007
    Thursday, August 16, 2012 10:24 AM
  • The first event recorded for the email should be a Receive event, and have a source of either Storedriver or SMTP.  If it is Storedriver, then the message was sent from an Exchange client (Outlook or OWA).  If it is SMTP it was sent through a POP or IMAP client, or was relayed via SMTP.

    There may be more information available in the message headers if it was SMTP.   If it was an Exchange client the headers will be sparse.


    Thursday, August 16, 2012 10:40 AM
  • Correct, the first event is a Receive event and the source is Storedriver; then after the Receive event is a Send event with a source of SMTP.

    How can this be concluded? Does this mean the user DID send the email from Outlook?

    Thursday, August 16, 2012 10:51 AM
  • If he didn't send it, someone else in your organization with SendAs or full rights to his mailbox did. 

    • Marked as answer by hyperNoddy Thursday, August 16, 2012 12:24 PM
    Thursday, August 16, 2012 11:04 AM
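The accepted answer says that if the owner did not send it, someone with Send As or full mailbox rights did. The following is an added example, not code from the thread, that enumerates exactly those principals in the Exchange 2007 Management Shell. The mailbox address is a placeholder; Get-ADPermission, Get-MailboxPermission and the GrantSendOnBehalfTo attribute are the standard Exchange 2007 cmdlets and property for these three rights.

```powershell
# Added example, not code from the thread. Exchange 2007 Management Shell.
# Lists every principal other than the owner who could have produced a message
# from userA's address: Send As (an AD extended right on the user object),
# Full Access (a mailbox right) and Send on Behalf (a mailbox attribute).
# The mailbox address is a placeholder.

$owner = Get-Mailbox "userA@company.com"

# Send As. Inherited ACEs (for example granted on the OU) are just as effective
# as explicit ones, so they are kept and flagged rather than filtered out.
$sendAs = Get-ADPermission -Identity $owner.DistinguishedName |
    Where-Object {
        ($_.ExtendedRights -like "*Send-As*") -and -not $_.Deny -and
        $_.User -notlike "NT AUTHORITY\SELF"
    } |
    ForEach-Object {
        New-Object PSObject -Property @{ Right = "SendAs"; User = "$($_.User)"; Inherited = $_.IsInherited }
    }

# Full Access lets another Outlook profile open the mailbox and act inside it.
$fullAccess = Get-MailboxPermission -Identity $owner.Identity |
    Where-Object {
        ($_.AccessRights -like "*FullAccess*") -and -not $_.Deny -and
        $_.User -notlike "NT AUTHORITY\SELF"
    } |
    ForEach-Object {
        New-Object PSObject -Property @{ Right = "FullAccess"; User = "$($_.User)"; Inherited = $_.IsInherited }
    }

# Send on Behalf produces a "Sent on behalf of" sender in the delivered copy, so
# it only fits this case if the recipient's copy shows that; listed for completeness.
$onBehalf = $owner.GrantSendOnBehalfTo | ForEach-Object {
    New-Object PSObject -Property @{ Right = "SendOnBehalf"; User = "$($_.Name)"; Inherited = $false }
}

# Explicit grants sort first; inherited entries are mostly Exchange's own service
# groups, but read them rather than assuming so.
@($sendAs) + @($fullAccess) + @($onBehalf) |
    Where-Object { $_ } |
    Sort-Object Inherited, Right, User |
    Format-Table Right, User, Inherited -AutoSize
```

Every non-SELF entry in the output is a candidate besides the owner. A Deny entry is deliberately dropped because it does not confer the right; an empty list narrows the case to the owner's own credentials (an unattended session or a stolen password) rather than a delegate.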
  • Thank you very much
    Thursday, August 16, 2012 12:24 PM
  • It is also possible to use the command line to send email through an SMTP gateway.

    Having a copy of the email with the mail headers will tell you a lot of the story inside :)

    Thursday, August 16, 2012 3:25 PM
  • It is possible, but if that's what happened, then the Receive event for this email would have a source of SMTP, not Storedriver.


    Thursday, August 16, 2012 3:27 PM
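Two replies above make the point that a copy of the message with its headers tells the story, and that Exchange-client submissions leave sparse headers while SMTP submissions do not. As an added example, not code from the thread, the function below reads the Received: chain from a saved copy. It relies on Exchange 2007 stamping "with mapi" on the hop from the mailbox server to the hub for store-submitted mail (no client address on that hop), and on an SMTP submission recording the submitting host and IP instead. Both sample messages are constructed for the example; hostnames and addresses are placeholders.

```powershell
# Added example, not code from the thread. Parses the Received: headers of a
# saved message and says, hop by hop, whether the message entered Exchange via
# the store driver ("with mapi", no client address) or via SMTP (client host
# and IP recorded). Sample messages are constructed; names are placeholders.

function Get-ReceivedChain {
    param([string]$RawMessage)

    # The header block ends at the first blank line; unfold continuation lines.
    $header   = ($RawMessage -split "`r?`n`r?`n", 2)[0]
    $unfolded = $header -replace "`r?`n[ \t]+", " "
    $received = @($unfolded -split "`r?`n" | Where-Object { $_ -match '^Received:' })

    # Each hop prepends its line, so the last Received: header is the first hop.
    [array]::Reverse($received)

    $rx = '^Received:\s+from\s+(?<from>\S+)(?:\s+\(\[?(?<fromip>[^\]\)]+)\]?\))?' +
          '\s+by\s+(?<by>\S+)(?:\s+\(\[?[^\]\)]+\]?\))?' +
          '\s+with\s+(?<with>.+?)(?:\s+id\s+\S+)?\s*;\s*(?<date>.+)$'

    $hop = 0
    foreach ($line in $received) {
        $hop++
        if (-not ($line -match $rx)) {
            New-Object PSObject -Property @{ Hop = $hop; Origin = "unparsed: $line" }
            continue
        }
        $origin = if ($matches['with'] -match '^mapi\b') {
                      "store driver (Outlook/OWA), client address not recorded"
                  } elseif ($hop -eq 1) {
                      "SMTP submission from $($matches['from']) [$($matches['fromip'])]"
                  } else {
                      "SMTP relay"
                  }
        New-Object PSObject -Property @{
            Hop    = $hop
            From   = $matches['from']
            FromIp = $matches['fromip']
            By     = $matches['by']
            With   = $matches['with']
            Date   = $matches['date']
            Origin = $origin
        }
    }
}

# Constructed sample 1: submitted from Outlook/OWA (store driver), then relayed on.
$storeSubmitted = @"
Received: from HUB01.corp.company.com (10.0.0.21) by EDGE01.corp.company.com (10.0.0.41) with Microsoft SMTP Server (TLS) id 8.3.83.0; Tue, 14 Aug 2012 11:39:12 +0100
Received: from MBX01.corp.company.com ([10.0.0.11]) by HUB01.corp.company.com ([10.0.0.21]) with mapi; Tue, 14 Aug 2012 11:39:11 +0100
From: userA@company.com
To: userB@companyB.com
Subject: constructed sample
Message-ID: <sample1@company.com>

body
"@

# Constructed sample 2: submitted over SMTP from a workstation, e.g. a POP/IMAP client.
$smtpSubmitted = @"
Received: from WS-FIN-07 (10.20.30.40) by HUB01.corp.company.com (10.0.0.21) with Microsoft SMTP Server id 8.3.83.0; Tue, 14 Aug 2012 11:39:11 +0100
From: userA@company.com
To: userB@companyB.com
Subject: constructed sample
Message-ID: <sample2@company.com>

body
"@

Get-ReceivedChain $storeSubmitted | Format-Table Hop, From, FromIp, With, Origin -AutoSize
Get-ReceivedChain $smtpSubmitted  | Format-Table Hop, From, FromIp, With, Origin -AutoSize
```

Hop 1 is the line that matters: for the first sample it is the mapi hop with only the mailbox server's address, which is why the thread says the headers are sparse for an Exchange client; for the second it names the workstation and its IP. This only works on the recipient's original (saved as .eml/.msg or forwarded as an attachment); a forwarded body has no Received: chain at all.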
  • On Thu, 16 Aug 2012 10:40:47 +0000, mjolinor wrote:
     
    >The first event recorded for the email should be a Receive event,
     
    Nope. It should be a SUBMIT event if it didn't come from a SMTP
    client. Check the message tracking logs on the MAILBOX server first.
     
    >and have a source of either Storedriver or SMTP. If it is Storedriver, then the message was sent from an Exchange client (Outlook or OWA). If it is SMTP it was sent through a POP or IMAP client, or was relayed via SMTP.
     
    I believe it's also possible to use EWS and place a message directly
    into a mailbox folder with no trace in the message tracking log. I
    doubt that's the case here, though. :-)
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Friday, August 17, 2012 1:57 AM
  • I always use the hub transport logs.  Can you have a Submit event on the mailbox server without having a corresponding Receive/Storedriver event on the hub server (assuming communications are all working)?

    Friday, August 17, 2012 2:11 AM
  • >I believe it's also possible to use EWS and place a message directly
    >into a mailbox folder with no trace in the message tracking log. I
    >doubt that's the case here, though. :-)

    That would produce the inverse of what we've got here: an email with no evidence of being sent or received in the logs. Here we have tracking logs showing the email being sent and delivered, but the sender claiming they never sent it.

    Friday, August 17, 2012 2:19 AM
  • On Fri, 17 Aug 2012 02:11:46 +0000, mjolinor wrote:
     
    >I always use the hub transport logs. Can you have a Submit event on the mailbox server without having a corresponding Receive/Storedriver event on the hub server (assuming communications are all working)?
     
    Not if things are working. :-)
     
    But if you have multiple HT servers where do you go to start looking?
    If you start the search on the (presumed) sender's mailbox server you
    can select the SUBMIT event that matches the criteria (if there is
    one) and then follow that to the HT server that handled the message
    (and then maybe to the next HT server, etc.).
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Friday, August 17, 2012 3:32 PM
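The procedure the two of them have converged on is: start on the sender's mailbox server and look for the SUBMIT event, follow that message to whichever Hub Transport server handled it, and classify the first hub event (RECEIVE from STOREDRIVER for an Exchange client, RECEIVE from SMTP for a POP/IMAP client or relay), then look at the SEND to the external domain. The following is an added example, not code from the thread, that does this end to end in the Exchange 2007 Management Shell. The sender address and time window are placeholders; the claim that ClientIp on a STOREDRIVER receive is the mailbox server rather than the workstation is my reading of the log format, so treat that line as an assumption to confirm against your own logs.

```powershell
# Added example, not code from the thread. Exchange 2007 Management Shell, run
# from a box that can query every Mailbox and Hub Transport server.
# 1. SUBMIT on the sender's mailbox server (Rich's starting point)
# 2. same Message-ID on every hub, earliest event is the entry point (mjolinor's test)
# 3. SEND/SMTP event is the hop to the external recipient
# Addresses and the time window are placeholders.

$sender = "userA@company.com"           # address the user says he did not send from
$start  = Get-Date "2012-08-14 11:30"    # Tuesday 11:39am, with a margin either side
$end    = $start.AddMinutes(20)

$mbxServer = (Get-Mailbox $sender).ServerName
$hubs = Get-ExchangeServer | Where-Object { $_.IsHubTransportServer } |
        Select-Object -ExpandProperty Name

# 1. A SUBMIT event means the Mail Submission service handed a message from
#    userA's mailbox to transport. No SUBMIT in the window means the message did
#    not originate in that mailbox at all.
$submits = Get-MessageTrackingLog -Server $mbxServer -EventId SUBMIT -Sender $sender `
               -Start $start -End $end -ResultSize Unlimited

foreach ($s in $submits) {
    # 2. Follow the Message-ID to every hub; the earliest hub event is the entry point.
    $trail = foreach ($h in $hubs) {
        Get-MessageTrackingLog -Server $h -MessageId $s.MessageId `
            -Start $start -End $end -ResultSize Unlimited
    }
    $trail = @($trail | Sort-Object Timestamp)

    if ($trail.Count -eq 0) {
        $first  = $null
        $origin = "SUBMIT without hub events: mailbox and hub logs disagree, re-check both"
    } else {
        $first  = $trail[0]
        $origin = switch ("$($first.EventId)/$($first.Source)") {
            # Store driver = Exchange client (Outlook MAPI or OWA). ClientIp on this
            # event is the mailbox server (assumption), so the log alone does not
            # identify the workstation.
            "RECEIVE/STOREDRIVER" { "Exchange client (Outlook/OWA); log does not record the workstation" }
            # SMTP = POP/IMAP client or relay; the submitting host is in the event.
            "RECEIVE/SMTP"        { "SMTP submission from $($first.ClientIp) ($($first.ClientHostname))" }
            default               { "unexpected first hub event $($first.EventId)/$($first.Source)" }
        }
    }

    # 3. The outbound hop to the external recipient is the SEND/SMTP event.
    $send = $trail | Where-Object { $_.EventId -eq "SEND" } | Select-Object -First 1

    New-Object PSObject -Property @{
        Submitted  = $s.Timestamp
        MessageId  = $s.MessageId
        Subject    = $s.MessageSubject
        Recipients = ($s.Recipients -join ";")
        FirstHub   = $(if ($first) { "$($first.EventId)/$($first.Source) on $($first.ServerHostname)" } else { "" })
        Origin     = $origin
        SentVia    = $(if ($send) { "$($send.ConnectorId) -> $($send.ServerHostname) at $($send.Timestamp)" } else { "" })
    }
}
```

Starting from SUBMIT rather than scanning every hub for the sender is what makes this tractable with several hub servers (or, on 2010 with a DAG, several possible mailbox servers): each SUBMIT gives one Message-ID to chase. If the entry point is RECEIVE/SMTP, the ClientIp column is the device the original poster was asking for; if it is STOREDRIVER, the answer has to come from elsewhere (delegate rights, an OWA access log, or the user's workstation).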
  • On Fri, 17 Aug 2012 02:19:46 +0000, mjolinor wrote:
     
    >I believe it's also possible to use EWS and place a message directly into a mailbox folder with no trace in the message tracking log. I doubt that's the case here, though. :-)
    >That would produce the inverse of what we've got here. An email with no evidence of being sent or received in the logs.
     
    Correct. Just making note that tracking logs aren't always an absolute
    proof of delivery. ;-)
     
    >here we have tracking logs showing the email being sent and delivered, but the sender claiming they never sent it.
     
    Depending on the nature of the message in question, I'm always
    suspicious of the sender. It may be something as simple as them
    leaving their machine unattended and someone having a bit of "fun"
    with them. If the prankster isn't careful (or if it's really the
    mailbox owner trying to cover their tracks) the message will still be
    recoverable from the dumpster or maybe an "archive PST".
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Friday, August 17, 2012 3:40 PM
  • I've also got multiple mailbox servers in a DAG, so I'm still going to have to potentially interrogate multiple machines before I find where the message track started.


    Friday, August 17, 2012 3:47 PM
  • On Fri, 17 Aug 2012 15:47:49 +0000, mjolinor wrote:
     
    >I've also got multiple mailbox servers in a DAG, so I'm still going to have to potentially interrogate multiple machines before I find where the message track started.
     
    Isn't HA fun?
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Friday, August 17, 2012 8:21 PM
  • Not sure if this is helpful, but I have had situations like this, and they turned out being that a user account was compromised, and OWA was used to send spam/viruses.  I ended up tracking this down via ISA logs (if you have ISA :) ).  I also did research in the user's mailbox by looking through deleted items, so if you have a dumpster retention long enough you could use that as well.

    Clearly a message was sent and received, so identifying where it came from is key.  Also, if this yields nothing, suggest the user changes their password, and make sure they aren't leaving their workstation unattended :)

    Friday, August 17, 2012 9:00 PM
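The reply above found its compromised-account case through ISA logs. Without ISA, the IIS W3C log on the Client Access server records every OWA request with the authenticated user and the client IP, which is the data that answers "which device" when the message went out through OWA. The following is an added example, not code from the thread, that filters such a log for one user's OWA activity in a time window. The log lines are constructed for the example, the user name and window are placeholders, and the default log location (C:\inetpub\logs\LogFiles\W3SVC1 on IIS 7, %SystemRoot%\system32\LogFiles\W3SVC1 on IIS 6) is an assumption about the CAS build. IIS writes W3C timestamps in UTC, so the local 11:39 has to be converted before filtering; UTC+1 is assumed below.

```powershell
# Added example, not code from the thread. Filters IIS W3C log lines from a
# Client Access server for one user's OWA requests in a UTC window, honouring
# the #Fields: directive so any column layout works. Sample lines constructed.

function Find-OwaActivity {
    param(
        [string[]]$LogLines,      # lines of one or more IIS W3C log files
        [string]$User,            # sAMAccountName, matched with or without DOMAIN\
        [datetime]$StartUtc,
        [datetime]$EndUtc
    )
    $fields = @()
    $userRx = '(^|\\)' + [regex]::Escape($User) + '$'
    foreach ($line in $LogLines) {
        # The #Fields: directive defines the column order; read it rather than
        # assuming the default layout, since administrators add or remove columns.
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line -like '#*' -or $line.Trim() -eq '') { continue }

        $values = $line -split ' '
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        if ($row['cs-uri-stem'] -notlike '/owa*') { continue }
        if ($row['cs-username'] -notmatch $userRx) { continue }
        $when = [datetime]::ParseExact($row['date'] + ' ' + $row['time'], 'yyyy-MM-dd HH:mm:ss',
                                       [Globalization.CultureInfo]::InvariantCulture)
        if ($when -lt $StartUtc -or $when -gt $EndUtc) { continue }

        New-Object PSObject -Property @{
            TimeUtc   = $when
            User      = $row['cs-username']
            ClientIp  = $row['c-ip']
            Request   = $row['cs-method'] + ' ' + $row['cs-uri-stem']
            UserAgent = $row['cs(User-Agent)'] -replace '\+', ' '   # IIS encodes spaces as +
        }
    }
}

# Constructed sample in the IIS 7 default W3C layout. 11:39 local is 10:39 UTC
# here (UTC+1 assumed); userA appears from one workstation in the window and
# from a different one hours later.
$sample = @'
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2012-08-14 10:38:52 10.0.0.31 GET /owa/ - 443 COMPANY\userA 10.20.30.40 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1) 200 0 0
2012-08-14 10:39:04 10.0.0.31 POST /owa/ev.owa - 443 COMPANY\userA 10.20.30.40 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1) 200 0 0
2012-08-14 10:39:15 10.0.0.31 GET /owa/ - 443 COMPANY\userB 10.20.30.41 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1) 200 0 0
2012-08-14 13:02:40 10.0.0.31 GET /owa/ - 443 COMPANY\userA 10.20.30.42 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0) 200 0 0
'@ -split "`r?`n"

$startUtc = [datetime]'2012-08-14 10:30:00'
Find-OwaActivity -LogLines $sample -User 'userA' -StartUtc $startUtc -EndUtc $startUtc.AddMinutes(20) |
    Format-Table TimeUtc, User, ClientIp, Request, UserAgent -AutoSize
```

Against a real server, pass `Get-Content` of the day's log file (u_exYYMMDD.log on IIS 7, exYYMMDD.log on IIS 6) as -LogLines. A client IP and user agent that are not the user's usual workstation, at the submission time, is the evidence the reply above got from ISA; no OWA activity at all for that user in the window points back to Outlook or a delegate instead.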
  • >Isn't HA fun?

    It's an interesting arrangement of levers and pulleys. I'll quit there.

    I usually start message tracking at the hub servers, because most of the ad-hoc message tracking I do is for SMTP email.

    Most of the time you get a forwarded copy of an email to trace, so there are no headers and it's a crapshoot.  I've learned to bet on it being SMTP, and the first place it will show up is a hub server.

    YMMV

     


    Saturday, August 18, 2012 3:37 AM
  • On Sat, 18 Aug 2012 03:37:05 +0000, mjolinor wrote:
     
    >>Isn't HA fun?
    >
    >It's an interesting arrangement of levers and pulleys. I'll quit there.
    >
    >
    >
    >I usually start message tracking at the hub servers, because most of the ad-hoc message tracking I do is for SMTP email.
     
    I admit that I do too, unless it's an "I never sent that" situation.
     
    >Most of the time you get a forwarded copy of an email to trace, so there are no headers and it's a crapshoot.
     
    I usually request the original message as an attachment. If they don't
    have the original then it's usually just too bad for them.
     
    >I've learned to bet on it being SMTP, and the first place it will show up is a hub server.
    >YMMV
     
    No kidding? :-)
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Saturday, August 18, 2012 9:14 PM