How to Track the Original Location of an Email via its IP Address

  • Question

  • Hi 

    I have Exchange 2013 

    I want to track a message that was sent from one user to another in the same domain and organization.

    I want to get the sender destination IP address (internal IP) and make sure that the user is using his private PC.

    BR


    Mahmoud

    Tuesday, September 15, 2015 11:47 AM

All replies

  • Hello

    tip: get-messagetrackinglog search... | fl clientip


    sorry my english

    Tuesday, September 15, 2015 1:46 PM
  • Thanks for your reply.

    Can you please explain in detail?


    Mahmoud

    Tuesday, September 15, 2015 2:01 PM
  • Hi ,

    To my knowledge, we can find out the client IP for users' PCs where they use Exchange protocols like POP and IMAP to send emails to other users in Exchange.

    Apart from that, we can find the exact client IP address for application servers that trigger emails through the Exchange servers.

    For Outlook and OWA users, we cannot find out the IP address of the machine from which the email was triggered. In the message tracking logs and also in the headers, it will show that those emails were first initiated from the mailbox servers where they reside.


    Thanks & Regards S.Nithyanandham

    Tuesday, September 15, 2015 2:16 PM
  • Hello

    If you know which email to search for, or the time, you can view the client IP (if a local client is used, not OWA), and from DNS/DHCP you can look up the client hostname; if you have a computer naming policy, you can decide whether that computer is private or not.


    sorry my english

    Tuesday, September 15, 2015 2:19 PM
  • Hi ,

    Did you mean to say that, with the help of either message tracking logs or message headers, we can find out the host name or the IP address of the client that uses Outlook or OWA to send emails to other users?


    Thanks & Regards S.Nithyanandham

    Tuesday, September 15, 2015 2:34 PM
  • Do you have access to the headers of a received message? 

    See if the X-Originating-IP: is populated. It's there for OWA and Outlook clients as well. It can be misleading if the mailbox is in Office 365, however.


    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    • Marked as answer by Mahmoud Adel_ Sunday, September 20, 2015 4:54 AM
    Tuesday, September 15, 2015 2:38 PM
  • Hi ,

    Thanks Andy .


    Thanks & Regards S.Nithyanandham

    Tuesday, September 15, 2015 2:40 PM
  • Hi

    Thank you all for your support. I used the command below:

    Get-MessageTrackingLog -ResultSize Unlimited -Start "9/13/2015 12:00AM" -End "9/13/2015 11:30AM" -Sender "abc@contoso.com" -MessageID "" | FL *

    But when I get the originating source IP and Client IP, I found these IPs are the Exchange servers' IPs.

    BR


    Mahmoud


    • Edited by Mahmoud Adel_ Wednesday, September 16, 2015 6:46 AM
    • Marked as answer by Mahmoud Adel_ Sunday, September 20, 2015 4:53 AM
    Wednesday, September 16, 2015 4:56 AM
  • Hi ,

    Just assume that you have the Outlook client configured with the RPC over HTTP protocol to send email to users in your Exchange environment. In such a case you will not be able to find the IP address of the machine in the message tracking logs when you track that particular message. Instead you will see the Exchange server IP address in the client IP field, and this is by design for Outlook clients.

    So, as Andy suggested, we need to make use of the message headers to find out the client machine IP address. You can collect the original message from the recipient end and from there you can get the headers of the message. In the message headers you can see a stamp called X-Originating-IP, and that is the one which holds the IP address of the machine from which that particular email was triggered.

    Please reply to me if you have any queries.


    Thanks & Regards S.Nithyanandham

    • Marked as answer by Mahmoud Adel_ Sunday, September 20, 2015 4:54 AM
    Wednesday, September 16, 2015 8:21 AM
  • Hi 

    I found this value:

    X-Originating-IP: [10.10.200.13]

    What is this IP address related to? Is this for the client who sent the message?

    Note: inside my environment the IP 10.10.200.13 is related to the Servers VLAN, not the machines VLAN.

    BR


    Mahmoud

    Wednesday, September 16, 2015 8:54 AM
  • Hi 

    I found this value:

    X-Originating-IP: [10.10.200.13]

    What is this IP address related to? Is this for the client who sent the message?

    Note: inside my environment the IP 10.10.200.13 is related to the Servers VLAN, not the machines VLAN.

    BR


    Mahmoud


    Is that IP associated with a load balancer? If so, that would make sense. Depending on the load balancer, you may have to configure extra steps on the LB to surface the real client IP, but that will only work going forward, not looking at the existing headers.

    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    • Marked as answer by Mahmoud Adel_ Sunday, September 20, 2015 4:51 AM
    • Unmarked as answer by Mahmoud Adel_ Sunday, September 20, 2015 4:51 AM
    • Marked as answer by Mahmoud Adel_ Sunday, September 20, 2015 4:53 AM
    Wednesday, September 16, 2015 12:16 PM
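
The header check discussed in the replies above, as an added example that is not code from any poster in this thread: it pulls `X-Originating-IP` and the `Received` hop addresses out of a saved header block and labels each one as server-side or client-side. The subnet ranges, host names and sample headers are constructed assumptions (10.10.200.0/24 is assumed to be the servers VLAN, based on the address quoted in the thread).

```python
import ipaddress
import re
from email import message_from_string

# Assumed VLAN ranges for illustration only; substitute your own.
SERVER_NETS = [ipaddress.ip_network("10.10.200.0/24")]  # servers / load balancers
CLIENT_NETS = [ipaddress.ip_network("10.10.50.0/24")]   # user workstations

# Constructed sample headers; only the X-Originating-IP value is from the thread.
SAMPLE_HEADERS = """\
Received: from MBX01.contoso.com (10.10.200.21) by MBX02.contoso.com
 (10.10.200.22) with Microsoft SMTP Server (TLS); Sun, 13 Sep 2015 09:15:02
 +0300
From: abc@contoso.com
To: xyz@contoso.com
Subject: test
Message-ID: <constructed-0001@contoso.com>
X-Originating-IP: [10.10.200.13]

"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def classify(ip_text):
    """Return 'server', 'client', 'unknown' or 'invalid' for an address string."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if any(ip in net for net in SERVER_NETS):
        return "server"
    if any(ip in net for net in CLIENT_NETS):
        return "client"
    return "unknown"

def trace_origin(raw_headers):
    """Collect X-Originating-IP and Received-hop addresses with their zone."""
    msg = message_from_string(raw_headers)
    origin = [ip for v in msg.get_all("X-Originating-IP", []) for ip in IPV4.findall(v)]
    hops = [ip for v in msg.get_all("Received", []) for ip in IPV4.findall(v)]
    return {
        "originating": [(ip, classify(ip)) for ip in origin],
        "received_hops": [(ip, classify(ip)) for ip in hops],
        # True when the header is present but names only server-side addresses,
        # so it cannot identify the sender's workstation.
        "origin_is_infrastructure": bool(origin)
        and all(classify(ip) == "server" for ip in origin),
    }
```

An `origin_is_infrastructure` value of `True` corresponds to the situation in the thread: the header is populated, but with an address in the servers VLAN, so it does not identify the sender's PC.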
  • I can see the X-Originating-IP in OWA, but not on Outlook 2010. How can the administrator enable downloading X-Originating-IP?
    Tuesday, November 7, 2017 5:05 AM
  • CREATORT creates EVERYTHING with a UNIQUE name-I'm sorry, I forgot the name of the term of that term-NOT Sham or Ram or Mike. With that name the Programmer traces a message WHO or where it is coming from. Meaning of that is Hardware Name. 
    Friday, December 6, 2019 6:11 PM