It depends on where in the transmission chain you need to do the analysis.

If you are looking on the same machine and it runs Outlook Express, the Outlook Express OLE/ActiveX control at C:\Program Files\Outlook Express\msoe.dll has some handles on looking at messages for owners and other properties. The access to message properties is much enhanced in Outlook Express 6/Outlook 2002 compared to earlier versions.

If you need to look at the message after it has passed through SMTP handling, then the only sources of information are the RFC822 headers, which will have the IP of the machine that converted the message to RFC821 format as the last Received header, and the From header (which can be forged). Exchange often adds a binary mail.dat file to messages containing some Exchange details, but this is not consistent.

-----Original Message-----
From: Settle, Sean [mailto:SeanSettleat_private]
Sent: Tue February 26 2002 19:00
To: forensicsat_private
Subject: Exchange/MAPI message origin

Is there a tool to determine which computer a MAPI message was sent from? We would like to be able to determine the origin machine of email messages as needed but have not had much luck finding a tool to give us this information.

Sean Settle X Network Services Q NPC X Phoenix, AZ
SMTP: seansettleat_private

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
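
Added example, not part of the original posts: a short Python sketch of the header-based approach the reply describes, listing the Received hops of a message in travel order and reporting the bottom-most one next to the unverified From value. The sample message, host names and addresses are constructed for illustration, and the function names are hypothetical.

```python
import email
import re
from email import policy

# Constructed sample message (documentation IP ranges, made-up host names).
RAW = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
\tby mx.example.org with ESMTP id A1; Tue, 26 Feb 2002 19:00:09 -0700
Received: from exch01.example.net ([192.0.2.25])
\tby mail.example.net with SMTP id B2; Tue, 26 Feb 2002 19:00:05 -0700
From: "Some User" <user@example.net>
To: someone@example.org
Subject: test

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)

def _first(pattern, text):
    m = pattern.search(text)
    return m.group(1) if m else None

def received_hops(raw):
    """Return Received hops in travel order (earliest hop first)."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        hops.append({"from": _first(FROM_RE, flat),
                     "by": _first(BY_RE, flat),
                     "ip": _first(IP_RE, flat)})
    hops.reverse()  # each relay prepends, so the bottom header is the first hop
    return hops

def origin_summary(raw):
    """Pair the sender-controlled From value with the earliest recorded hop."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    hops = received_hops(raw)
    first = hops[0] if hops else {}
    return {"claimed_from": msg["From"],           # can be forged
            "first_hop_ip": first.get("ip"),       # client IP seen by first relay
            "first_hop_by": first.get("by")}       # relay that recorded it

if __name__ == "__main__":
    print(origin_summary(RAW))
```

Only Received lines written by relays you control are trustworthy; anything below the first such relay was supplied by the sending side.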
This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 17:07:48 PST