That information only exists for SMTP messages, and in this case ntex6npc is the origin mail server, not my workstation name. In this case the message was sent from an internal user to another internal user from their own mailbox (that is the mailbox of the recipient). We were trying to determine which computer the message originated from in the hopes of tracking down the user who sent the message.

Sean Settle
"The Trouble with doing anything right the first time is that nobody appreciates how difficult it was."
X Network Services Q NPC X
SMTP: seansettleat_private

-----Original Message-----
From: Rob Harmer [mailto:robharmat_private]
Sent: Wednesday, February 27, 2002 1:21 PM
To: Settle, Sean; forensicsat_private
Subject: Re: Exchange/MAPI message origin

Sean,

Wouldn't the Properties/Message Source dialog boxes give most of that detail? For instance is your PC node name "ntex6npc" at alliant.com?

Regards
Rob Harmer
http://www.pcprofile.com

FYI your inbound message shows header details such as;

Return-Path: <forensics-return-699-robharm=pcprofile.comat_private>
Received: from williams.adgrafix.com ([208.230.142.2])
    by mta08.mail.mel.aone.net.au with ESMTP
    id <20020227184243.PFPM25799.mta08.mail.mel.aone.net.auat_private>
    for <robharmat_private>; Thu, 28 Feb 2002 05:42:43 +1100
Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27])
    by williams.adgrafix.com (8.9.3/8.9.3) with ESMTP id NAA27409
    for <robharmat_private>; Wed, 27 Feb 2002 13:42:41 -0500 (EST)
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
    by outgoing.securityfocus.com (Postfix) with QMQP
    id 2945FA3286; Wed, 27 Feb 2002 11:31:38 -0700 (MST)
Mailing-List: contact forensics-helpat_private; run by ezmlm
Precedence: bulk
List-Id: <forensics.list-id.securityfocus.com>
List-Post: <mailto:forensicsat_private>
List-Help: <mailto:forensics-helpat_private>
List-Unsubscribe: <mailto:forensics-unsubscribeat_private>
List-Subscribe: <mailto:forensics-subscribeat_private>
Delivered-To: mailing list forensicsat_private
Delivered-To: moderator for forensicsat_private
Received: (qmail 8446 invoked from network); 26 Feb 2002 23:58:24 -0000
Message-ID: <CF60153E84EAD5118C4A00306E01D6091161F6at_private>
From: "Settle, Sean" <SeanSettleat_private>
To: forensicsat_private
Subject: Exchange/MAPI message origin
Date: Tue, 26 Feb 2002 16:59:35 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"

Is there a tool to determine which computer a MAPI message was sent from? We would like to be able to determine the origin machine of email messages as needed but have not had much luck finding a tool to give us this information.

Sean Settle
X Network Services Q NPC X
Phoenix, AZ
SMTP: seansettleat_private

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

----- Original Message -----
From: "Settle, Sean" <SeanSettleat_private>
To: <forensicsat_private>
Sent: Wednesday, February 27, 2002 10:29 AM
Subject: Exchange/MAPI message origin

> Is there a tool to determine which computer a MAPI message was sent from?
> We would like to be able to determine the origin machine of email messages
> as needed but have not had much luck finding a tool to give us this
> information.
>
> Sean Settle
> X Network Services Q NPC X
> Phoenix, AZ
> SMTP: seansettleat_private
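
Added example (not part of the original thread or written by its authors): a small Python parser that walks the Received chain quoted above from oldest to newest, showing that every hop it records is a mail server. The sample input is the trace headers copied from the message above; the function names are hypothetical.

```python
import re
from email import message_from_string

# Trace headers copied from the message quoted above (addresses were already
# redacted by the list archive).
SAMPLE = """\
Received: from williams.adgrafix.com ([208.230.142.2])
 by mta08.mail.mel.aone.net.au with ESMTP
 id <20020227184243.PFPM25799.mta08.mail.mel.aone.net.auat_private>
 for <robharmat_private>; Thu, 28 Feb 2002 05:42:43 +1100
Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27])
 by williams.adgrafix.com (8.9.3/8.9.3) with ESMTP id NAA27409
 for <robharmat_private>; Wed, 27 Feb 2002 13:42:41 -0500 (EST)
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
 by outgoing.securityfocus.com (Postfix) with QMQP
 id 2945FA3286; Wed, 27 Feb 2002 11:31:38 -0700 (MST)
Received: (qmail 8446 invoked from network); 26 Feb 2002 23:58:24 -0000
X-Mailer: Internet Mail Service (5.5.2653.19)

body
"""

def _find(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def received_hops(raw):
    """Return Received entries oldest first (each relay prepends its own)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())         # unfold continuation lines
        trace, _, date = flat.rpartition(";")  # timestamp follows the last ';'
        hops.append({
            "from": _find(r"^from\s+(\S+)", trace),
            "ip": _find(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", trace),
            "by": _find(r"\bby\s+(\S+)", trace),
            "with": _find(r"\bwith\s+(\S+)", trace),
            "date": date.strip(),
        })
    return hops

def earliest_named_sender(hops):
    """Oldest hop that names a sending host; this is a relay, not a desktop."""
    return next((h for h in hops if h["from"]), None)

if __name__ == "__main__":
    for n, hop in enumerate(received_hops(SAMPLE), 1):
        print(n, hop["from"], hop["ip"], "->", hop["by"], hop["with"], hop["date"])
```

The oldest entry in this trace is a local qmail hand-off with no sending host, and the first named sender is a list server, so nothing in the SMTP trace identifies a client workstation.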
This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 19:04:50 PST