Correct me if I'm wrong, but this doesn't apply entirely to MAPI clients, as the originating IP tends to be that of the MAPI server. It may be different for other MAPI servers, but I'm pretty sure this is true for MS Exchange.

You probably need to go into your Exchange logs and see if there's anything in there.

Later'ish
Craig

> -----Original Message-----
> From: Seth Arnold [mailto:sarnoldat_private]
> Sent: Thursday, 28 February 2002 8:14 AM
> To: forensicsat_private
> Subject: Re: Exchange/MAPI message origin
>
>
> On Tue, Feb 26, 2002 at 04:59:35PM -0700, Settle, Sean wrote:
> > Is there a tool to determine which computer a MAPI message was sent from?
> > We would like to be able to determine the origin machine of email messages
> > as needed but have not had much luck finding a tool to give us this
> > information.
>
> Sean, get the full email-headers. Within those headers, you will find
> lines similar to:
>
> Received: from lists.securityfocus.com
>       (lists.securityfocus.com [66.38.151.19])
>       by outgoing.securityfocus.com (Postfix) with QMQP
>       id 2945FA3286; Wed, 27 Feb 2002 11:31:38 -0700 (MST)
>
> As long as your exchange server hasn't been compromised in some way, the
> Received: line should contain the details you need. Note that some
> details are given by the end-user, and can thus be faked. Note that some
> details may be looked up in DNS, and thus can be faked, though with more
> difficulty. Since the connections to a server are TCP based, it is
> harder to fake the IP address.
>
> I hope this helps.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 19:18:14 PST
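
The Received-line reading described in the quoted reply, as an added example that is not part of the original thread: it splits each hop into the client-claimed name, the DNS-derived name and the TCP peer address, and returns the hops oldest-first. The function names, the second hop and its addresses are constructed for illustration, and only the Postfix-style layout shown in the thread is parsed.

```python
import re
from email import message_from_string

# Constructed sample. The top Received line is the one quoted in the thread;
# the second hop uses made-up documentation names and addresses.
SAMPLE = """\
Received: from lists.securityfocus.com
\t(lists.securityfocus.com [66.38.151.19])
\tby outgoing.securityfocus.com (Postfix) with QMQP
\tid 2945FA3286; Wed, 27 Feb 2002 11:31:38 -0700 (MST)
Received: from workstation7 (unknown [192.0.2.44])
\tby lists.securityfocus.com (Postfix) with SMTP
\tid 0000000000; Wed, 27 Feb 2002 11:31:30 -0700 (MST)
Subject: constructed sample

body
"""

# Postfix-style layout: from <HELO> (<rDNS> [<IP>]) by <receiver> ...
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+"
                 r"\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)")

def received_hops(raw):
    """Return the Received hops oldest-first, fields split by trust level."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP.search(flat)
        if m is None:                           # other MTA format: keep raw text
            hops.append({"parsed": False, "raw": flat})
            continue
        hops.append({
            "parsed": True,
            "helo": m["helo"],  # claimed by the sending client, easily faked
            "rdns": m["rdns"],  # DNS lookup done by the receiver, harder to fake
            "ip": m["ip"],      # peer address of the TCP connection
            "by": m["by"],      # server that wrote this line
            "helo_matches_rdns": m["helo"].lower() == m["rdns"].lower(),
        })
    hops.reverse()  # each server prepends its line, so the last is the earliest
    return hops

def origin_candidate(raw):
    """Earliest parsed hop: what the first recording server saw on the wire."""
    return next((h for h in received_hops(raw) if h["parsed"]), None)
```

A hop is only as reliable as the server named in its `by` field: lines below the first server you trust arrive as part of the message and can be written by the sender.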