So here's the situation. An email was sent from a computer within our organization yesterday and we were subsequently marked as spam because of it. We don't know who sent it. We don't know when it was sent (but have an approximate time) and therefore don't have a copy of the e-mail. And we don't know how to track it back.
I'm a programmer and so IT is not my domain, but the programmer in me screams that there's got to be a way to trace this back to the origin. We're running on MS Exchange.
Is it possible to trace this e-mail back to the sender? And how can we do it?!
Without a copy of the e-mail with the original headers, this will be nearly impossible to trace. If you had the headers, you could see the "Received" headers and follow the path back to the origin pretty quickly. Without the usual information, your best bet is to look at the Exchange Server logs for the approximate time in question to see who was sending mail. If you have some sort of message audit logging then you could look there to see if any "spammy" messages came from a particular user.
How do you even know this message came through your Exchange server? If there was malware installed on a workstation and you don't block outbound SMTP, then the malware could be making SMTP connections directly and not touching your Exchange server. You could also have a misconfigured proxy or something else that is being used as a relay.
In my opinion outgoing SMTP should be blocked at the perimeter from everything except your mail servers. If you aren't already blocking SMTP and you don't have any logging set up, then you really can't prove anything. Any computer in the network could have made an SMTP connection to the server.
If you are really worried about this happening again, then you could also set up logging on your perimeter device to log at least the first packet of any port 25 communication.
Email is so easy to forge. It is also entirely possible that you got blocked as spam and the message didn't originate from your network at all. Perhaps some naive system admin assumed that some of the SMTP headers were valid when in fact they were forged.
Since you know about when it was sent you might be able to find some information in the Message Tracking Log. It would also be helpful to know what domain it was sent to.
You can find the location of the log in your Exchange server settings.
For Exchange 2007, look under Server Configuration and get Properties on your Exchange server. Then check the Log Settings tab and see if your Message Tracking Log is enabled. If so this will tell you where it is stored.
For Exchange 2003, you also get Properties on your Exchange server, but this time it should be under the General tab.
Once you find the logs, you should be able to open the log for the time you suspect and see what the activity on your server was at the time.
You could write a script to check every Sent Items folder for each mailbox in Exchange...
You could use CDOEX, which is a COM interface to Exchange.
Using a VB script a system administrator could check all those folders.
But the programmer in you might prefer C#, therefore you could use the OLE DB interface ExOLEDB to Exchange. Microsoft even has an example which uses ADO.
So enough options I guess.
Knowing the approximate time and exact destination of the mail, you can filter Exchange's logs for potential suspects. Whether you can find them depends on the volume of traffic that goes through that Exchange.
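As an added example (not code from any of the answers above), here is a small Python filter that does what the last two answers describe: it reads a message tracking log, keeps only RECEIVE events inside a time window whose recipient is in the destination domain, and counts sender/client-IP pairs. The log text is a constructed sample in the comma-separated, `#Fields:`-headed layout Exchange 2007 writes; the parser takes its column names from that header line, so it adapts to whatever fields a real log contains.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the Exchange 2007 message tracking log layout:
# '#' comment lines, a '#Fields:' header naming the columns, then CSV rows.
SAMPLE_LOG = """#Log-type: Message Tracking Log
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info
2009-05-12T14:02:11.000Z,10.0.0.21,WS-ACCT-07,10.0.0.5,EXCH01,,Default EXCH01,SMTP,RECEIVE,1001,<a1@exch01.example.local>,bob@example.org,,4210,1,,,Invoice,alice@example.local,alice@example.local,
2009-05-12T14:05:40.000Z,10.0.0.44,WS-SALES-02,10.0.0.5,EXCH01,,Default EXCH01,SMTP,RECEIVE,1002,<a2@exch01.example.local>,list@victim.example;sales@victim.example,,98233,2,,,Special offer,carol@example.local,carol@example.local,
2009-05-12T14:06:05.000Z,10.0.0.44,WS-SALES-02,10.0.0.5,EXCH01,,Default EXCH01,SMTP,RECEIVE,1003,<a3@exch01.example.local>,info@victim.example,,98233,1,,,Special offer,carol@example.local,carol@example.local,
2009-05-12T16:30:00.000Z,10.0.0.21,WS-ACCT-07,10.0.0.5,EXCH01,,Default EXCH01,SMTP,RECEIVE,1004,<a4@exch01.example.local>,dave@victim.example,,3100,1,,,Meeting,alice@example.local,alice@example.local,
"""

def parse_tracking_log(text):
    """Yield one dict per row, keyed by the column names in the '#Fields:' line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other comment lines, blanks, or rows before the header
        else:
            yield dict(zip(fields, next(csv.reader([line]))))

def suspects(text, around, window_minutes, dest_domain):
    """Count (sender-address, client-ip) pairs for RECEIVE events logged within
    +/- window_minutes of 'around' with a recipient in dest_domain."""
    lo, hi = around - timedelta(minutes=window_minutes), around + timedelta(minutes=window_minutes)
    suffix = "@" + dest_domain.lower()
    hits = Counter()
    for row in parse_tracking_log(text):
        if row.get("event-id") != "RECEIVE":  # only submissions accepted by this server
            continue
        when = datetime.strptime(row["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        if not lo <= when <= hi:
            continue
        # recipient-address may hold several recipients separated by ';'
        rcpts = [r.strip().lower() for r in row["recipient-address"].split(";")]
        if any(r.endswith(suffix) for r in rcpts):
            hits[(row["sender-address"], row["client-ip"])] += 1
    return hits

def demo():
    """Messages to victim.example around 14:00 UTC on the sample day, +/- 30 minutes."""
    return suspects(SAMPLE_LOG, datetime(2009, 5, 12, 14, 0), 30, "victim.example")

if __name__ == "__main__":
    for (sender, ip), n in demo().most_common():
        print(f"{n} message(s) from {sender} via {ip}")
```

On a real server, point `suspects` at the contents of the `MSGTRK*.LOG` file covering the suspected hour; the client-ip column is what ties a sender address back to a workstation, which matters if the From address itself was forged.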