Tracking Outlook down to the workstation IP address
I discovered an e-mail blast from a virus or malware that went out from my environment and am now trying to track it down to the workstation. I have the mailbox that the e-mails were sent from and they do show up in the Exchange Message Tracking logs, but I am not finding how to determine which of the three workstations this user has the messages came from. We can re-image all three machines but would like to narrow it down. Any ideas?
Jason Meyer
June 30th, 2011 5:14pm

Exchange User Monitor tool: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=11461 (will only help if the messages are still going out... won't give you historical info)
June 30th, 2011 8:24pm

Hi, I suggest you launch Outlook and log on to the received mailbox. In the Internet headers of the message, you can find the IP address of the problematic message. Thanks.
Novak Wu
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 1st, 2011 5:02am

@Novak - I think Jason is referring to the sender and not recipient and the headers would show the client IP as far as I know anyway. Would be nice if it did.
@Jason - What you maybe can do is look at the event logs on the client PCs and see when this user logged on, and maybe cross-match this with the DC event logs, which should show when the user logged on. From here you should be able to determine which PC was active. You have the message details, so it should show the time/date sent. Although the user may have logged in at, say, 9am, the emails may not have been sent until later.
Sukh
July 1st, 2011 9:48am
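
The cross-match Sukh describes, as an added example that is not part of the original thread: it pulls the account's logon events from a domain controller's Security log and lists the source IPs seen in a window before each send time. Assumptions: the DC runs Windows Server 2008 or later (logon is event ID 4624), the script runs elevated on each DC in turn, and the account name, send times and lookback window are constructed placeholders.

```powershell
# Added example; account name, send times and lookback are constructed placeholders.
$User      = 'jdoe'                                         # hypothetical sender account
$SentTimes = @('2011-06-30 14:02:11', '2011-06-30 14:02:47') |
                 ForEach-Object { [datetime]$_ }            # take these from message tracking
$Lookback  = [timespan]::FromHours(10)                      # logons older than this are ignored

function Get-LogonRecord {
    param([string]$User, [datetime]$Start, [datetime]$End)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Index the named <Data> fields of the event so they can be read by name.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -eq $User) {
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                LogonType   = $data['LogonType']        # 2 = interactive, 3 = network
                Workstation = $data['WorkstationName']  # often empty for Kerberos logons
                SourceIp    = $data['IpAddress']        # address the logon came from
            }
        }
    }
}

function Select-CandidateSource {
    param($Logons, [datetime[]]$SentTimes, [timespan]$Lookback)
    foreach ($sent in $SentTimes) {
        # Keep logons that happened before this send, within the lookback window.
        $Logons | Where-Object { $_.Time -le $sent -and $_.Time -ge ($sent - $Lookback) } |
            Select-Object @{ n = 'Sent'; e = { $sent } }, Time, LogonType, Workstation, SourceIp
    }
}

$sorted = @($SentTimes | Sort-Object)
$logons = @(Get-LogonRecord -User $User -Start ($sorted[0] - $Lookback) -End $sorted[-1])

# Rank source addresses by how many send times they precede.
Select-CandidateSource -Logons $logons -SentTimes $SentTimes -Lookback $Lookback |
    Group-Object SourceIp, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A logon before the send time only shows that the workstation had a session for the account, so the result narrows the three machines down rather than proving which one sent the mail.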

Thanks for the input guys, sounds like there is not a way to tell what machine these messages were generated on. I do not have access to the workstation or the domain controllers so will turn that over to those that do. Will also give Exmon a look, have heard of it but haven't installed it yet. Thanks again, Jason
Jason Meyer
July 1st, 2011 6:07pm

I agree with Sukh. You can log on to the client machine and compare the user's logon time with when the message is received. Thanks.
Novak Wu
July 4th, 2011 3:21am

How are things going? If there is any progress or question, please feel free to post it here. Thanks.
Novak Wu
July 5th, 2011 2:50am

Well, like I said, I don't have access to the user's workstation and will give Exmon a try. What I was looking for was that there is no way to tell what IP address an e-mail came from when sent from an Outlook client connected to an Exchange server. Thanks. Feel free to mark whatever post the answer you like.
Jason Meyer
July 5th, 2011 4:36pm

This topic is archived. No further replies will be accepted.
