If the person reading your email is doing so with Outlook Web Access (OWA), then it is much harder to track. All communications can be tracked, but you will need to capture the traffic with a network monitoring tool (e.g., NetMon, Wireshark, etc.) during the time frame that the incident occurs. Reviewing the capture log could reveal the source IP address of your hacker.
The IP address is really only of value to you if it is coming from within your organization. If the connection is being established externally, then you will not be able to rely on the IP address in the capture as it will probably be coming from the external interface of a firewall that is performing network address translation (NAT).
Do you have comments on this Ask the Expert Q&A? Let us know.
Ask an Exchange Server question in our forum.
Dig Deeper on Microsoft Exchange Server Monitoring and Logging
Related Q&A from Richard Luckett
I just upgraded to Exchange 2010, but Exchange is generating an immense amount of logs. How can I change this so they grow at a more reasonable rate?continue reading
When you're stumped on how to track email items following a central mailbox move, fix the dilemma by knowing what happens to items in mailboxes when ...continue reading
You can pull out the big guns to manually remove what's left of your failed Exchange Server from Active Directory, but it's best to consider ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.