If the person reading your email is doing so with Outlook Web Access (OWA), then it is much harder to track. All communications can be tracked, but you will need to capture the traffic with a network monitoring tool (e.g., NetMon, Wireshark, etc.) during the time frame that the incident occurs. Reviewing the capture log could reveal the source IP address of your hacker.
The IP address is really only of value to you if it is coming from within your organization. If the connection is being established externally, then you will not be able to rely on the IP address in the capture as it will probably be coming from the external interface of a firewall that is performing network address translation (NAT).
Do you have comments on this Ask the Expert Q&A? Let us know.
Ask an Exchange Server question in our forum.
This was first published in September 2008