An administrator wanted to know if there is a way to know who sent the message, when messages are sent by changing the From field in Outlook to a different user.
A user said that someone got an email message from him but that he did not send it. The message was not in his Sent Items folder. Email sent through Outlook can show that the messages were sent from someone else if the From field is changed to a different use. Is there a way to tell who really sent the email?
First, was the message legitimate (not spam) and sent by someone logged into Exchange? Check the email header and see if it came from outside the Exchange server.
If the message was sent by someone inside the organization, the only way someone could send a message by putting his name in the From field is If they have Send as permissions.
When a user has Send on behalf of permissions for another account (or is a Delegate), the message will be From User1 on behalf of User2. Exchange will not accept mail with a different name in the From field unless the sender’s account has permission to send on behalf of that address.
To check the permissions, check the user’s account in the Active Directory.
- In Active Directory Users and Computers, enable Advanced view (View menu).
- Then check the user account’s Properties.
- Look on the Security tab for accounts that have Send As rights to the user’s account.
Otherwise, it is impossible to prove who really sent the message, unless a sent copy is found in the other person's sent folder.