Tracing Emails in Microsoft Outlook.

  1. #1
    Did someone said Pizza :) FanacooL's Avatar
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466

    Tracing Emails in Microsoft Outlook.

    Hi everyone!

    I have come across a very unusual issue. When I came to the office today, one of the users complained to me that he hasn't received any email today, although there were emails in which he was cc'd and the other recipients did receive them.

    I checked his email box and it was empty at that time. I sent a test email from a local account (Domain) and from a public email address and both were received. It was around 9:15 AM. All the emails after 9:15 were coming to his mailbox, and not a single email generated last night and early morning was there.

    I asked one of his department colleagues to send me emails in which that particular user is copied so that I can check the email ID and can look at the time the emails were sent. The email address was perfectly all right and most of them were replies, so no chance of a wrong email in it.

    The user is using Microsoft Outlook, and I have experienced in the past that when the pst file of Outlook reaches around 2 GB emails get lost and things like that. Surprisingly, the pst size was 900MB, and since emails after 9:15 AM were being received there is no chance the pst got corrupted. Anyway, I went to check the log of the server (the email server I am using is MDaemon), and upon looking at the routing details, yes, the emails were received by the server at the same time as other users received the emails.

    Now I checked the POP log to see at what time the user fetched email from MDaemon today, and I came across the fact that the first connection made to the server by him was at 9:03 and he downloaded 31 emails onto his system (MDaemon also logs the IP from where the mailbox is accessed).

    So I went to the user and asked him when he came to the office; he said around 8:50. I asked him when he downloaded his email; he said around 9:02 or 03 maybe. I asked how many messages it showed at that time and he said I AM TELLING YOU THE MAIL BOX WAS EMPTY, and soon after, pausing for a while, said there were 31 emails but dunno where they got downloaded.

    Now what I am assuming here is that the user is lying and he has intentionally deleted all the emails, as he is always looking to mess with the IT Department.

    Although I have proof that the emails arrived on the server and were downloaded onto his PC, and the user gave a false statement and then changed it after a while, I wanted to know: is there any sort of log that is maintained by Microsoft Outlook to trace this issue?

    If there isn't anything like that, how can I ensure in future that such issues won't occur? Any suggestions?
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

  2. #2
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    There are a couple things you can do... Check out these steps to recover deleted email:
    http://www.outlook-tips.net/howto/recover_deleted.htm

    Also you can check out this software that will recover deleted email:
    http://www.recover-my-email.com/

    As for preventing it... unfortunately the mailbox belongs to the user so you can't do a lot... I would suggest maintaining a log file (such as you have), maintaining a separate log file... set it up so each subject line is stored when a message is downloaded to a client (well within your corporate rights)... and the best idea... set Outlook to not remove messages from the mail server... This way there will be a duplicate on the mail server even after the user has checked their mail... or set it up so that everything is forwarded to local mboxes in each user name... then if they say who the mail was deleted you can sit them down at a terminal and type pine.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    If you can't find deleted e-mails, check that he hasn't moved them into another folder, or even archived them
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    All I can do is ask a question and reference experience; I don't run an email server.

    This has not happened in a while, but I have seen instances where a POP email client would connect, then lock and fail to receive email from the server if there were malformed emails stored on the server. The client would indicate that there were unread messages (sometimes over a hundred) but would time out when attempting to retrieve them.

    However, emails not received would remain on the server. ( The clients were set up to delete emails once they were received. )

    The solution ( in my case ) was to either have the admin of the server ( the ISP in my cases ) delete the offending emails, ( a real pain in the ass for those affected, ) or I would go in via a web interface and delete them ( a real pain in the ass for me, but easier on the clients. These were not my accounts, I did this on behalf of others, several others. And I did it regularly for a couple. All offending messages were spam that locked the systems.)

    Again, this has not occurred in a while, ( probably a year or so,) most were with Mozilla products, but one was with Outlook.

    I guess what I am getting at is, even though the client connected, were the emails actually downloaded?

    Is the client set up to delete emails once received? ( May not be practical in a corporate environment. But there should be a way of telling if the client actually received the email, isn't there? )

    Is there some type of filtering on the server that would eliminate offending correspondence that might lock the systems?

    Has the client been checked for integrity?

    Just my thoughts.

    Hope it helps, but I think I just muddied the waters.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    I can certainly support what IKnowNot has said, as I have had the same experience, only with Outlook and Outlook Express in my cases.

    The mail should still be on the server, but there will be no trace of it on the client. Generally this situation forces a reboot which may show up in the Event Viewer? I never looked at that because I knew what the problem was.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    Did someone said Pizza :) FanacooL's Avatar
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    HTRegz: Nothing got recovered via that tool.

    Nihil: Nope, the emails aren't in that pst file. I have searched the whole pst for the emails received today, or even from the particular sender, but they are not present.

    IKnowNot: Well, the emails will be deleted from the server upon successful completion of the session, and if the link times out or experiences any other issue the emails will not be deleted. As per the log of the mail server, once the emails were downloaded successfully they were deleted from the server.

    There ain't any emails on the server too :-(

    As per the user, Outlook showed emails were downloaded; again, as per the log, the session was created at 09:06:28, all 31 emails were downloaded, and the session terminated after deleting the messages from the server till 09:06:42. Exactly after doing this the user checked email again at 09:06:48 and 09:07:12, and each time the server responded that the email box was empty.

    Well, since this user has been showing off and is a psycho case, there is a chance that he might have done it (deleted emails).

    But if the emails were deleted by him, and he had deleted them from Deleted Items, then upon running the tool suggested by HTRegz they should have been recovered. I tested the tool on my PC before running it on the machine. I removed the deleted items from my system and upon running the tool I managed to see those deleted items.

    So I am a little confused here: if the emails were not downloaded onto the system (as per the user), and the server is showing they have been downloaded and deleted, THEN WHERE THE HELL DID THEY GO?
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!
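
An added example (not part of any post in this thread, and not MDaemon's own tooling): a small Python parser that rebuilds POP3 sessions from a command log and reports, per session, which messages the server sent, which were marked for deletion, and whether a QUIT actually committed the deletions. The log layout, the `summarize` function and all sample values are constructed for illustration; only the POP3 verbs and their RFC 1939 semantics are real.

```python
import re
# Constructed sample in a made-up layout: time [session] client-ip side: text.
# This is NOT MDaemon's real log format; adapt LINE to what your server writes.
SAMPLE_LOG = """\
09:06:28 [s1] 192.0.2.10 C: USER jdoe
09:06:30 [s1] 192.0.2.10 C: RETR 1
09:06:31 [s1] 192.0.2.10 S: +OK 2048 octets
09:06:33 [s1] 192.0.2.10 C: RETR 2
09:06:35 [s1] 192.0.2.10 S: +OK 3072 octets
09:06:36 [s1] 192.0.2.10 C: DELE 1
09:06:36 [s1] 192.0.2.10 S: +OK
09:06:37 [s1] 192.0.2.10 C: DELE 2
09:06:37 [s1] 192.0.2.10 S: +OK
09:06:42 [s1] 192.0.2.10 C: QUIT
09:06:42 [s1] 192.0.2.10 S: +OK
09:10:00 [s2] 192.0.2.22 C: USER asmith
09:10:01 [s2] 192.0.2.22 C: RETR 1
09:10:02 [s2] 192.0.2.22 S: +OK 900 octets
09:10:03 [s2] 192.0.2.22 C: DELE 1
09:10:03 [s2] 192.0.2.22 S: +OK
"""
LINE = re.compile(r"(\S+) \[(\w+)\] (\S+) ([CS]): (.*)")

def summarize(log_text):
    """Per session: messages sent to the client, marked deleted, and whether QUIT committed."""
    sessions, pending = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, sid, ip, side, text = m.groups()
        s = sessions.setdefault(sid, {"ip": ip, "user": None, "start": ts,
                                      "retrieved": [], "marked": [], "committed": False})
        s["end"] = ts
        if side == "C":
            verb, _, arg = text.partition(" ")
            pending[sid] = (verb.upper(), arg)
            if verb.upper() == "USER":
                s["user"] = arg
        elif sid in pending:
            verb, arg = pending.pop(sid)
            if not text.startswith("+OK"):
                continue  # -ERR: the command had no effect
            if verb in ("RETR", "DELE"):
                s["retrieved" if verb == "RETR" else "marked"].append(int(arg))
            elif verb == "QUIT":
                # RFC 1939: DELE marks are applied only when QUIT enters UPDATE state
                s["committed"] = True
    return sessions
```

A `+OK` on `RETR` shows that the server sent the message, not that the client stored it; session `s2` in the sample ends without `QUIT`, so its deletion mark is never applied and the message stays on the server.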

  7. #7
    Did someone said Pizza :) FanacooL's Avatar
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    nihil

    Yes, when I came into the office and checked the server, it had been restarted before my arrival and there was an entry in the Event Viewer: ID 1076, something like bug check. Still no sign of emails on the server?
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

  8. #8
    Banned
    Join Date
    Jul 2004
    Posts
    297
    You might check to make sure he was logged in under his username at the time the mail was not appearing since each profile gets its own store folder.

  9. #9
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hmmmm,

    It looks like some sort of unexpected shutdown?

    http://www.windowsnetworking.com/art...dows-2003.html

    It should be 1074 if it were a manually forced one.

    Anything else strange shown up?
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  10. #10
    Did someone said Pizza :) FanacooL's Avatar
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    Spamdies

    Yes, the user was logged in under his account, and his email is configured under his account only. He cannot create an email account elsewhere without having the email passwords, which are not disclosed by us.

    Nihil
    Nothing other than this shutdown event. I have checked the email server for msg files, but his emails aren't there.

    I have experienced that Outlook downloads messages and deletes them only when the pst file gets oversized or corrupted, but in this case the situation is totally different: the pst size is fine and the file is also not corrupted. As I said, emails after that particular event are coming in.
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!
