Re: Advanced tracking of messages

Wed, 17 Sep 2008 07:54:21 -0700 

Great points.  Then there's Journaling -- resource hog, but fairly
comprehensive.
Also, IE history and temporary files.  Content filters can be pretty
useful, if you know what you're looking for, and a web proxy provides some control. If you want to get extreme, there's keylogging and employee spyi...er...monitoring software. All these tools can help with the technical objectives, but in the end this is a management/personnel problem, and I refer your boss(es) to Ed Crowley's signature. 


----- Original Message ----- 
From: "Fred Skrotzki" <[EMAIL PROTECTED]>

To: "Exchange Discussions" <[email protected]>
Sent: Tuesday, September 16, 2008 9:46 AM
Subject: RE: Advanced tracking of messages


For the future make sure that you have deleted mail retention enabled
and set to something reasonable like 7-14 days days.  That way even if
they delete it is still on the server and recoverable by the user or
admin for up to that amount of time (or slightly longer if the full
backup has not occurred, see the options on it for full details).

What you can't track is if they opened it, cut and pasted (or right
clicked and saved/exported it out) then attached it into another e-mail
program like a gmail account, etc and sent it along that way.

Without knowing your office security procedures I can think of many ways
to get a copy sent out unless somebody was smart enough to close those
loopholes (gmail, yahoo, msn, etc).  A SSH session can be setup to allow
tunneling so if ssh is allowed out I can get almost anything out to a
linux box and then reconnect that to anyplace else without you knowing.

Take exported message and put it on a thumb drive?  Attach to the mail
server with a imap account which will show it being read but then save
it off and send it along another route, etc...

Zip/winrar it with a password and upload it to a site like pastebin, or
megaupload.com, very many ways to get things out if you are hell bent on
doing it.  (and before somebody say's can't attach bin to pastebin, if
it's small enough use bin2hex, uuencode, etc. type program to convert to
text).

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Braun, Charles
Sent: Tuesday, September 16, 2008 11:54 AM
To: Exchange Discussions
Subject: RE: Advanced tracking of messages

I thought about restoring the mailbox.  That would not show me much more
though than if the person had forwarded the message (find in sent items)
and even that is not 100% accurate as the person could possibly have
deleted it from sent items.

It doesn't seem that I am going to be much help to the investigation
process this time around.

Is there any sort of advanced logging or tracking that I might be able
to turn on in the event I get a request like this in the future?

I know that if there is such a thing, that it would be a huge resource
hog, but I am sure that the question will at least be asked by those in
charge when I break the news to them that I can't provide much in this
case.
_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange
To subscribe: http://e-newsletters.internet.com/discussionlists.html/
To unsubscribe send a blank email to
[EMAIL PROTECTED]
t.com
Exchange List admin:    [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016

Please include the email address which you have been contacted with.


_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange
To subscribe: http://e-newsletters.internet.com/discussionlists.html/
To unsubscribe send a blank email to
[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016

Please include the email address which you have been contacted with.


_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange
To subscribe: http://e-newsletters.internet.com/discussionlists.html/
To unsubscribe send a blank email to [EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016

Please include the email address which you have been contacted with.























					Reply via email to