If they check the message header of the email they will see whether it came
from within the organisation; it will be blank if it was internal. If it is
from an SMTP spoof site it will have details from outside the organisation.

Regards

Mr Louis Joyce
Computer Support Analyst
Network Administrator
BT Ignite eSolutions
+44 (0)1392 459155



-----Original Message-----
From: Tim Ault [mailto:[EMAIL PROTECTED]]
Sent: 19 October 2001 16:33
To: Exchange Discussions
Subject: Investigating a Forged Message


Here's a little something some of you may enjoy this fine Friday.. put on
your investigator hats..

My wife forwarded this message to me:

> From:         McDonald, Arthur K.  
> Sent: Friday, October 19, 2001 9:19 AM
> To:   EPDS Contractors; EPDS - EPI Data Systems
> Subject:      Much to be grateful for...
> 
> All of us in this division have much to be grateful for and for that
> reason, I would like to encourage each of you to go home at noon today.
> You may use my annual leave since I have far more than I will ever use.
> Go home, be with your families, talk with your neighbors, love life and be
> grateful for all we have in this great nation of ours.  Then come back on
> Monday refreshed and ready to take on the world!

ahem.. *chortle* ..well, in any event, "Arthur", VP (Very Pissed), wants a
head on a pike.
I will offer to him (via my woman) the following likely prospects:

1) The culprit got direct access to OL2k on the desktop;
2) The culprit knew Arthur's username & password;
3) A confederate Exchange Admin granted "User" or "Send as" permission to
culprit
4) Culprit spoofed the message from an SMTP srvr, or used a similar serve
from the web.

Feel free to presume the obvious; and I can pass along a few details that
have been provided to me.
Care to contribute?

Tim.

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
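
Added example, not part of the original thread: a sketch of the header check described in the reply above, reading the Received lines of a raw message and reporting whether any hop came from outside the organisation. The `.corp.example` suffix, host names, addresses and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: hosts under this suffix belong to the organisation (hypothetical name).
INTERNAL_SUFFIX = ".corp.example"

# Constructed sample: sent inside the mail system, so no SMTP hops were recorded.
INTERNAL_MSG = (
    'From: "McDonald, Arthur K." <amcdonald@corp.example>\n'
    "Subject: Much to be grateful for...\n"
    "\n"
    "body\n"
)

# Constructed sample: same From line, but handed to the gateway by an outside host.
EXTERNAL_MSG = (
    "Received: from mx1.corp.example (mx1.corp.example [10.0.0.5])\n"
    "\tby exch01.corp.example with SMTP; Fri, 19 Oct 2001 09:19:40 -0400\n"
    "Received: from webmailer.example.net (webmailer.example.net [192.0.2.44])\n"
    "\tby mx1.corp.example with SMTP; Fri, 19 Oct 2001 09:19:31 -0400\n"
    + INTERNAL_MSG
)

FROM_HOST = re.compile(r"from\s+(\S+)", re.IGNORECASE)

def received_hosts(raw):
    """Return the 'from' host of each Received header, newest hop first."""
    msg = message_from_string(raw)
    hosts = []
    for value in msg.get_all("Received", []):
        m = FROM_HOST.match(value.strip())
        hosts.append(m.group(1).lower() if m else "unknown")
    return hosts

def classify(raw):
    """'internal' if no SMTP hops, 'external' if any hop came from outside."""
    hosts = received_hosts(raw)
    if not hosts:
        return "internal"
    # Only the hop written by your own gateway is trustworthy; older Received
    # lines are supplied by the sender and can be fabricated.
    if any(not h.endswith(INTERNAL_SUFFIX) for h in hosts):
        return "external"
    return "internal-relay"

if __name__ == "__main__":
    for name, raw in (("internal", INTERNAL_MSG), ("external", EXTERNAL_MSG)):
        print(name, classify(raw), received_hosts(raw))
```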
