Headers, Post your Headers

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Tim Ault
Sent: Friday, October 19, 2001 9:09 AM
To: Exchange Discussions
Subject: RE: Investigating a Forged Message


Thanks.

The message appears to have been sent directly from McDonald's mailbox.
Haven't heard yet if the font was courier (implies it was sent from
OWA55). If the culprit sent it via O.E., then the source IP can be
traced back to the internal host.

Tim.

-----Original Message-----
From: Joyce, Louis [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 19, 2001 11:37 AM
To: Exchange Discussions
Subject: RE: Investigating a Forged Message


If they check the message header of the email, they will see whether it
came from within the organisation; it will be blank if it was internal.
If it is from an SMTP spoof site, it will have details from outside the
organisation.

Regards

Mr Louis Joyce
Computer Support Analyst
Network Administrator
BT Ignite eSolutions
+44 (0)1392 459155
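The header check described above, as an added example that is not part of this thread: a short Python script that pulls the connecting-host IP out of each Received: header of a raw message, classifies each hop as inside or outside the organisation's address space, and reports the verdict. The internal network ranges, the sample messages and the placeholder addresses are all constructed for the example; the RFC 1918 ranges stand in for whatever your own organisation uses.

```python
"""Classify the SMTP hops in a message's Received: headers as internal or external.

Added illustration for this thread; constructed data throughout.
"""
import ipaddress
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List

# Assumption: the address ranges the organisation treats as internal.
# Replace with the real ranges of your own network.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Received: headers record the connecting host as a bracketed IP literal,
# e.g. "from relay (relay.example [192.0.2.10]) by ...".
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def received_hops(msg: Message) -> List[str]:
    """Return the connecting IP of each Received: header, newest hop first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        match = _IP_RE.search(hdr)
        if match:
            hops.append(match.group(1))
    return hops


def classify(raw: str) -> Dict[str, object]:
    """Parse a raw RFC 822 message and judge where its SMTP hops came from."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    external = [ip for ip in hops if not is_internal(ip)]
    if not hops:
        # No Received: headers at all: submitted straight into the mailbox
        # (MAPI client or OWA), never relayed over SMTP.
        verdict = "no SMTP hops (submitted directly from a mailbox client)"
    elif external:
        verdict = "traversed external host(s)"
    else:
        verdict = "internal SMTP hops only"
    return {"hops": hops, "external": external, "verdict": verdict}


# Constructed sample: a message relayed in from an outside SMTP host.
RELAYED_FROM_OUTSIDE = """Received: from mail.corp.example (mail.corp.example [10.1.1.5])
\tby exch01.corp.example with SMTP; Fri, 19 Oct 2001 09:19:00 -0400
Received: from openrelay.example.net (openrelay.example.net [203.0.113.77])
\tby mail.corp.example with SMTP; Fri, 19 Oct 2001 09:18:55 -0400
From: "Placeholder, Executive" <placeholder-exec@corp.example>
To: Placeholder List <placeholder-list@corp.example>
Subject: Constructed sample

Body of the constructed sample.
"""

# Constructed sample: the same note submitted directly from a mailbox,
# so no Received: headers exist.
SUBMITTED_DIRECTLY = """From: "Placeholder, Executive" <placeholder-exec@corp.example>
To: Placeholder List <placeholder-list@corp.example>
Subject: Constructed sample

Body of the constructed sample.
"""

if __name__ == "__main__":
    for name, raw in [("relayed", RELAYED_FROM_OUTSIDE), ("direct", SUBMITTED_DIRECTLY)]:
        print(name, classify(raw))
```

Only the Received: lines stamped by your own servers can be trusted; everything beneath the first internal hop was written by whichever host handed the message over, so an outside relay can forge the lines below its own. The useful reading is therefore the topmost external hop that one of your servers recorded, and the empty-hops case, which points back at a mailbox client rather than at SMTP.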



-----Original Message-----
From: Tim Ault [mailto:[EMAIL PROTECTED]]
Sent: 19 October 2001 16:33
To: Exchange Discussions
Subject: Investigating a Forged Message


Here's a little something some of you may enjoy this fine Friday.. put
on your investigator hats..

My wife forwarded this message to me:

> From: McDonald, Arthur K.
> Sent: Friday, October 19, 2001 9:19 AM
> To: EPDS Contractors; EPDS - EPI Data Systems
> Subject: Much to be grateful for...
> 
> All of us in this division have much to be grateful for and for that 
> reason, I would like to encourage each of you to go home at noon 
> today. You may use my annual leave since I have far more than I will 
> ever use. Go home, be with your families, talk with your neighbors, 
> love life and be grateful for all we have in this great nation of 
> ours.  Then come back on Monday refreshed and ready to take on the 
> world!

ahem.. *chortle* ..well, in any event, "Arthur", VP (Very Pissed), wants
a head on a pike. I will offer to him (via my woman) the following
likely prospects:

1) The culprit got direct access to OL2k on the desktop;
2) The culprit knew Arthur's username & password;
3) A confederate Exchange Admin granted "User" or "Send as" permission
to the culprit;
4) The culprit spoofed the message from an SMTP server, or used a similar
service from the web.

Feel free to presume the obvious; and I can pass along a few details
that have been provided to me. Care to contribute?

Tim.

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
