Well, that is not necessarily true.  All he needs is to precompose the
letter, put on floppy, and walk over with a simple copy-paste, done in 1
minute or less.

Andrew,
MCSE (NT & W2K) + CCNA
 

-----Original Message-----
From: Tim Ault [mailto:[EMAIL PROTECTED]] 
Posted At: Friday, October 19, 2001 9:13 AM
Posted To: NewsgroupDiscussion
Conversation: Investigating a Forged Message
Subject: RE: Investigating a Forged Message


Thanks.

I believe item #1 (of my post) is most probable.. hell, I must leave
OL2k open and unattended on my PC a dozen times every day for minutes at
a stretch.

However, this takes balls. Considering the length and articulate
phrasing of the message, it seems the person would have spent an
inordinate amount of time at McDonald's desk. Certainly someone should
have seen somebody there.

I have recommended they check the EV on the server on which McDonald's
mailbox resides for EV 1016's.. just in case the Admin was in on it.

Tim.


-----Original Message-----
From: Wright, Steven [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 19, 2001 11:47 AM
To: Exchange Discussions
Subject: RE: Investigating a Forged Message


It appears that it was sent via Exchange since there are no internet
addresses in the TO: FROM: fields.  Also, if you check the headers and
there is nothing there, then you have the culprit in-house and logging
on legitimately via the user's account.  The original suggestions below
are probably what occurred.

How accessible is the VP's computer?  Maybe someone took a quick
opportunity at an unattended computer.  If they were very clever, they
might have set the message to delay a day or so before delivery.

Hope everyone at the company took it seriously and went home ;-)

Steve

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 19, 2001 11:39 AM
To: Exchange Discussions
Subject: RE: Investigating a Forged Message


Headers, Let us see the headers.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Tim Ault
Sent: Friday, October 19, 2001 8:33 AM
To: Exchange Discussions
Subject: Investigating a Forged Message


Here's a little something some of you may enjoy this fine Friday.. put
on your investigator hats..

My wife forwarded this message to me:

> From:         McDonald, Arthur K.  
> Sent: Friday, October 19, 2001 9:19 AM
> To:   EPDS Contractors; EPDS - EPI Data Systems
> Subject:      Much to be grateful for...
> 
> All of us in this division have much to be grateful for and for that
> reason, I would like to encourage each of you to go home at noon 
> today. You may use my annual leave since I have far more than I will 
> ever use. Go home, be with your families, talk with your neighbors, 
> love life and be grateful for all we have in this great nation of 
> ours.  Then come back on Monday refreshed and ready to take on the 
> world!

ahem.. *chortle* ..well, in any event, "Arthur", VP (Very Pissed), wants
a head on a pike. I will offer to him (via my woman) the following
likely prospects:

1) The culprit got direct access to OL2k on the desktop;
2) The culprit knew Arthur's username & password;
3) A confederate Exchange Admin granted "User" or "Send as" permission
to culprit
4) Culprit spoofed the message from an SMTP srvr, or used a similar
serve from the web.

Feel free to presume the obvious; and I can pass along a few details
that have been provided to me. Care to contribute?

Tim.

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
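
The header check discussed in the thread (no Internet headers and no SMTP addresses pointing to in-house submission, versus Tim's option 4 of an SMTP spoof) can be sketched as follows. This is an added example, not code from any poster; the sample messages, host names and the `ORG_SUFFIX` naming convention are constructed assumptions.

```python
import re
from email import message_from_string

ORG_SUFFIX = ".corp.example"  # assumption: how internal hosts are named

# Pulls the sending and receiving host out of one Received: header.
HOP = re.compile(r"from\s+(\S+).*?by\s+([^\s;]+)", re.S | re.I)

# Constructed sample: submitted through the mail client, no SMTP trace.
INTERNAL = """\
From: Example, Alice
To: Division Staff; Division Contractors
Subject: Go home at noon

Body text.
"""

# Constructed sample: injected over SMTP from outside the organisation.
SPOOFED = """\
Received: from mail.corp.example (10.0.0.5) by exch01.corp.example;
 Fri, 19 Oct 2001 09:19:02 -0400
Received: from dialup-203-0-113-7.isp.example (203.0.113.7)
 by mail.corp.example; Fri, 19 Oct 2001 09:19:00 -0400
From: "Example, Alice" <alice@corp.example>
To: staff@corp.example
Subject: Go home at noon

Body text.
"""

def triage(raw):
    """Classify a raw message by its transport trace, oldest hop first."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    smtp_addr = any("@" in (msg.get(h) or "") for h in ("From", "To"))
    if not received:
        # No trace at all: consistent with in-house submission only when
        # the address fields carry display names rather than SMTP addresses.
        verdict = "smtp-addresses-no-trace" if smtp_addr else "internal-submission"
        return {"verdict": verdict, "hops": []}
    hops = []
    for value in reversed(received):  # headers are prepended, so reverse
        m = HOP.search(value)
        hops.append((m.group(1).lower(), m.group(2).lower()) if m else ("?", "?"))
    external = not hops[0][0].endswith(ORG_SUFFIX)
    verdict = "smtp-external-origin" if external else "smtp-internal-origin"
    return {"verdict": verdict, "hops": hops}
```

An `internal-submission` verdict only narrows the search to the first three options in Tim's list; it does not say which of them occurred.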

