Ask McDonald, "Where exactly were you at 9:19AM this morning, and for how long before that, and who knew?"
i.e. was he in the washroom with his $250 Italian leathers poking out underneath the stall, making noises that indicated extreme abdominal discomfort... :) > -----Original Message----- > From: Tim Ault [mailto:[EMAIL PROTECTED]] > Posted At: Friday, October 19, 2001 11:13 AM > Posted To: MSExchange Mailing List > Conversation: Investigating a Forged Message > Subject: RE: Investigating a Forged Message > > > Thanks. > > I believe item #1 (of my post) is most probable.. hell, I > must leave OL2k > open and unattended on my PC a dozen times every day for minutes at a > stretch. > > However, this takes balls. Considering the length and > articulate phrasing of > the message, it seems the person would have spent an > inordinate amount of > time at McDonald's desk. Certainly someone should have seen > somebody there. > > I have recommended they check the EV on the server which > McDonald's mailbox > resides for EV 1016's.. just incase the Admin was in on it. > > Tim. > > > -----Original Message----- > From: Wright, Steven [mailto:[EMAIL PROTECTED]] > Sent: Friday, October 19, 2001 11:47 AM > To: Exchange Discussions > Subject: RE: Investigating a Forged Message > > > It appears that it was send via Exchange since there are no internet > addresses in the TO: FROM: fields. Also, if you check the > headers and there > is nothing there, then you have the culprit in-house and logging on > legitimately via the user's account. The original > suggestions below are > probably what occurred. > > How accessible is the VP's computer? May be someone took a quick > opportunity at an unattended computer. If they were very > clever, they might > have set the message to delay a day or so before delivery. > > Hope everyone at the company took it seriously and went home ;-) > > Steve > > -----Original Message----- > From: Martin Blackstone [mailto:[EMAIL PROTECTED]] > Sent: Friday, October 19, 2001 11:39 AM > To: Exchange Discussions > Subject: RE: Investigating a Forged Message > > > Headers, Let us see the headers. > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Ault > Sent: Friday, October 19, 2001 8:33 AM > To: Exchange Discussions > Subject: Investigating a Forged Message > > > Here's a little something some of you may enjoy this fine Friday.. put > on your investigator hats.. > > My wife forwarded this message to me: > > > From: McDonald, Arthur K. > > Sent: Friday, October 19, 2001 9:19 AM > > To: EPDS Contractors; EPDS - EPI Data Systems > > Subject: Much to be grateful for... > > > > All of us in this division have much to be grateful for and > for that > > reason, I would like to encourage each of you to go home at noon > > today. You may use my annual leave since I have far more > than I will > > ever use. Go home, be with your families, talk with your neighbors, > > love life and be grateful for all we have in this great nation of > > ours. Then come back on Monday refreshed and ready to take on the > > world! > > ahem.. *chortle* ..well, in any event, "Arthur", VP (Very > Pissed), wants > a head on a pike. I will offer to him (via my woman) the following > likely prospects: > > 1) The culprit got direct access to OL2k on the desktop; > 2) The culprit knew Arthur's username & password; > 3) A confederate Exchange Admin granted "User" or "Send as" permission > to culprit > 4) Culprit spoofed the message from an SMTP srvr, or used a similar > serve from the web. > > Feel free to presume the obvious; and I can pass along a few details > that have be provide me. Care to contribute? > > Tim. > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
