He left his box accessible.  Well, McDonald shares in responsibility then.

Ed Crowley MCSE+Internet MVP
Tech Consultant
Compaq Computer Corporation (soon to be HP)
All your base are belong to us.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Tim Ault
Sent: Friday, October 19, 2001 12:58 PM
To: Exchange Discussions
Subject: RE: Investigating a Forged Message


ha.. actually I just learned he 'was' asked that question..

Turns out, ol' McDonald was away from his desk from 9 till 10am and left his
box accessible.
All indications are that the message was sent from the client on his desk.
The message was found in the Sent Items of his mailbox.
There appears to have been no logon recorded in Admin during that hour
(implying his mailbox was not opened from another PC),
and there were no suspicious 1016's (implying the Admin was not in on it).
The message was of blue Arial font (implying OWA was not used to send it,
and his password is secure),
and there was no access recorded by the box acting as the SMTP server
(implying O.E. was not used to send it, and his creds are secure).
Oh.. and someone saw somebody at his desk around the time (implying.. oh
hell..)

so they figured it out.
this was not quite the challenge I thought it'd be.

Tim.
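The header check that Martin Blackstone and Steven Wright suggest in the quoted thread below (no Received hops or no internet addresses points to an in-house submission through the client, an outside hop points to an SMTP relay), written up here as an added Python example that is not part of any of the original posts; the internal address ranges, host names and sample messages are constructed for illustration:

```python
"""Received-header triage for the forged-message scenario in this thread.

No Received: hops at all fits a message submitted in-house through the
Outlook client (MAPI) rather than relayed over SMTP; a hop from outside
the internal network points at an SMTP or web-based submission.
"""
import ipaddress
import re
from email import message_from_string

# Assumed internal address space; a real site substitutes its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_internal(ip):
    """True when the dotted-quad string falls inside an assumed internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed octet such as 999.1.1.1
        return False
    return any(addr in n for n in INTERNAL_NETS)


def received_hops(raw):
    """Bracketed IPv4 of each Received: hop in header order, None where a hop has none."""
    msg = message_from_string(raw)
    hops = []
    for rcvd in msg.get_all("Received", []):
        m = IP_RE.search(rcvd)
        hops.append(m.group(1) if m else None)
    return hops


def classify(raw):
    """Label a raw message: no-smtp-hops, internal-smtp or external-or-unknown."""
    hops = received_hops(raw)
    if not hops:
        return "no-smtp-hops"
    for ip in hops:
        if ip is None or not is_internal(ip):
            return "external-or-unknown"
    return "internal-smtp"


# Constructed samples: client-submitted, internal relay only, and an outside relay.
MAPI_MSG = "From: vp@corp.example\nTo: staff@corp.example\nSubject: test\n\nbody\n"
HUB = "Received: from hub.corp.example ([10.1.2.3]) by mx.corp.example; Fri, 19 Oct 2001 09:19:00 -0400\n"
INTERNAL_MSG = HUB + MAPI_MSG
EXTERNAL_MSG = HUB + "Received: from relay.example.net ([203.0.113.7]) by hub.corp.example\n" + MAPI_MSG

if __name__ == "__main__":
    for name, raw in (("mapi", MAPI_MSG), ("internal", INTERNAL_MSG), ("external", EXTERNAL_MSG)):
        print(name, classify(raw), received_hops(raw))
```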

-----Original Message-----
From: Tom Meunier [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 19, 2001 12:38 PM
To: Exchange Discussions
Subject: RE: Investigating a Forged Message


Ask McDonald, "Where exactly were you at 9:19AM this morning, and for
how long before that, and who knew?"

i.e. was he in the washroom with his $250 Italian leathers poking out
underneath the stall, making noises that indicated extreme abdominal
discomfort...  :)


> -----Original Message-----
> From: Tim Ault [mailto:[EMAIL PROTECTED]]
> Posted At: Friday, October 19, 2001 11:13 AM
> Posted To: MSExchange Mailing List
> Conversation: Investigating a Forged Message
> Subject: RE: Investigating a Forged Message
>
>
> Thanks.
>
> I believe item #1 (of my post) is most probable.. hell, I must leave OL2k open and unattended on my PC a dozen times every day for minutes at a stretch.
>
> However, this takes balls. Considering the length and articulate phrasing of the message, it seems the person would have spent an inordinate amount of time at McDonald's desk. Certainly someone should have seen somebody there.
>
> I have recommended they check the EV on the server on which McDonald's mailbox resides for EV 1016's.. just in case the Admin was in on it.
>
> Tim.
>
>
> -----Original Message-----
> From: Wright, Steven [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 19, 2001 11:47 AM
> To: Exchange Discussions
> Subject: RE: Investigating a Forged Message
>
>
> It appears that it was sent via Exchange since there are no internet addresses in the TO: FROM: fields.  Also, if you check the headers and there is nothing there, then you have the culprit in-house and logging on legitimately via the user's account.  The original suggestions below are probably what occurred.
>
> How accessible is the VP's computer?  Maybe someone took a quick opportunity at an unattended computer.  If they were very clever, they might have set the message to delay a day or so before delivery.
>
> Hope everyone at the company took it seriously and went home ;-)
>
> Steve
>
> -----Original Message-----
> From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 19, 2001 11:39 AM
> To: Exchange Discussions
> Subject: RE: Investigating a Forged Message
>
>
> Headers, Let us see the headers.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Ault
> Sent: Friday, October 19, 2001 8:33 AM
> To: Exchange Discussions
> Subject: Investigating a Forged Message
>
>
> Here's a little something some of you may enjoy this fine Friday.. put
> on your investigator hats..
>
> My wife forwarded this message to me:
>
> > From:       McDonald, Arthur K.
> > Sent:       Friday, October 19, 2001 9:19 AM
> > To: EPDS Contractors; EPDS - EPI Data Systems
> > Subject:    Much to be grateful for...
> >
> > All of us in this division have much to be grateful for and for that reason, I would like to encourage each of you to go home at noon today. You may use my annual leave since I have far more than I will ever use. Go home, be with your families, talk with your neighbors, love life and be grateful for all we have in this great nation of ours.  Then come back on Monday refreshed and ready to take on the world!
>
> ahem.. *chortle* ..well, in any event, "Arthur", VP (Very Pissed), wants a head on a pike. I will offer to him (via my woman) the following likely prospects:
>
> 1) The culprit got direct access to OL2k on the desktop;
> 2) The culprit knew Arthur's username & password;
> 3) A confederate Exchange Admin granted "User" or "Send as" permission
> to culprit
> 4) Culprit spoofed the message from an SMTP srvr, or used a similar
> serve from the web.
>
> Feel free to presume the obvious; and I can pass along a few details that have been provided to me. Care to contribute?
>
> Tim.
>
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Archives:               http://www.swynk.com/sitesearch/search.asp
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]
>
