Yep. That's the fact, jack.

Roger
------------------------------------------------------
Roger D. Seielstad - MCSE MCT
Senior Systems Administrator
Peregrine Systems
Atlanta, GA
http://www.peregrine.com


> -----Original Message-----
> From: Tim Ault [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 19, 2001 9:19 AM
> To: Exchange Discussions
> Subject: RE: Investigating a Forged Message
> 
> 
> Thanks.
> 
> Coincidental time and date of a 1016 would be a good indicator of suspicious activity.
> Also, Reviewer access is not "on" by default in OL2k's Calendar; however, I do not know the delegate settings on McDonald's mailbox.
> 
> (btw: Really? I never noticed that.. Are you certain?)
> 
> Tim.
> 
> 
> -----Original Message-----
> From: John Matteson [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 19, 2001 12:02 PM
> To: Exchange Discussions
> Subject: RE: Investigating a Forged Message
> 
> 
> You have to be careful about using the Event log data as evidence. If someone just looks at the calendar, it shows that the user logged on but was not the owner of the mailbox.
> 
> John Matteson; Exchange Manager 
> Geac Corporate Infrastructure Systems and Standards 
> (404) 239 - 2981 
> Believe nothing because it is written in books. Believe nothing because wise men say it is so. Believe nothing because it is religious doctrine. Believe it only because you yourself know it to be true. -- Buddha
> 
> 
> -----Original Message-----
> From: Tristan Gayford [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 19, 2001 11:51 AM
> To: Exchange Discussions
> Subject: RE: Investigating a Forged Message
> 
> 
> If they didn't use his username/password, there would be an event in the event log - get the IT people to have a look (or maybe they did it..............)
> 
> 
> 
> -----Original Message-----
> From: Tim Ault [mailto:[EMAIL PROTECTED]] 
> Sent: 19 October 2001 16:33
> To: Exchange Discussions
> Subject: Investigating a Forged Message
> 
> 
> Here's a little something some of you may enjoy this fine Friday.. put on your investigator hats..
> 
> My wife forwarded this message to me:
> 
> > From:       McDonald, Arthur K.  
> > Sent:       Friday, October 19, 2001 9:19 AM
> > To: EPDS Contractors; EPDS - EPI Data Systems
> > Subject:    Much to be grateful for...
> > 
> > All of us in this division have much to be grateful for and for that
> > reason, I would like to encourage each of you to go home at noon
> > today. You may use my annual leave since I have far more than I will
> > ever use. Go home, be with your families, talk with your neighbors,
> > love life and be grateful for all we have in this great nation of
> > ours.  Then come back on Monday refreshed and ready to take on the
> > world!
> 
> ahem.. *chortle* ..well, in any event, "Arthur", VP (Very Pissed), wants a head on a pike. I will offer to him (via my woman) the following likely prospects:
> 
> 1) The culprit got direct access to OL2k on the desktop;
> 2) The culprit knew Arthur's username & password;
> 3) A confederate Exchange Admin granted "User" or "Send as" permission to culprit;
> 4) Culprit spoofed the message from an SMTP srvr, or used a similar service from the web.
> 
> Feel free to presume the obvious; and I can pass along a few details that have been provided to me. Care to contribute?
> 
> Tim.
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Archives:               http://www.swynk.com/sitesearch/search.asp
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]
> 

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
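
Added example, not part of the original thread: one way to act on the suggestion above of checking for a 1016 event logged close to the forged message's send time, while keeping the caveat that a calendar view produces the same event. The CSV column names, account names and mailbox aliases are assumptions constructed for illustration; only the event ID and the 9:19 AM send time come from the thread.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export: column names, accounts and mailbox aliases are made up.
SAMPLE_LOG = """time,event_id,account,mailbox
2001-10-19 08:02:11,1016,jdoe,amcdonald
2001-10-19 09:17:40,1016,bsmith,amcdonald
2001-10-19 09:18:05,1016,bsmith,amcdonald
2001-10-19 09:25:00,1016,svc_backup,amcdonald
2001-10-19 09:18:30,1016,jdoe,kwilson
2001-10-19 09:18:50,1009,bsmith,amcdonald
"""

def logons_near(log_text, mailbox, sent_at, window_minutes=10, event_id=1016):
    """Collect event_id records for one mailbox within +/- window of the send time."""
    window = timedelta(minutes=window_minutes)
    hits = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if int(row["event_id"]) != event_id:
            continue
        if row["mailbox"].strip().lower() != mailbox.lower():
            continue
        # Log times and the message header time must be in the same time zone.
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        gap = abs(ts - sent_at)
        if gap <= window:
            hits.setdefault(row["account"], []).append(int(gap.total_seconds()))
    return hits

def triage(log_text, mailbox, sent_at, known_delegates=()):
    """Rank accounts by how close their nearest logon was to the send time.

    A hit is a lead, not proof: the thread notes the same event appears when
    someone merely views the calendar, so known delegates are marked, not dropped.
    """
    delegates = {d.lower() for d in known_delegates}
    ranked = []
    for account, gaps in logons_near(log_text, mailbox, sent_at).items():
        ranked.append({
            "account": account,
            "closest_seconds": min(gaps),
            "events": len(gaps),
            "known_delegate": account.lower() in delegates,
        })
    return sorted(ranked, key=lambda r: r["closest_seconds"])

if __name__ == "__main__":
    sent = datetime(2001, 10, 19, 9, 19)  # "Sent" time from the forwarded header
    for r in triage(SAMPLE_LOG, "amcdonald", sent, known_delegates=["svc_backup"]):
        print(r)
```

An empty result does not clear anyone: the thread's other prospects (desktop access, a known password, SMTP spoofing) would not produce this event.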