I have done that minus the Web cam. I sit near the guy. It was quite funny to watch the guy aimlessly try to figure out why his PC was "locked" up. Reboot, Reboot, Reboot, Reboot. REPEAT for a long time, before he hears me laughing and figures out that he should probably boot with a floppy and search for modified files.
>>> -----Original Message-----
>>> From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
>>> Sent: Monday, October 22, 2001 1:38 PM
>>> To: Exchange Discussions
>>> Subject: RE: Investigating a Forged Message
>>>
>>> I seem to recall that the password change requires the current password to be entered before changing. Makes your suggestion a little hard to implement.
>>>
>>> Personally, I would have taken a screenshot of the desktop, as is. Set the screenshot as the wallpaper, hide the taskbar, and move all icons off the desktop. Then set up a web cam.
>>>
>>> Not that I've ever done that, mind you, but it just came to mind.
>>>
>>> Roger
>>> ------------------------------------------------------
>>> Roger D. Seielstad - MCSE MCT
>>> Senior Systems Administrator
>>> Peregrine Systems
>>> Atlanta, GA
>>> http://www.peregrine.com
>>>
>>>> -----Original Message-----
>>>> From: Monteleone-Haught Matt - Millville [mailto:[EMAIL PROTECTED]]
>>>> Sent: Friday, October 19, 2001 4:36 PM
>>>> To: Exchange Discussions
>>>> Subject: RE: Investigating a Forged Message
>>>>
>>>> Said prankster should have in addition to sending the message [1] changed his password to "Don'tLeaveYourWorkstationUnlockedFool" and then locked the workstation.
>>>>
>>>> Matthew
>>>> [1] I don't advocate what said prankster did [2]
>>>> [2] although I did get a good chuckle out of it [3]
>>>> [3] considering I had a rotten day because of a clueless VP. [4]
>>>> [4] I don't know Sherry [5] but I think you're supposed to say Hi, so Hi Sherry
>>>> [5] Not that I've had the opportunity or wouldn't welcome the opportunity.
>>>>
>>>> >>> -----Original Message-----
>>>> >>> From: Chris Scharff [mailto:[EMAIL PROTECTED]]
>>>> >>> Sent: Friday, October 19, 2001 3:57 PM
>>>> >>> To: Exchange Discussions
>>>> >>> Subject: RE: Investigating a Forged Message
>>>> >>>
>>>> >>> So, the only head which really needs to be on a pike is that of one Mr. McDonald?
>>>> >>>
>>>> >>> Chris
>>>> >>> --
>>>> >>> Chris Scharff
>>>> >>> Senior Sales Engineer
>>>> >>> MessageOne
>>>> >>> If you can't measure, you can't manage!
>>>> >>>
>>>> >>>> -----Original Message-----
>>>> >>>> From: Tim Ault [mailto:[EMAIL PROTECTED]]
>>>> >>>> Sent: Friday, October 19, 2001 2:58 PM
>>>> >>>> To: Exchange Discussions
>>>> >>>> Subject: RE: Investigating a Forged Message
>>>> >>>>
>>>> >>>> ha.. actually I just learned he 'was' asked that question..
>>>> >>>>
>>>> >>>> Turns out, ol' McDonald was away from his desk from 9 till 10am and left his box accessible. All indications are that the message was sent from the client on his desk. The message was found in the Sent Items of his mailbox. There appears to have been no logon recorded in Admin during that hour (implying his mailbox was not opened from another PC), and there were no suspicious 1016's (implying the Admin was not in on it). The message was of blue Arial font (implying OWA was not used to send it, and his password is secure), and there was no access recorded by the box acting as the SMTP server (implying O.E. was not used to send it, and his creds are secure). Oh.. and someone saw somebody at his desk around the time (implying.. oh hell..)
>>>> >>>>
>>>> >>>> so they figured it out.
>>>> >>>> this was not quite the challenge I thought it'd be.
>>>> >>>>
>>>> >>>> Tim.
>>>> >>>>
>>>> >>>> -----Original Message-----
>>>> >>>> From: Tom Meunier [mailto:[EMAIL PROTECTED]]
>>>> >>>> Sent: Friday, October 19, 2001 12:38 PM
>>>> >>>> To: Exchange Discussions
>>>> >>>> Subject: RE: Investigating a Forged Message
>>>> >>>>
>>>> >>>> Ask McDonald, "Where exactly were you at 9:19AM this morning, and for how long before that, and who knew?"
>>>> >>>>
>>>> >>>> i.e. was he in the washroom with his $250 Italian leathers poking out underneath the stall, making noises that indicated extreme abdominal discomfort... :)
>>>> >>>>
>>>> >>>> > -----Original Message-----
>>>> >>>> > From: Tim Ault [mailto:[EMAIL PROTECTED]]
>>>> >>>> > Posted At: Friday, October 19, 2001 11:13 AM
>>>> >>>> > Posted To: MSExchange Mailing List
>>>> >>>> > Conversation: Investigating a Forged Message
>>>> >>>> > Subject: RE: Investigating a Forged Message
>>>> >>>> >
>>>> >>>> > Thanks.
>>>> >>>> >
>>>> >>>> > I believe item #1 (of my post) is most probable.. hell, I must leave OL2k open and unattended on my PC a dozen times every day for minutes at a stretch.
>>>> >>>> >
>>>> >>>> > However, this takes balls. Considering the length and articulate phrasing of the message, it seems the person would have spent an inordinate amount of time at McDonald's desk. Certainly someone should have seen somebody there.
>>>> >>>> >
>>>> >>>> > I have recommended they check the EV on the server which McDonald's mailbox resides for EV 1016's.. just in case the Admin was in on it.
>>>> >>>> >
>>>> >>>> > Tim.
>>>> >>>> >
>>>> >>>> > -----Original Message-----
>>>> >>>> > From: Wright, Steven [mailto:[EMAIL PROTECTED]]
>>>> >>>> > Sent: Friday, October 19, 2001 11:47 AM
>>>> >>>> > To: Exchange Discussions
>>>> >>>> > Subject: RE: Investigating a Forged Message
>>>> >>>> >
>>>> >>>> > It appears that it was sent via Exchange since there are no internet addresses in the TO: FROM: fields. Also, if you check the headers and there is nothing there, then you have the culprit in-house and logging on legitimately via the user's account. The original suggestions below are probably what occurred.
>>>> >>>> >
>>>> >>>> > How accessible is the VP's computer? Maybe someone took a quick opportunity at an unattended computer. If they were very clever, they might have set the message to delay a day or so before delivery.
>>>> >>>> >
>>>> >>>> > Hope everyone at the company took it seriously and went home ;-)
>>>> >>>> >
>>>> >>>> > Steve
>>>> >>>> >
>>>> >>>> > -----Original Message-----
>>>> >>>> > From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
>>>> >>>> > Sent: Friday, October 19, 2001 11:39 AM
>>>> >>>> > To: Exchange Discussions
>>>> >>>> > Subject: RE: Investigating a Forged Message
>>>> >>>> >
>>>> >>>> > Headers, Let us see the headers.
>>>> >>>> >
>>>> >>>> > -----Original Message-----
>>>> >>>> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Ault
>>>> >>>> > Sent: Friday, October 19, 2001 8:33 AM
>>>> >>>> > To: Exchange Discussions
>>>> >>>> > Subject: Investigating a Forged Message
>>>> >>>> >
>>>> >>>> > Here's a little something some of you may enjoy this fine Friday.. put on your investigator hats..
>>>> >>>> >
>>>> >>>> > My wife forwarded this message to me:
>>>> >>>> >
>>>> >>>> > > From: McDonald, Arthur K.
>>>> >>>> > > Sent: Friday, October 19, 2001 9:19 AM
>>>> >>>> > > To: EPDS Contractors; EPDS - EPI Data Systems
>>>> >>>> > > Subject: Much to be grateful for...
>>>> >>>> > >
>>>> >>>> > > All of us in this division have much to be grateful for and for that reason, I would like to encourage each of you to go home at noon today. You may use my annual leave since I have far more than I will ever use. Go home, be with your families, talk with your neighbors, love life and be grateful for all we have in this great nation of ours. Then come back on Monday refreshed and ready to take on the world!
>>>> >>>> >
>>>> >>>> > ahem.. *chortle* ..well, in any event, "Arthur", VP (Very Pissed), wants a head on a pike. I will offer to him (via my woman) the following likely prospects:
>>>> >>>> >
>>>> >>>> > 1) The culprit got direct access to OL2k on the desktop;
>>>> >>>> > 2) The culprit knew Arthur's username & password;
>>>> >>>> > 3) A confederate Exchange Admin granted "User" or "Send as" permission to culprit
>>>> >>>> > 4) Culprit spoofed the message from an SMTP srvr, or used a similar serve from the web.
>>>> >>>> >
>>>> >>>> > Feel free to presume the obvious; and I can pass along a few details that have been provided to me. Care to contribute?
>>>> >>>> >
>>>> >>>> > Tim.
>>>> >>>> >
>>>> >>>> > _________________________________________________________________
>>>> >>>> > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
>>>> >>>> > Archives: http://www.swynk.com/sitesearch/search.asp
>>>> >>>> > To unsubscribe: mailto:[EMAIL PROTECTED]
>>>> >>>> > Exchange List admin: [EMAIL PROTECTED]
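Tim's follow-up in the quoted thread works by eliminating the four scenarios from his first post according to what the logs did and did not show. As an added example that is not part of the list thread, here is that elimination written as a small rule set in Python over constructed evidence. The `Evidence` dataclass, its field names and the `THREAD_EVIDENCE` values are hypothetical summaries of what the thread looked at; the inference rules are the ones the thread states, and each one assumes the relevant logging (store diagnostics, SMTP submission logging, admin logon view) was actually enabled for the whole window.

```python
from dataclasses import dataclass

# Constructed example, not code from the list thread: the four scenarios
# Tim listed in his first post, keyed so the rules below can drop them.
HYPOTHESES = {
    "H1": "culprit used the unattended Outlook session at the victim's desk",
    "H2": "culprit knew the victim's username and password",
    "H3": "an Exchange admin granted the culprit mailbox or Send As rights",
    "H4": "culprit injected the message through an SMTP server with a forged From",
}


@dataclass(frozen=True)
class Evidence:
    """Observations an investigator can collect. Every field is a constructed
    summary (hypothetical names) of something the thread actually checked."""
    copy_in_sent_items: bool         # message found in the victim's Sent Items
    internet_received_headers: bool  # Received: lines from outside the Exchange org
    other_client_logons: int         # mailbox logons from another workstation in the window
    event_1016_count: int            # non-owner mailbox logons recorded by the store
    smtp_submission_logged: bool     # the SMTP host logged a submission for this message
    mapi_rich_text: bool             # coloured/non-default font: composed in a MAPI client, not OWA


def eliminate(ev: Evidence):
    """Apply the thread's inferences and return (surviving ids, reasons).

    Each rule is an absence-of-evidence argument, so it is only as good as
    the logging that was enabled (assumption: store diagnostics and SMTP
    logging were on for the whole window).
    """
    alive = dict(HYPOTHESES)
    reasons = []

    def drop(h, reason):
        if alive.pop(h, None) is not None:
            reasons.append(f"{h} ruled out: {reason}")

    if ev.internet_received_headers:
        # A message that entered through SMTP was never submitted by a MAPI
        # client inside the org, so neither the desk nor admin-granted rights explain it.
        drop("H1", "Internet Received: headers show the message entered via SMTP")
        drop("H3", "Internet Received: headers show the message entered via SMTP")
    elif ev.copy_in_sent_items:
        # A spoofed SMTP message never passes through the victim's mailbox,
        # so it cannot leave a copy in Sent Items.
        drop("H4", "copy in Sent Items means it was submitted from the mailbox")
    elif not ev.smtp_submission_logged:
        drop("H4", "no Internet headers and no SMTP submission logged")

    if ev.event_1016_count == 0:
        drop("H3", "no non-owner mailbox logons (event 1016) were recorded")

    if (ev.other_client_logons == 0 and ev.mapi_rich_text
            and not ev.smtp_submission_logged):
        # No second workstation, no OWA (rich text) and no SMTP client
        # submission leaves no path that needed the victim's password.
        drop("H2", "no logon from another workstation, no OWA, no SMTP submission")

    return sorted(alive), reasons


# The evidence Tim reported in his follow-up, as constructed values.
THREAD_EVIDENCE = Evidence(
    copy_in_sent_items=True,
    internet_received_headers=False,
    other_client_logons=0,
    event_1016_count=0,
    smtp_submission_logged=False,
    mapi_rich_text=True,
)

if __name__ == "__main__":
    alive, reasons = eliminate(THREAD_EVIDENCE)
    for r in reasons:
        print(r)
    print("still open:", [HYPOTHESES[h] for h in alive])
```

Run as a script it prints the three eliminations and leaves only the unattended-desk scenario, which is where the thread ended up. Feeding it a message with Internet Received: headers and a logged SMTP submission instead keeps the SMTP-spoof and stolen-credential scenarios and drops the desk. The point for a defender is that each rule argues from an absence of log entries, so confirming that the logging was on for the whole window comes before trusting any of the eliminations.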

