We don't have IM.

-----Original Message-----
From: Ed Crowley [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 15, 2003 10:51 PM
To: Exchange Discussions
Subject: RE: The SEC is killing me.


What are you doing about instant messaging?  Don't you have to keep all IM
transactions as well?

Ed Crowley MCSE+I MVP
Technical Consultant
hp Services
"There are seldom good technological solutions to behavioral problems."


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Dupler, Craig
Sent: Wednesday, January 15, 2003 6:34 PM
To: Exchange Discussions
Subject: RE: The SEC is killing me.


This will not help you with your SEC problem.  It's just a musing and is
merely to suggest that no audit technique is foolproof.  I think that any
system that you can design, a clever person can get around.

Let me suggest a scenario from back in the days when I was working on virus
delivery techniques and countermeasures.  The key to this particular
"almost impossible to detect" nefarious message delivery technique would be
to send a message to an external mailbox that had a client running against
it with in-box rules enabled.  The client could parse the message and
execute a script or even an external program that would generate another
message, which could be sent to any SMTP address (or in the case of a virus,
do nefarious things on its own local network).  So let's say I send a one
word message to my home mailbox that says "hi."  That could trigger a script
that sends a message to tell someone to sell.  Another script triggered by
"dinner tonight" could trigger a script that generates the buy message. You
get the idea. The offending message itself can be as simple or complex but
apparently harmless a cipher as you could imagine.  It could even be
embedded in a pattern that looks like I'm sending a daily (or better yet,
apparently random and occasional) note commenting on tonight's menu, with an
"if message text contains" filter at the other end.  A hundred word note
that contained the phrase "rare steak" could be the trigger.  The "to"
address is not that of the ultimate recipient, and the instruction in a form
that you could detect is beyond the reach of your archives and searches.
The reality is that you simply cannot filter for this sort of thing in
your archives.  You can find someone that is being stupid or careless, but
not someone that is cunning and deliberate.

The extent to which variations on this technique can be used is frightening.
Consider what a batch file on a DOS machine could do, in terms of generating
an Assembly language program by having VB Script simply write strings from an
Excel or Word document to a text file.  The VB Script does not even have to
travel with the Office document, but can simply be running on the machine on
the receiving end.  Such a trigger can be hidden behind layer upon layer of
isolating techniques.  The initial trigger instruction does not have to be
sent via SMTP.  A FAX to something like a SatisFAXtion modem or a call to an
IVR system listening for a specific DTMF sequence that would not be recorded
by your phone system can do it.  A web site can do it.  Web mail to your
home SMTP address can do it.  A cellular call . . .  You get the idea. Every
link will leave some tracks, but those tracks can be incomplete and look
very harmless.

Back in the 80's before Microsoft Office became the dominant office suite,
there was a product called "Smartware" by a small company in Lenexa, Kansas
that was later purchased by Informix and destroyed. Smartware had the
equivalent of VBA in all of its modules, and it had a communications module.
The second version of the package even had PEEK and POKE instructions.
Imagine what you could do with that today in an administrative security
context on a Win2K machine in an Internet world.


Nedry (a transposition of "nerdy") is still out there.


-----Original Message-----
From: Chris Scharff [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 4:45 PM
To: Exchange Discussions
Subject: Re: The SEC is killing me.


There are a number of archival solutions out there. Some of them are listed
at www.mail-resources.com in addition to the ones Gary mentioned. Contact me
offline, I might have some other ideas.

On 1/15/03 17:05, "Clemens, Rick" <[EMAIL PROTECTED]> wrote:



Mixed Exchange 5.5 SP4 / Exchange 2000 SP3 
100% Active Directory 
100% Windows 2000 Advanced Server SP4 

Our Legal and Security department wants us to provide the ability to access 
every e-mail the company sends or receives for a period of 90 days to 
satisfy certain SEC requirements.  

The original plan was to Journal everything into a mailbox using an Exchange
5.5 server.  It worked insofar as all the mail went to the
mailbox...but...After it got over 1000000 messages Outlook didn't do a very
good job searching it.

So we moved the Journal to Exchange 2000 and are Indexing it.  With 500000 
messages so far Outlook searches it pretty fast.  So far so good. 

I guess my question is....what is everyone else out there doing to satisfy
SEC requirements for Electronic Documents Retention?  Is there a better way?
Or Better Software?

_________________________________________________________________ 
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm 
Archives:               http://www.swynk.com/sitesearch/search.asp 
To unsubscribe:         mailto:[EMAIL PROTECTED] 
Exchange List admin:    [EMAIL PROTECTED] 





