We just crossed in to painful territory.
-sc -----Original Message----- From: Sherry Abercrombie <[email protected]> Sent: Wednesday, July 22, 2009 11:31 AM To: MS-Exchange Admin Issues <[email protected]> Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) Trolling, yup, and you went for it, hook, line and sinker ;) On Wed, Jul 22, 2009 at 10:27 AM, Andy Shook <[email protected]> wrote: Does that make you a Shook troll? Shook From: Sherry Abercrombie [mailto:[email protected]] Sent: Wednesday, July 22, 2009 11:23 AM To: MS-Exchange Admin Issues Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) LOL, it worked.....I knew that Shookie would have to make a comment about that when I typed it.....;) On Wed, Jul 22, 2009 at 10:18 AM, Andy Shook <[email protected]> wrote: ME2 and I both do it, it's painless and works HmmmmÂ…. Shook From: Sherry Abercrombie [mailto:[email protected]] Sent: Wednesday, July 22, 2009 11:18 AM To: MS-Exchange Admin Issues Subject: Re: Making sure all can read... (was RE: 2k3 message tracking-Resolved) Why not use gmail for reading mailing lists. ME2 and I both do it, it's painless and works..... On Wed, Jul 22, 2009 at 9:20 AM, Jason Gurtz <[email protected]> wrote: All: Because Listserv seems to subtly break mime headers, posting to the list in anything other than a plain-text 8-bit charset will likely result in some people being unable to read your message. Also, sending mail in UTF will cause those who use Eudora to Kvetch endlessly until you fix your posting style (but don't EVER suggest they switch to something that's supported!) ;) I sure am glad I don't use my gmail for reading mailing lists! ~JasonG > -----Original Message----- > From: Peter van Houten [mailto:[email protected]] > Sent: Wednesday, July 22, 2009 09:54 > To: MS-Exchange Admin Issues > Subject: Re: 2k3 message tracking-Resolved > > You have to be joking! > > Jason G. help him... > > -- > Peter van Houten > > On the 22/07/2009 15:48, [email protected] wrote the > following: > > +ADw-html xmlns:v+AD0AIg-urn:schemas-microsoft-com:vml+ACI- > > xmlns:o+AD0AIg-urn:schemas-microsoft-com:office:office+ACI- > > xmlns:w+AD0AIg-urn:schemas-microsoft-com:office:word+ACI- > > xmlns:m+AD0AIg-http://schemas.microsoft.com/office/2004/12/omml+ACI- > > xmlns+AD0AIg-http://www.w3.org/TR/REC-html40+ACIAPg- +ADw-head+AD4- > > +ADw-meta http-equiv+AD0-Content-Type content+AD0AIg-text/html+ADs- > > charset+AD0-utf-7+ACIAPg- +ADw-meta name+AD0-Generator > > content+AD0AIg-Microsoft Word 12 (filtered medium)+ACIAPg- > > +ADwAIQ---+AFs-if +ACE-mso+AF0APg- +ADw-style+AD4- v+AFw-:+ACo- > > +AHs-behavior:url(+ACM-default+ACM-VML)+ADsAfQ- o+AFw-:+ACo- > > +AHs-behavior:url(+ACM-default+ACM-VML)+ADsAfQ- w+AFw-:+ACo- > > +AHs-behavior:url(+ACM-default+ACM-VML)+ADsAfQ- .shape > > +AHs-behavior:url(+ACM-default+ACM-VML)+ADsAfQ- +ADw-/style+AD4- > > +ADwAIQBb-endif+AF0---+AD4- +ADw-style+AD4- +ADwAIQ--- /+ACo- Font > > Definitions +ACo-/ +AEA-font-face +AHs-font-family:Calibri+ADs- > > panose-1:2 15 5 2 2 2 4 3 2 4+ADsAfQ- +AEA-font-face > > +AHs-font-family:Tahoma+ADs- panose-1:2 11 6 4 3 5 4 4 2 4+ADsAfQ- > > /+ACo- Style Definitions +ACo-/ p.MsoNormal, li.MsoNormal, > div.MsoNormal > > +AHs-margin:0in+ADs- margin-bottom:.0001pt+ADs- font-size:11.0pt+ADs- > > font-family:+ACI-Calibri+ACI-,+ACI-sans-serif+ACIAOwB9- a:link, > > span.MsoHyperlink +AHs-mso-style-priority:99+ADs- color:blue+ADs- > > text-decoration:underline+ADsAfQ- a:visited, span.MsoHyperlinkFollowed > > +AHs-mso-style-priority:99+ADs- color:purple+ADs- > > text-decoration:underline+ADsAfQ- p.MsoPlainText, li.MsoPlainText, > > div.MsoPlainText +AHs-mso-style-priority:99+ADs- > > mso-style-link:+ACI-Plain Text Char+ACIAOw- margin:0in+ADs- > > margin-bottom:.0001pt+ADs- font-size:10.0pt+ADs- > > font-family:+ACI-Arial+ACI-,+ACI-sans-serif+ACIAOwB9- p.MsoAcetate, > > li.MsoAcetate, div.MsoAcetate +AHs-mso-style-priority:99+ADs- > > mso-style-link:+ACI-Balloon Text Char+ACIAOw- margin:0in+ADs- > > margin-bottom:.0001pt+ADs- font-size:8.0pt+ADs- > > font-family:+ACI-Tahoma+ACI-,+ACI-sans-serif+ACIAOwB9- > > span.PlainTextChar +AHs-mso-style-name:+ACI-Plain Text Char+ACIAOw- > > mso-style-priority:99+ADs- mso-style-link:+ACI-Plain Text+ACIAOw- > > font-family:+ACI-Arial+ACI-,+ACI-sans-serif+ACIAOwB9- > > span.BalloonTextChar +AHs-mso-style-name:+ACI-Balloon Text Char+ACIAOw- > > mso-style-priority:99+ADs- mso-style-link:+ACI-Balloon Text+ACIAOw- > > font-family:+ACI-Tahoma+ACI-,+ACI-sans-serif+ACIAOwB9- .MsoChpDefault > > +AHs-mso-style-type:export-only+ADsAfQ- +AEA-page Section1 > > +AHs-size:8.5in 11.0in+ADs- margin:1.0in 1.0in 1.0in 1.0in+ADsAfQ- > > div.Section1 +AHs-page:Section1+ADsAfQ- --+AD4- +ADw-/style+AD4- > > +ADwAIQ---+AFs-if gte mso 9+AF0APgA8-xml+AD4- +ADw-o:shapedefaults > > v:ext+AD0AIg-edit+ACI- spidmax+AD0AIg-2050+ACI- /+AD4- > > +ADw-/xml+AD4APAAhAFs-endif+AF0---+AD4APAAh---+AFs-if gte mso > > 9+AF0APgA8-xml+AD4- +ADw-o:shapelayout v:ext+AD0AIg-edit+ACIAPg- > > +ADw-o:idmap v:ext+AD0AIg-edit+ACI- data+AD0AIg-1+ACI- /+AD4- > > +ADw-/o:shapelayout+AD4APA-/xml+AD4APAAhAFs-endif+AF0---+AD4- > > +ADw-/head+AD4- +ADw-body lang+AD0-EN-US link+AD0-blue > > vlink+AD0-purple+AD4- +ADw-div class+AD0-Section1+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-If they used the mailbox (Outlook or OWA) > > you'd see something in sent items. +ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- > > +ADw-p class+AD0-MsoPlainText+AD4-This telnet is from my workstation to > > one of our bridgeheads to a hotmail account. It isn+IBk-t in my sent > > items but the hotmail account got it. > > +ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-I+IBk-d guess the script used did the same > > thing, just a whole lot faster+ACEAPA-o:p+AD4APA-/o:p+AD4APA-/p+AD4- > > +ADw-p > > class+AD0-MsoPlainText+AD4APA-o:p+AD4AJg-nbsp+ADsAPA-/o:p+AD4APA- > /p+AD4- > > +ADw-p class+AD0-MsoPlainText+AD4-.+ADw-img width+AD0-383 height+AD0- > 242 > > id+AD0AIg-Picture+AF8-x0020+AF8-1+ACI- > > src+AD0AIg-cid:image003.jpg+AEA-01CA0AB1.8E1A0700+ACIAPgA8-o:p+AD4APA- > /o:p+AD4APA-/p+AD4- > > +ADw-p > > class+AD0-MsoPlainText+AD4APA-o:p+AD4AJg-nbsp+ADsAPA-/o:p+AD4APA- > /p+AD4- > > +ADw-p class+AD0-MsoPlainText+AD4------Original Message-----+ADw- > br+AD4- > > From: Glen Johnson +AFs-mailto:gjohnson+AEA-vhcc.edu+AF0- <mailto:gjohnson%2BAEA-vhcc.edu%2BAF0-> +ADw-br+AD4- > > Sent: Wednesday, July 22, 2009 9:08 AM+ADw-br+AD4- To: MS-Exchange > Admin > > Issues+ADw-br+AD4- Subject: RE: 2k3 message > > tracking-Resolved+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4APA-o:p+AD4AJg-nbsp+ADsAPA-/o:p+AD4APA- > /p+AD4- > > +ADw-p class+AD0-MsoPlainText+AD4-Thanks to all for the > > suggestions.+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-I finally had time to work on this more and > > found where the two users had replied to phishing emails, provided > their > > user name and password.+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-Looks like the phishers have a script that > > runs against owa and sends out all the > > spam.+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-The guilty users are being dealt with by > > their supervisors.+ACY-nbsp+ADs- I suggested a clue-by-four upside the > > head as they been through security training(twice) that addresses this > > exact issue.+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-Oh well, job > > security.+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-One last > > question.+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-Is it possible to tell if the email were > > dumped into the exchange server via owa or an outlook > > client.+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-I'm not seeing any reference to Outlook in > > the messages so I'm leaning towards > > OWA.+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4APA-o:p+AD4AJg-nbsp+ADsAPA-/o:p+AD4APA- > /p+AD4- > > +ADw-p class+AD0-MsoPlainText+AD4------Original > > Message-----+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-From: Jason Gurtz > > +AFs-mailto:jasongurtz+AEA-npumail.com+AF0- <mailto:jasongurtz%2BAEA-npumail.com%2BAF0-> > > +ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-Sent: Tuesday, July 21, 2009 3:49 > > PM+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-To: MS-Exchange Admin > > Issues+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-Subject: RE: 2k3 message > > tracking+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4APA-o:p+AD4AJg-nbsp+ADsAPA-/o:p+AD4APA- > /p+AD4- > > +ADw-p class+AD0-MsoPlainText+AD4AJg-gt+ADs- When I reset the password > > on the two accounts that were sending all > > the+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4AJg-gt+ADs- spam, it stopped and hasn+IBk-t > > returned so the only conclusion I+IBk-ve come > > up+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4AJg-gt+ADs- with is that these two accounts > > got their password stolen, and then > > some+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4AJg-gt+ADs- script or bot accessed their OWA > > account and sent all the spam.+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw- > p > > class+AD0-MsoPlainText+AD4AJg-gt+ADsAPA-o:p+AD4AJg-nbsp+ADsAPA- > /o:p+AD4APA-/p+AD4- > > +ADw-p class+AD0-MsoPlainText+AD4AJg-gt+ADs- Does that sound > > possible/logical?+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4APA-o:p+AD4AJg-nbsp+ADsAPA-/o:p+AD4APA- > /p+AD4- > > +ADw-p class+AD0-MsoPlainText+AD4-Sounds like the users where phished > > and from what I've heard, this is > > very+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-common at edu's.+ACY-nbsp+ADs- You might > want > > to check out installing something like > > +ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-Untangle which has an anti-phishing filter > > +ACY-lt+ADs-http://www.untangle.com/+ACY-gt+ADs- in > > +ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-front of your mail > > server(s).+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4APA-o:p+AD4AJg-nbsp+ADsAPA-/o:p+AD4APA- > /p+AD4- > > +ADw-p class+AD0-MsoPlainText+AD4-If you're motivated enough to install > > a Linux based mail gateway you may+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- > > +ADw-p class+AD0-MsoPlainText+AD4-be +ADw-o:p+AD4APA-/o:p+AD4APA- > /p+AD4- > > +ADw-p class+AD0-MsoPlainText+AD4-able to use this nifty scanning > > software called Kochi which actually > > tries+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-to authenticate to your > > AD:+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4AJg-lt+ADs- > http://oss.lboro.ac.uk/kochi1.html+ACY-gt+ADsAPA-o:p+AD4APA-/o:p+AD4APA- > /p+AD4- > > +ADw-p > > class+AD0-MsoPlainText+AD4APA-o:p+AD4AJg-nbsp+ADsAPA-/o:p+AD4APA- > /p+AD4- > > +ADw-p class+AD0-MsoPlainText+AD4-I guess there's some client based > > tools too to stem the flow of passwords > > +ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-through the browser, check out the Wikipedia > > article for a list of things+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw-p > > class+AD0-MsoPlainText+AD4-to +ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- +ADw- > p > > class+AD0-MsoPlainText+AD4-try: > > http://en.wikipedia.org/wiki/Anti-phishing+AF8-software+ADw-o:p+AD4APA- > /o:p+AD4APA-/p+AD4- > > +ADw-p > > class+AD0-MsoPlainText+AD4APA-o:p+AD4AJg-nbsp+ADsAPA-/o:p+AD4APA- > /p+AD4- > > +ADw-p > > class+AD0-MsoPlainText+AD4Afg-JasonG+ADw-o:p+AD4APA-/o:p+AD4APA-/p+AD4- > > +ADw-p > > class+AD0-MsoPlainText+AD4APA-o:p+AD4AJg-nbsp+ADsAPA-/o:p+AD4APA- > /p+AD4- > > +ADw-p > > class+AD0-MsoPlainText+AD4APA-o:p+AD4AJg-nbsp+ADsAPA-/o:p+AD4APA- > /p+AD4- > > +ADw-/div+AD4- +ADw-/body+AD4- +ADw-/html+AD4- -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke Sent from Haslet, TX, United States -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke Sent from Haslet, TX, United States
