If they didn't use his username/password, there would be an event in the event log - get the IT people to have a look (or maybe they did it..............)
-----Original Message----- From: Tim Ault [mailto:[EMAIL PROTECTED]] Sent: 19 October 2001 16:33 To: Exchange Discussions Subject: Investigating a Forged Message Here's a little something some of you may enjoy this fine Friday.. put on your investigator hats.. My wife forwarded this message to me: > From: McDonald, Arthur K. > Sent: Friday, October 19, 2001 9:19 AM > To: EPDS Contractors; EPDS - EPI Data Systems > Subject: Much to be grateful for... > > All of us in this division have much to be grateful for and for that > reason, I would like to encourage each of you to go home at noon > today. You may use my annual leave since I have far more than I will > ever use. Go home, be with your families, talk with your neighbors, > love life and be grateful for all we have in this great nation of > ours. Then come back on Monday refreshed and ready to take on the > world! ahem.. *chortle* ..well, in any event, "Arthur", VP (Very Pissed), wants a head on a pike. I will offer to him (via my woman) the following likely prospects: 1) The culprit got direct access to OL2k on the desktop; 2) The culprit knew Arthur's username & password; 3) A confederate Exchange Admin granted "User" or "Send as" permission to culprit 4) Culprit spoofed the message from an SMTP srvr, or used a similar serve from the web. Feel free to presume the obvious; and I can pass along a few details that have be provide me. Care to contribute? Tim. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]