Very certain!

-----Original Message-----
From: Tim Ault [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 19, 2001 9:19 AM
To: Exchange Discussions
Subject: RE: Investigating a Forged Message

Thanks. Coincidental time and date of a 1016 would be a good indicator of suspicious activity. Also, Reviewer access is not "on" by default in OL2k's Calendar; however, I do not know the delegate settings on McDonald's mailbox.

(btw: Really? I never noticed that.. Are you certain?)

Tim.

-----Original Message-----
From: John Matteson [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 19, 2001 12:02 PM
To: Exchange Discussions
Subject: RE: Investigating a Forged Message

You have to be careful about using the Event log data as evidence. If someone just looks at the calendar, it shows that the user logged on but was not the owner of the mailbox.

John Matteson; Exchange Manager
Geac Corporate Infrastructure Systems and Standards
(404) 239 - 2981

Believe nothing because it is written in books.
Believe nothing because wise men say it is so.
Believe nothing because it is religious doctrine.
Believe it only because you yourself know it to be true.
-- Buddha

-----Original Message-----
From: Tristan Gayford [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 19, 2001 11:51 AM
To: Exchange Discussions
Subject: RE: Investigating a Forged Message

If they didn't use his username/password, there would be an event in the event log - get the IT people to have a look (or maybe they did it..............)

-----Original Message-----
From: Tim Ault [mailto:[EMAIL PROTECTED]]
Sent: 19 October 2001 16:33
To: Exchange Discussions
Subject: Investigating a Forged Message

Here's a little something some of you may enjoy this fine Friday.. put on your investigator hats..

My wife forwarded this message to me:

> From: McDonald, Arthur K.
> Sent: Friday, October 19, 2001 9:19 AM
> To: EPDS Contractors; EPDS - EPI Data Systems
> Subject: Much to be grateful for...
>
> All of us in this division have much to be grateful for and for that
> reason, I would like to encourage each of you to go home at noon
> today. You may use my annual leave since I have far more than I will
> ever use. Go home, be with your families, talk with your neighbors,
> love life and be grateful for all we have in this great nation of
> ours. Then come back on Monday refreshed and ready to take on the
> world!

ahem.. *chortle* ..well, in any event, "Arthur", VP (Very Pissed), wants a head on a pike. I will offer to him (via my woman) the following likely prospects:

1) The culprit got direct access to OL2k on the desktop;
2) The culprit knew Arthur's username & password;
3) A confederate Exchange Admin granted "User" or "Send as" permission to culprit;
4) Culprit spoofed the message from an SMTP srvr, or used a similar server from the web.

Feel free to presume the obvious; and I can pass along a few details that have been provided to me. Care to contribute?

Tim.

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
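
Added example, not part of the original thread: a sketch of the 1016 time correlation discussed in the replies, written in Python. The pipe-delimited export format, the account names, the known-delegate list and the 15-minute window are all assumptions; the event rows are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample export, one event per line: timestamp|event_id|account|mailbox
# (this layout is an assumption, not a real Exchange export format)
SAMPLE_EVENTS = """
2001-10-19 08:02:11|1016|jdoe|McDonald, Arthur K.
2001-10-19 09:10:30|1016|jdoe|McDonald, Arthur K.
2001-10-19 09:17:40|1016|asmith|McDonald, Arthur K.
2001-10-19 09:17:50|1016|asmith|Other, User
2001-10-19 09:18:05|9999|asmith|McDonald, Arthur K.
2001-10-19 14:40:00|1016|bjones|McDonald, Arthur K.
"""

def parse_events(text):
    """Turn the exported lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, mailbox = line.split("|", 3)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(event_id),
            "account": account,
            "mailbox": mailbox,
        })
    return events

def candidate_logons(events, mailbox, sent_at, window_minutes=15, delegates=()):
    """Return 1016 events on `mailbox` within the window around `sent_at`,
    nearest first. Assumes log and message timestamps share one clock/zone."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for ev in events:
        if ev["id"] != 1016 or ev["mailbox"] != mailbox:
            continue
        if abs(ev["time"] - sent_at) > window:
            continue
        # Per the caveat in the thread, a delegate who only looked at the
        # calendar also produces a 1016, so known delegates are marked
        # rather than dropped and every hit is a lead, not proof.
        hits.append({**ev, "known_delegate": ev["account"] in delegates})
    return sorted(hits, key=lambda e: abs(e["time"] - sent_at))

if __name__ == "__main__":
    sent = datetime(2001, 10, 19, 9, 19, 0)  # "Sent" time of the forged message
    for hit in candidate_logons(parse_events(SAMPLE_EVENTS),
                                "McDonald, Arthur K.", sent, delegates={"jdoe"}):
        print(hit["time"], hit["account"], "known delegate:", hit["known_delegate"])
```

An empty result does not clear anyone: prospects 1, 2 and 4 in the original post would not involve a second account logging on to the mailbox.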