So, the only head which really needs to be on a pike is that of one Mr.
McDonald?

Chris
-- 
Chris Scharff
Senior Sales Engineer
MessageOne
If you can't measure, you can't manage! 


> -----Original Message-----
> From: Tim Ault [mailto:[EMAIL PROTECTED]] 
> Sent: Friday, October 19, 2001 2:58 PM
> To: Exchange Discussions
> Subject: RE: Investigating a Forged Message
> 
> 
> ha.. actually I just learned  he 'was' asked that question..
> 
> Turns out, ol' McDonald was away from his desk from 9 till 
> 10am and left his box accessible. All indications are that 
> the message was sent from the client on his desk. The message 
> was found in the Sent Items of his mailbox. There appears to 
> have been no logon recorded in Admin during that hour 
> (implying his mailbox was not opened from another PC), and 
> there were no suspicious 1016's (implying the Admin was not 
> in on it). The message was of blue Arial font (implying OWA 
> was not used to send it, and his password is secure), and 
> there was no access recorded by the box acting as the SMTP 
> server (implying O.E. was not used to send it, and his creds 
> are secure). Oh.. and someone saw somebody at his desk around
> the time (implying.. oh hell..)
> 
> so they figured it out.
> this was not quite the challenge I thought it'd be.
> 
> Tim.
> 
> -----Original Message-----
> From: Tom Meunier [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 19, 2001 12:38 PM
> To: Exchange Discussions
> Subject: RE: Investigating a Forged Message
> 
> 
> Ask McDonald, "Where exactly were you at 9:19AM this morning, 
> and for how long before that, and who knew?"
> 
> i.e. was he in the washroom with his $250 Italian leathers 
> poking out underneath the stall, making noises that indicated 
> extreme abdominal discomfort...  :)
> 
> 
> > -----Original Message-----
> > From: Tim Ault [mailto:[EMAIL PROTECTED]]
> > Posted At: Friday, October 19, 2001 11:13 AM
> > Posted To: MSExchange Mailing List
> > Conversation: Investigating a Forged Message
> > Subject: RE: Investigating a Forged Message
> > 
> > 
> > Thanks.
> > 
> > I believe item #1 (of my post) is most probable.. hell, I must leave OL2k
> > open and unattended on my PC a dozen times every day for minutes at a
> > stretch.
> > 
> > However, this takes balls. Considering the length and articulate phrasing of
> > the message, it seems the person would have spent an inordinate amount of
> > time at McDonald's desk. Certainly someone should have seen somebody there.
> > 
> > I have recommended they check the EV on the server which McDonald's mailbox
> > resides for EV 1016's.. just in case the Admin was in on it.
> > 
> > Tim.
> > 
> > 
> > -----Original Message-----
> > From: Wright, Steven [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, October 19, 2001 11:47 AM
> > To: Exchange Discussions
> > Subject: RE: Investigating a Forged Message
> > 
> > 
> > It appears that it was sent via Exchange since there are no internet
> > addresses in the TO: FROM: fields.  Also, if you check the headers and
> > there is nothing there, then you have the culprit in-house and logging
> > on legitimately via the user's account.  The original suggestions below are
> > probably what occurred.
> > 
> > How accessible is the VP's computer?  Maybe someone took a quick
> > opportunity at an unattended computer.  If they were very clever, they
> > might have set the message to delay a day or so before delivery.
> > 
> > Hope everyone at the company took it seriously and went home ;-)
> > 
> > Steve
> > 
> > -----Original Message-----
> > From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, October 19, 2001 11:39 AM
> > To: Exchange Discussions
> > Subject: RE: Investigating a Forged Message
> > 
> > 
> > Headers, Let us see the headers.
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Ault
> > Sent: Friday, October 19, 2001 8:33 AM
> > To: Exchange Discussions
> > Subject: Investigating a Forged Message
> > 
> > 
> > Here's a little something some of you may enjoy this fine Friday.. put
> > on your investigator hats..
> > 
> > My wife forwarded this message to me:
> > 
> > > From:     McDonald, Arthur K.  
> > > Sent:     Friday, October 19, 2001 9:19 AM
> > > To:       EPDS Contractors; EPDS - EPI Data Systems
> > > Subject:  Much to be grateful for...
> > > 
> > > All of us in this division have much to be grateful for and for that
> > > reason, I would like to encourage each of you to go home at noon
> > > today. You may use my annual leave since I have far more than I will
> > > ever use. Go home, be with your families, talk with your neighbors,
> > > love life and be grateful for all we have in this great nation of
> > > ours.  Then come back on Monday refreshed and ready to take on the
> > > world!
> > 
> > ahem.. *chortle* ..well, in any event, "Arthur", VP (Very Pissed), wants
> > a head on a pike. I will offer to him (via my woman) the following
> > likely prospects:
> > 
> > 1) The culprit got direct access to OL2k on the desktop;
> > 2) The culprit knew Arthur's username & password;
> > 3) A confederate Exchange Admin granted "User" or "Send as" permission
> > to culprit
> > 4) Culprit spoofed the message from an SMTP srvr, or used a similar
> > serve from the web.
> > 
> > Feel free to presume the obvious; and I can pass along a few details
> > that have been provided me. Care to contribute?
> > 
> > Tim.
> > 
> > _________________________________________________________________
> > List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> > Archives:               http://www.swynk.com/sitesearch/search.asp
> > To unsubscribe:         mailto:[EMAIL PROTECTED]
> > Exchange List admin:    [EMAIL PROTECTED]
> > 

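The Event 1016 check discussed in the thread above, as an added example that is not part of the original messages: it scans an exported Application log for non-owner logons to one mailbox during the hour the desk was unattended and ignores accounts that routinely open mailboxes. The CSV layout, the account names, the event source and the description wording are assumptions, and the sample rows are constructed (they include one flagged logon for demonstration, whereas the thread reports none).

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample: Application-log export in a hypothetical CSV layout.
# Accounts, times, source and description wording are assumptions.
SAMPLE_EXPORT = r'''time,event_id,source,description
2001-10-19 08:41:07,1016,MSExchangeIS Private,"NT User CORP\svc-backup logged on to McDonald, Arthur K. mailbox, and is not the primary Windows NT account on this mailbox."
2001-10-19 09:05:12,1016,MSExchangeIS Private,"NT User CORP\svc-backup logged on to McDonald, Arthur K. mailbox, and is not the primary Windows NT account on this mailbox."
2001-10-19 09:11:30,1016,MSExchangeIS Private,"NT User CORP\jdoe logged on to Smith, Pat mailbox, and is not the primary Windows NT account on this mailbox."
2001-10-19 09:17:45,1016,MSExchangeIS Private,"NT User CORP\admin2 logged on to McDonald, Arthur K. mailbox, and is not the primary Windows NT account on this mailbox."
'''

LOGON = re.compile(
    r"User (?P<account>\S+) logged on to (?P<mailbox>.+?) mailbox, and is not the primary"
)


def suspicious_1016(export_text, mailbox, start, end, expected_accounts):
    """Return (time, account) for non-owner logons to `mailbox` in [start, end]
    made by accounts that are not on the expected (service account) list."""
    expected = {a.lower() for a in expected_accounts}
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] != "1016":
            continue
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        match = LOGON.search(row["description"])
        if match is None or not (start <= when <= end):
            continue
        if match["mailbox"] != mailbox:
            continue  # non-owner logon, but to someone else's mailbox
        if match["account"].lower() in expected:
            continue  # routine service-account access, not evidence
        hits.append((when, match["account"]))
    return hits


# The hour the mailbox owner was away from his desk, per the thread.
WINDOW = (datetime(2001, 10, 19, 9, 0), datetime(2001, 10, 19, 10, 0))

if __name__ == "__main__":
    for when, account in suspicious_1016(
        SAMPLE_EXPORT, "McDonald, Arthur K.", *WINDOW, [r"CORP\svc-backup"]
    ):
        print(when, account, "opened the mailbox as a non-owner")
```

An empty result supports the "Admin was not in on it" inference only if the allow-list is short and each entry is justified; an over-broad list hides exactly the logon being looked for.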