Said prankster should have in addition to sending the message [1] changed his password to "Don'tLeaveYourWorkstationUnlockedFool" and then locked the workstation.

Matthew

[1] I don't advocate what said prankster did [2]
[2] although I did get a good chuckle out of it [3]
[3] considering I had a rotten day because of a clueless VP. [4]
[4] I don't know Sherry [5] but I think you're supposed to say Hi, so Hi Sherry
[5] Not that I've had the opportunity or wouldn't welcome the opportunity.

>>>-----Original Message-----
>>>From: Chris Scharff [mailto:[EMAIL PROTECTED]]
>>>Sent: Friday, October 19, 2001 3:57 PM
>>>To: Exchange Discussions
>>>Subject: RE: Investigating a Forged Message
>>>
>>>
>>>So, the only head which really needs to be on a pike is that of
>>>one Mr. McDonald?
>>>
>>>Chris
>>>--
>>>Chris Scharff
>>>Senior Sales Engineer
>>>MessageOne
>>>If you can't measure, you can't manage!
>>>
>>>
>>>> -----Original Message-----
>>>> From: Tim Ault [mailto:[EMAIL PROTECTED]]
>>>> Sent: Friday, October 19, 2001 2:58 PM
>>>> To: Exchange Discussions
>>>> Subject: RE: Investigating a Forged Message
>>>>
>>>>
>>>> ha.. actually I just learned he 'was' asked that question..
>>>>
>>>> Turns out, ol' McDonald was away from his desk from 9 till
>>>> 10am and left his box accessible. All indications are that
>>>> the message was sent from the client on his desk. The message
>>>> was found in the Sent Items of his mailbox. There appears to
>>>> have been no logon recorded in Admin during that hour
>>>> (implying his mailbox was not opened from another PC), and
>>>> there were no suspicious 1016's (implying the Admin was not
>>>> in on it). The message was of blue Arial font (implying OWA
>>>> was not used to send it, and his password is secure), and
>>>> there was no access recorded by the box acting as the SMTP
>>>> server (implying O.E. was not used to send it, and his creds
>>>> are secure). Oh.. and someone saw somebody at his desk around
>>>> the time (implying.. oh hell..)
>>>>
>>>> so they figured it out.
>>>> this was not quite the challenge I thought it'd be.
>>>>
>>>> Tim.
>>>>
>>>> -----Original Message-----
>>>> From: Tom Meunier [mailto:[EMAIL PROTECTED]]
>>>> Sent: Friday, October 19, 2001 12:38 PM
>>>> To: Exchange Discussions
>>>> Subject: RE: Investigating a Forged Message
>>>>
>>>>
>>>> Ask McDonald, "Where exactly were you at 9:19AM this morning,
>>>> and for how long before that, and who knew?"
>>>>
>>>> i.e. was he in the washroom with his $250 Italian leathers
>>>> poking out underneath the stall, making noises that indicated
>>>> extreme abdominal discomfort... :)
>>>>
>>>>
>>>> > -----Original Message-----
>>>> > From: Tim Ault [mailto:[EMAIL PROTECTED]]
>>>> > Posted At: Friday, October 19, 2001 11:13 AM
>>>> > Posted To: MSExchange Mailing List
>>>> > Conversation: Investigating a Forged Message
>>>> > Subject: RE: Investigating a Forged Message
>>>> >
>>>> >
>>>> > Thanks.
>>>> >
>>>> > I believe item #1 (of my post) is most probable.. hell, I must leave
>>>> > OL2k open and unattended on my PC a dozen times every day for
>>>> > minutes at a stretch.
>>>> >
>>>> > However, this takes balls. Considering the length and articulate
>>>> > phrasing of the message, it seems the person would have spent an
>>>> > inordinate amount of time at McDonald's desk. Certainly someone
>>>> > should have seen somebody there.
>>>> >
>>>> > I have recommended they check the EV on the server which McDonald's
>>>> > mailbox resides for EV 1016's.. just in case the Admin was in on it.
>>>> >
>>>> > Tim.
>>>> >
>>>> >
>>>> > -----Original Message-----
>>>> > From: Wright, Steven [mailto:[EMAIL PROTECTED]]
>>>> > Sent: Friday, October 19, 2001 11:47 AM
>>>> > To: Exchange Discussions
>>>> > Subject: RE: Investigating a Forged Message
>>>> >
>>>> >
>>>> > It appears that it was sent via Exchange since there are no internet
>>>> > addresses in the TO: FROM: fields. Also, if you check the headers and
>>>> > there is nothing there, then you have the culprit in-house and logging
>>>> > on legitimately via the user's account. The original suggestions
>>>> > below are probably what occurred.
>>>> >
>>>> > How accessible is the VP's computer? Maybe someone took a quick
>>>> > opportunity at an unattended computer. If they were very clever, they
>>>> > might have set the message to delay a day or so before delivery.
>>>> >
>>>> > Hope everyone at the company took it seriously and went home ;-)
>>>> >
>>>> > Steve
>>>> >
>>>> > -----Original Message-----
>>>> > From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
>>>> > Sent: Friday, October 19, 2001 11:39 AM
>>>> > To: Exchange Discussions
>>>> > Subject: RE: Investigating a Forged Message
>>>> >
>>>> >
>>>> > Headers, Let us see the headers.
>>>> >
>>>> > -----Original Message-----
>>>> > From: [EMAIL PROTECTED]
>>>> > [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Ault
>>>> > Sent: Friday, October 19, 2001 8:33 AM
>>>> > To: Exchange Discussions
>>>> > Subject: Investigating a Forged Message
>>>> >
>>>> >
>>>> > Here's a little something some of you may enjoy this fine Friday.. put
>>>> > on your investigator hats..
>>>> >
>>>> > My wife forwarded this message to me:
>>>> >
>>>> > > From: McDonald, Arthur K.
>>>> > > Sent: Friday, October 19, 2001 9:19 AM
>>>> > > To: EPDS Contractors; EPDS - EPI Data Systems
>>>> > > Subject: Much to be grateful for...
>>>> > >
>>>> > > All of us in this division have much to be grateful for and for that
>>>> > > reason, I would like to encourage each of you to go home at noon
>>>> > > today. You may use my annual leave since I have far more than I will
>>>> > > ever use. Go home, be with your families, talk with your neighbors,
>>>> > > love life and be grateful for all we have in this great nation of
>>>> > > ours. Then come back on Monday refreshed and ready to take on the
>>>> > > world!
>>>> >
>>>> > ahem.. *chortle* ..well, in any event, "Arthur", VP (Very Pissed),
>>>> > wants a head on a pike. I will offer to him (via my woman) the
>>>> > following likely prospects:
>>>> >
>>>> > 1) The culprit got direct access to OL2k on the desktop;
>>>> > 2) The culprit knew Arthur's username & password;
>>>> > 3) A confederate Exchange Admin granted "User" or "Send as" permission
>>>> > to culprit
>>>> > 4) Culprit spoofed the message from an SMTP srvr, or used a similar
>>>> > serve from the web.
>>>> >
>>>> > Feel free to presume the obvious; and I can pass along a few details
>>>> > that have been provided me. Care to contribute?
>>>> >
>>>> > Tim.
>>>> >
>>>> > _________________________________________________________________
>>>> > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
>>>> > Archives: http://www.swynk.com/sitesearch/search.asp
>>>> > To unsubscribe: mailto:[EMAIL PROTECTED]
>>>> > Exchange List admin: [EMAIL PROTECTED]