Yea! When I worked in KC, I worked in this part of the company, there were appox 100 folk. If you left your WS unlocked, it was guaranteed that there would be a message sent to the whole group DL that you were a "packer", you were pregnant, you got someone else pregnant, you were coming out, or some other completely wild email.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darcy Adams Sent: Friday, October 19, 2001 2:18 PM To: Exchange Discussions Subject: RE: Investigating a Forged Message In our office, if your workstation is found unlocked the most likely penalty is the note sent from your mailbox inviting everyone to a mocha (if in the morning) or a beer (if in the evening) at your expense. Ah, yeah - along with your screensaver being changed to display something like "Luser left his workstation unlocked, again". . . even our VP isn't immune to that one. Darcy -----Original Message----- From: Monteleone-Haught Matt - Millville [mailto:[EMAIL PROTECTED]] Sent: Friday, October 19, 2001 1:36 PM To: Exchange Discussions Subject: RE: Investigating a Forged Message Said prankster should have in addition to sending the message [1] changed his password to "Don'tLeaveYourWorkstationUnlockedFool" and then locked the workstation. Matthew [1] I don't advocate what said prankster did [2] [2] although I did get a good chuckle out of it [3] [3] considering I had a rotten day because of a clueless VP.[4] [4] I don't know Sherry [5] but I think your supposed to say Hi, so Hi Sherry [5] Not that I've had the opportunity or wouldn't welcome the opportunity. >>>-----Original Message----- >>>From: Chris Scharff [mailto:[EMAIL PROTECTED]] >>>Sent: Friday, October 19, 2001 3:57 PM >>>To: Exchange Discussions >>>Subject: RE: Investigating a Forged Message >>> >>> >>>So, the only head which really needs to on a pike is that of >>>one Mr. McDonald? >>> >>>Chris >>>-- >>>Chris Scharff >>>Senior Sales Engineer >>>MessageOne >>>If you can't measure, you can't manage! >>> >>> >>>> -----Original Message----- >>>> From: Tim Ault [mailto:[EMAIL PROTECTED]] >>>> Sent: Friday, October 19, 2001 2:58 PM >>>> To: Exchange Discussions >>>> Subject: RE: Investigating a Forged Message >>>> >>>> >>>> ha.. actually I just learned he 'was' asked that question.. >>>> >>>> Turns out, ol' McDonald was away from his desk from 9 till 10am and >>>> left his box accessible. All indications are that the message was >>>> sent from the client on his desk. The message was found in the Sent >>>> Items of his mailbox. There appears to have been no logon recorded >>>> in Admin during that hour (implying his mailbox was not opened from >>>> another PC), and there were no suspicious 1016's (implying the >>>> Admin was not in on it). The message was of blue Arial font >>>> (implying OWA was not used to send it, and his password is secure), >>>> and there was no access recorded by the box acting as the SMTP >>>> server (implying O.E. was not used to send it, and his creds >>>> are secure). Oh.. and someone saw somebody at his desk around >>>> the time (implying.. oh >>>> hell..) >>>> >>>> so they figured it out. >>>> this was not quite the challenge I thought it'd be. >>>> >>>> Tim. >>>> >>>> -----Original Message----- >>>> From: Tom Meunier [mailto:[EMAIL PROTECTED]] >>>> Sent: Friday, October 19, 2001 12:38 PM >>>> To: Exchange Discussions >>>> Subject: RE: Investigating a Forged Message >>>> >>>> >>>> Ask McDonald, "Where exactly were you at 9:19AM this morning, and >>>> for how long before that, and who knew?" >>>> >>>> i.e. was he in the washroom with his $250 Italian leathers poking >>>> out underneath the stall, making noises that indicated extreme >>>> abdominal discomfort... :) >>>> >>>> >>>> > -----Original Message----- >>>> > From: Tim Ault [mailto:[EMAIL PROTECTED]] >>>> > Posted At: Friday, October 19, 2001 11:13 AM >>>> > Posted To: MSExchange Mailing List >>>> > Conversation: Investigating a Forged Message >>>> > Subject: RE: Investigating a Forged Message >>>> > >>>> > >>>> > Thanks. >>>> > >>>> > I believe item #1 (of my post) is most probable.. hell, >>>I must leave >>>> > OL2k open and unattended on my PC a dozen times every day for >>>> minutes at a >>>> > stretch. >>>> > >>>> > However, this takes balls. Considering the length and articulate >>>> > phrasing of the message, it seems the person would have spent an >>>> > inordinate amount of >>>> > time at McDonald's desk. Certainly someone should have seen >>>> > somebody there. >>>> > >>>> > I have recommended they check the EV on the server which >>>McDonald's >>>> > mailbox resides for EV 1016's.. just incase the Admin >>>was in on it. >>>> > >>>> > Tim. >>>> > >>>> > >>>> > -----Original Message----- >>>> > From: Wright, Steven [mailto:[EMAIL PROTECTED]] >>>> > Sent: Friday, October 19, 2001 11:47 AM >>>> > To: Exchange Discussions >>>> > Subject: RE: Investigating a Forged Message >>>> > >>>> > >>>> > It appears that it was send via Exchange since there are no >>>> internet >>>> > addresses in the TO: FROM: fields. Also, if you check the >>>> headers and >>>> > there is nothing there, then you have the culprit in-house >>>> and logging >>>> > on legitimately via the user's account. The original >>>suggestions >>>> > below are probably what occurred. >>>> > >>>> > How accessible is the VP's computer? May be someone took a quick >>>> > opportunity at an unattended computer. If they were very >>>> clever, they >>>> > might have set the message to delay a day or so before delivery. >>>> > >>>> > Hope everyone at the company took it seriously and went home ;-) >>>> > >>>> > Steve >>>> > >>>> > -----Original Message----- >>>> > From: Martin Blackstone [mailto:[EMAIL PROTECTED]] >>>> > Sent: Friday, October 19, 2001 11:39 AM >>>> > To: Exchange Discussions >>>> > Subject: RE: Investigating a Forged Message >>>> > >>>> > >>>> > Headers, Let us see the headers. >>>> > >>>> > -----Original Message----- >>>> > From: [EMAIL PROTECTED] >>>> > [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Ault >>>> > Sent: Friday, October 19, 2001 8:33 AM >>>> > To: Exchange Discussions >>>> > Subject: Investigating a Forged Message >>>> > >>>> > >>>> > Here's a little something some of you may enjoy this fine >>>> Friday.. put >>>> > on your investigator hats.. >>>> > >>>> > My wife forwarded this message to me: >>>> > >>>> > > From: McDonald, Arthur K. >>>> > > Sent: Friday, October 19, 2001 9:19 AM >>>> > > To: EPDS Contractors; EPDS - EPI Data Systems >>>> > > Subject: Much to be grateful for... >>>> > > >>>> > > All of us in this division have much to be grateful for and >>>> > for that >>>> > > reason, I would like to encourage each of you to go >>>home at noon >>>> > > today. You may use my annual leave since I have far more >>>> > than I will >>>> > > ever use. Go home, be with your families, talk with your >>>> neighbors, >>>> > > love life and be grateful for all we have in this >>>great nation of >>>> > > ours. Then come back on Monday refreshed and ready to >>>> take on the >>>> > > world! >>>> > >>>> > ahem.. *chortle* ..well, in any event, "Arthur", VP >>>(Very Pissed), >>>> > wants a head on a pike. I will offer to him (via my woman) the >>>> > following likely prospects: >>>> > >>>> > 1) The culprit got direct access to OL2k on the desktop; >>>> > 2) The culprit knew Arthur's username & password; >>>> > 3) A confederate Exchange Admin granted "User" or "Send as" >>>> permission >>>> > to culprit >>>> > 4) Culprit spoofed the message from an SMTP srvr, or >>>used a similar >>>> > serve from the web. >>>> > >>>> > Feel free to presume the obvious; and I can pass along a >>>> few details >>>> > that have be provide me. Care to contribute? >>>> > >>>> > Tim. >>>> > >>>> > _________________________________________________________________ >>>> > List posting FAQ: >>>http://www.swinc.com/resource/exch_faq.htm >>>> > Archives: >>>http://www.swynk.com/sitesearch/search.asp >>>> > To unsubscribe: mailto:[EMAIL PROTECTED] >>>> > Exchange List admin: [EMAIL PROTECTED] >>>> > >>>> > >>>> > _________________________________________________________________ >>>> > List posting FAQ: >>>http://www.swinc.com/resource/exch_faq.htm >>>> > Archives: >>>http://www.swynk.com/sitesearch/search.asp >>>> > To >>>unsubscribe: mailto:[EMAIL PROTECTED] >>>> > Exchange List admin: [EMAIL PROTECTED] >>>> > >>>> > _________________________________________________________________ >>>> > List posting FAQ: >>>http://www.swinc.com/resource/exch_faq.htm >>>> > Archives: >>> http://www.swynk.com/sitesearch/search.asp >>>> > To unsubscribe: mailto:[EMAIL PROTECTED] >>>> > Exchange List admin: [EMAIL PROTECTED] >>>> > >>>> > _________________________________________________________________ >>>> > List posting FAQ: >>>http://www.swinc.com/resource/exch_faq.htm >>>> > Archives: >>> http://www.swynk.com/sitesearch/search.asp >>>> > To unsubscribe: mailto:[EMAIL PROTECTED] >>>> > Exchange List admin: [EMAIL PROTECTED] >>>> > >>>> >>>> _________________________________________________________________ >>>> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm >>>> Archives: http://www.swynk.com/sitesearch/search.asp >>>> To unsubscribe: mailto:[EMAIL PROTECTED] >>>> Exchange List admin: [EMAIL PROTECTED] >>>> >>>> _________________________________________________________________ >>>> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm >>>> Archives: http://www.swynk.com/sitesearch/search.asp >>>> To unsubscribe: mailto:[EMAIL PROTECTED] >>>> Exchange List admin: [EMAIL PROTECTED] >>>> >>> >>>_________________________________________________________________ >>>List posting FAQ: http://www.swinc.com/resource/exch_faq.htm >>>Archives: http://www.swynk.com/sitesearch/search.asp >>>To unsubscribe: mailto:[EMAIL PROTECTED] >>>Exchange List admin: [EMAIL PROTECTED] >>> _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
