I seem to recall that the password change requires the current password to be entered before changing. Makes your suggestion a little hard to implement.
Personally, I would have taken a screenshot of the desktop, as is. Set the screenshot as the wallpaper, hide the taskbar, and move all icons off the desktop. Then set up a web cam. Not that I've ever done that, mind you, but it just came to mind.

Roger
------------------------------------------------------
Roger D. Seielstad - MCSE MCT
Senior Systems Administrator
Peregrine Systems
Atlanta, GA
http://www.peregrine.com

> -----Original Message-----
> From: Monteleone-Haught Matt - Millville [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 19, 2001 4:36 PM
> To: Exchange Discussions
> Subject: RE: Investigating a Forged Message
>
> Said prankster should have in addition to sending the message [1]
> changed his password to "Don'tLeaveYourWorkstationUnlockedFool" and
> then locked the workstation.
>
> Matthew
> [1] I don't advocate what said prankster did [2]
> [2] although I did get a good chuckle out of it [3]
> [3] considering I had a rotten day because of a clueless VP.[4]
> [4] I don't know Sherry [5] but I think you're supposed to say Hi,
>     so Hi Sherry
> [5] Not that I've had the opportunity or wouldn't welcome the
>     opportunity.
>
> >>>-----Original Message-----
> >>>From: Chris Scharff [mailto:[EMAIL PROTECTED]]
> >>>Sent: Friday, October 19, 2001 3:57 PM
> >>>To: Exchange Discussions
> >>>Subject: RE: Investigating a Forged Message
> >>>
> >>>So, the only head which really needs to be on a pike is that of
> >>>one Mr. McDonald?
> >>>
> >>>Chris
> >>>--
> >>>Chris Scharff
> >>>Senior Sales Engineer
> >>>MessageOne
> >>>If you can't measure, you can't manage!
> >>>
> >>>> -----Original Message-----
> >>>> From: Tim Ault [mailto:[EMAIL PROTECTED]]
> >>>> Sent: Friday, October 19, 2001 2:58 PM
> >>>> To: Exchange Discussions
> >>>> Subject: RE: Investigating a Forged Message
> >>>>
> >>>> ha.. actually I just learned he 'was' asked that question..
> >>>>
> >>>> Turns out, ol' McDonald was away from his desk from 9 till
> >>>> 10am and left his box accessible. All indications are that
> >>>> the message was sent from the client on his desk. The message
> >>>> was found in the Sent Items of his mailbox. There appears to
> >>>> have been no logon recorded in Admin during that hour
> >>>> (implying his mailbox was not opened from another PC), and
> >>>> there were no suspicious 1016's (implying the Admin was not
> >>>> in on it). The message was of blue Arial font (implying OWA
> >>>> was not used to send it, and his password is secure), and
> >>>> there was no access recorded by the box acting as the SMTP
> >>>> server (implying O.E. was not used to send it, and his creds
> >>>> are secure). Oh.. and someone saw somebody at his desk around
> >>>> the time (implying.. oh hell..)
> >>>>
> >>>> so they figured it out.
> >>>> this was not quite the challenge I thought it'd be.
> >>>>
> >>>> Tim.
> >>>>
> >>>> -----Original Message-----
> >>>> From: Tom Meunier [mailto:[EMAIL PROTECTED]]
> >>>> Sent: Friday, October 19, 2001 12:38 PM
> >>>> To: Exchange Discussions
> >>>> Subject: RE: Investigating a Forged Message
> >>>>
> >>>> Ask McDonald, "Where exactly were you at 9:19AM this morning,
> >>>> and for how long before that, and who knew?"
> >>>>
> >>>> i.e. was he in the washroom with his $250 Italian leathers
> >>>> poking out underneath the stall, making noises that indicated
> >>>> extreme abdominal discomfort... :)
> >>>>
> >>>> > -----Original Message-----
> >>>> > From: Tim Ault [mailto:[EMAIL PROTECTED]]
> >>>> > Posted At: Friday, October 19, 2001 11:13 AM
> >>>> > Posted To: MSExchange Mailing List
> >>>> > Conversation: Investigating a Forged Message
> >>>> > Subject: RE: Investigating a Forged Message
> >>>> >
> >>>> > Thanks.
> >>>> >
> >>>> > I believe item #1 (of my post) is most probable..
> >>>> > hell, I must leave OL2k open and unattended on my PC a dozen
> >>>> > times every day for minutes at a stretch.
> >>>> >
> >>>> > However, this takes balls. Considering the length and articulate
> >>>> > phrasing of the message, it seems the person would have spent an
> >>>> > inordinate amount of time at McDonald's desk. Certainly someone
> >>>> > should have seen somebody there.
> >>>> >
> >>>> > I have recommended they check the EV on the server which
> >>>> > McDonald's mailbox resides for EV 1016's.. just in case the
> >>>> > Admin was in on it.
> >>>> >
> >>>> > Tim.
> >>>> >
> >>>> > -----Original Message-----
> >>>> > From: Wright, Steven [mailto:[EMAIL PROTECTED]]
> >>>> > Sent: Friday, October 19, 2001 11:47 AM
> >>>> > To: Exchange Discussions
> >>>> > Subject: RE: Investigating a Forged Message
> >>>> >
> >>>> > It appears that it was sent via Exchange since there are no
> >>>> > internet addresses in the TO: FROM: fields. Also, if you check
> >>>> > the headers and there is nothing there, then you have the
> >>>> > culprit in-house and logging on legitimately via the user's
> >>>> > account. The original suggestions below are probably what
> >>>> > occurred.
> >>>> >
> >>>> > How accessible is the VP's computer? Maybe someone took a quick
> >>>> > opportunity at an unattended computer. If they were very
> >>>> > clever, they might have set the message to delay a day or so
> >>>> > before delivery.
> >>>> >
> >>>> > Hope everyone at the company took it seriously and went home ;-)
> >>>> >
> >>>> > Steve
> >>>> >
> >>>> > -----Original Message-----
> >>>> > From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
> >>>> > Sent: Friday, October 19, 2001 11:39 AM
> >>>> > To: Exchange Discussions
> >>>> > Subject: RE: Investigating a Forged Message
> >>>> >
> >>>> > Headers, Let us see the headers.
> >>>> >
> >>>> > -----Original Message-----
> >>>> > From: [EMAIL PROTECTED]
> >>>> > [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Ault
> >>>> > Sent: Friday, October 19, 2001 8:33 AM
> >>>> > To: Exchange Discussions
> >>>> > Subject: Investigating a Forged Message
> >>>> >
> >>>> > Here's a little something some of you may enjoy this fine
> >>>> > Friday.. put on your investigator hats..
> >>>> >
> >>>> > My wife forwarded this message to me:
> >>>> >
> >>>> > > From: McDonald, Arthur K.
> >>>> > > Sent: Friday, October 19, 2001 9:19 AM
> >>>> > > To: EPDS Contractors; EPDS - EPI Data Systems
> >>>> > > Subject: Much to be grateful for...
> >>>> > >
> >>>> > > All of us in this division have much to be grateful for and
> >>>> > > for that reason, I would like to encourage each of you to go
> >>>> > > home at noon today. You may use my annual leave since I have
> >>>> > > far more than I will ever use. Go home, be with your
> >>>> > > families, talk with your neighbors, love life and be
> >>>> > > grateful for all we have in this great nation of ours. Then
> >>>> > > come back on Monday refreshed and ready to take on the
> >>>> > > world!
> >>>> >
> >>>> > ahem.. *chortle* ..well, in any event, "Arthur", VP (Very
> >>>> > Pissed), wants a head on a pike. I will offer to him (via my
> >>>> > woman) the following likely prospects:
> >>>> >
> >>>> > 1) The culprit got direct access to OL2k on the desktop;
> >>>> > 2) The culprit knew Arthur's username & password;
> >>>> > 3) A confederate Exchange Admin granted "User" or "Send as"
> >>>> >    permission to culprit
> >>>> > 4) Culprit spoofed the message from an SMTP srvr, or used a
> >>>> >    similar serve from the web.
> >>>> >
> >>>> > Feel free to presume the obvious; and I can pass along a few
> >>>> > details that have been provided to me. Care to contribute?
> >>>> >
> >>>> > Tim.
_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]