RE: Exchange <--> Outlook Monitoring

["Jeff Gercken" <JeffG () kizan com>]

If you have the authority to intercept their mail you can just connect
to the exchange server and mount their mailbox.  If you are not
officially sanctioned/authorized you'll probably be violating your
company's security policy.  Your actions need to be legit as well as
theirs otherwise if you do find something as much attention will be on
you as on them.  Been there, done that, not going there again.

If you insist on working in the grey, you might try nabbing their
credentials by shoulder surfing, keylogging, etc.  This would probably
be easier than sniffing and decrypting the mapi traffic, or mitm.

-jeff

-----Original Message-----
From: Steve Gan [mailto:SGan () keysys com] 
Sent: Monday, January 31, 2005 8:52 PM
To: Doll, Josh; security-basics () securityfocus com
Subject: RE: Exchange <--> Outlook Monitoring

There are 2 solutions from GFI that will allow you to easily audit email
communications.  The solutions allows you to easily fulfill regulatory
requirements (such as the Sarbanes-Oxley Act) and provide users with
easy, centralized access to past email via a web-based search interface.

If the subcon uses your exchange server for email access, then you can
use the MailArchiver for Exchange product.

If you use a firewall that could redirect all SMTP traffic to a
designated SMTP gateway, then you might be able to use the Mail
Monitoring and/or Mail Archiving feature of MailEssentials for
Exchange/SMTP.

Hope this helps.

Steve Gan
KEYSYS INC
Phone: +63 (2) 920-8476 to 77
Fax: +63 (2) 920-8533
Mobile: +63 (917) 816-8476
Email: sgan () keysys com
Website: http://www.keysys.com/

-----Original Message-----
From: Doll, Josh [mailto:Doll () pbworld com] 
Sent: Friday, January 28, 2005 9:27 AM
To: security-basics () securityfocus com
Subject: Exchange <--> Outlook Monitoring

Is there any effective way of capturing exchange / outlook data from a
3rd
party machine?  We have a number of sub consultants with email access
from
our company, who's email needs to be monitored / archived for breech of
contract and sharing of company secrets.  Problem is, we don't maintain
our
exchange server here in this office, and the office that does is
unwilling
to cooperate in this matter (Read: upper management catfight).
Therefore we
need a way to ensure that what they send and receive is legit.  It is a
relatively small number of users
(~5) that are still on our LAN that need to be monitored, the rest have
been
moved to another subnet without company email. 

My understanding is that it is nowhere near as easy to capture these
emails
when it is an exchange environment vs.. the options available when using
POP
or others.

Any help, or nudges in the right direction would be helpful.

C. Josh Doll
Network Administrator - Houston
Parsons Brinckerhoff


-----------------------------------------------------------------
KEYSYS INC

This communication is confidential and intended only for the use
of the individual(s) to whom it is addressed.  The information
contained in it may be the subject of professional privilege or
protected from disclosure for other reasons.  If you are not the
intended addressee, please delete it, notify the sender, and do
not disclose or reproduce any part of it without specific
consent.

This mail was content checked for malicious code and viruses by
MailSecurity. MailSecurity provides email content checking,
exploit detection and anti-virus for Exchange. Spam, viruses,
dangerous attachments & offensive content are removed
automatically. Key features include:

. Multiple virus engines;
. Email content & attachment checking;
. Exploit shield - email intrusion detection & defence;
. Email threats engine - analyses & defuses HTML scripts, .exe
files & more.

In addition to MailSecurity, GFI also produces the FAXmaker fax
server & LANguard network security product ranges. For more
information on our products, please visit http://www.keysys.com.

This disclaimer was sent by Mail essentials for Exchange/SMTP 
-----------------------------------------------------------------