Security Basics mailing list archives
Re: RE: Tracking down anonymous user
From: christopherkelley () hotmail com
Date: 2 Jan 2007 15:57:13 -0000
I think that everyone here is missing the fact that if this is an internal user in an Exchange environment (unless you have a weird setup), the message should never reach the SMTP engine, so looking in the SMTP logs will be fruitless (provided it _is_ an internal user). The same goes for trying to view the message header information. Exchange handles internal email differently, especially in a single-server environment, so if there is a header, chances are it will be meaningless. Also, because it is a separate user account, looking in sent items/outboxes will also be a waste of time.

So... The first thing that I would do is to change the password on this account and evaluate the need for its existence. If it is just a shared email address that is needed, that is possible to set up without having a domain user account (and Exchange will log access to the inbox in case it happens again). Create the mailbox in Exchange and give each person the necessary permissions to the inbox. The Exchange server will wonderfully log by username all access to this mailbox, in the event that something like this happens again. If the account exists to share access to resources, consider giving the people access to those resources without having another account to blur the audit trail.

As far as finding out who did it, I'm not really sure. The beauty of having individual accounts really shines here. Audit trails and individual accountability are key. But, you may want to look in the audit logs of your domain controllers for logons and logoffs about the time the message was sent. It's been a while since I have looked at Domain Controller audit logs, but you may be able to see the workstation that the person was using to log in, which may tell you who did it.

Be very careful how you approach the next step, because if you don't cross your Ts and dot your Is, your legal recourse will be thrown away (I'm going to assume that you/your company will want to fire/punish this person). If you don't conduct your investigation properly, any evidence that you may collect may not be usable against this person. Depending on how far you and your company wish to take this, I'd recommend hiring a computer forensic specialist to conduct the investigation (that is, unless, of course, you have the necessary tools and skills on hand to do a proper job).

Sorry for the long post. Hope this helps all.
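The logon/logoff correlation the post suggests (look at domain controller audit events around the time the message was sent, then see which workstation the shared account was logged on from and who else uses that workstation) can be done mechanically once the security log is exported. The script below is an added example, not part of the original post or of any tool the thread mentions. It assumes a simplified pipe-separated export (timestamp, event ID, account, domain, workstation) that you would produce yourself from the DC security logs; the sample events are constructed, and the event IDs are the classic Windows 2000/2003 audit IDs (528/540 logon, 538 logoff) plus their Vista/2008 successors (4624/4634).

```python
"""Correlate Domain Controller logon/logoff audit events with the time a
message was sent, to find which workstation a (shared) account was logged
on from at that moment and which other accounts are seen on that workstation.

Added example for the discussion above. The export format below is an
ASSUMED, simplified "time|event_id|account|domain|workstation" layout, and
every event in SAMPLE_EXPORT is CONSTRUCTED for illustration.
"""
from datetime import datetime, timedelta

# Classic (Windows 2000/2003) security audit IDs: 528 = successful interactive
# logon, 540 = successful network logon, 538 = user logoff.
# Windows Vista/2008 and later use 4624 (logon) and 4634 (logoff).
LOGON_IDS = {528, 540, 4624}
LOGOFF_IDS = {538, 4634}

# Constructed sample export: the shared account "shared_hr" is the one that
# sent the message; "mjones" logged off WS-HR-07 a few minutes earlier.
SAMPLE_EXPORT = """\
2007-01-02 07:50:00|528|mjones|CORP|WS-HR-07
2007-01-02 08:55:10|528|jsmith|CORP|WS-ACCT-03
2007-01-02 08:58:00|538|mjones|CORP|WS-HR-07
2007-01-02 09:02:44|528|shared_hr|CORP|WS-HR-07
2007-01-02 09:10:05|540|svc_backup|CORP|FILESRV01
2007-01-02 09:31:20|538|shared_hr|CORP|WS-HR-07
2007-01-02 09:40:00|528|shared_hr|CORP|WS-ACCT-03
2007-01-02 10:15:33|538|jsmith|CORP|WS-ACCT-03
"""


def parse_events(text):
    """Parse the pipe-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, domain, ws = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(eid),
            "user": user,
            "domain": domain,
            "workstation": ws,
        })
    return events


def build_sessions(events):
    """Pair each logon with the next logoff for the same account+workstation.

    Sessions without a matching logoff are kept with end=None (still open
    at the end of the export).
    """
    open_sessions = {}
    sessions = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"].lower(), ev["workstation"].lower())
        if ev["id"] in LOGON_IDS:
            open_sessions[key] = {
                "user": ev["user"], "workstation": ev["workstation"],
                "start": ev["time"], "end": None,
            }
        elif ev["id"] in LOGOFF_IDS and key in open_sessions:
            session = open_sessions.pop(key)
            session["end"] = ev["time"]
            sessions.append(session)
    sessions.extend(open_sessions.values())
    return sorted(sessions, key=lambda s: s["start"])


def sessions_active_at(sessions, account, when, slack=timedelta(minutes=5)):
    """Sessions of `account` that overlap `when`, allowing `slack` for clock skew
    between the mail server and the domain controllers."""
    hits = []
    for s in sessions:
        if s["user"].lower() != account.lower():
            continue
        started_before = s["start"] <= when + slack
        still_open = s["end"] is None or s["end"] >= when - slack
        if started_before and still_open:
            hits.append(s)
    return hits


def accounts_seen_on(sessions, workstation):
    """All accounts that had a session on `workstation` in the export, sorted.
    A named user who logged off shortly before the shared account logged on
    is a natural lead for who was sitting at that machine."""
    return sorted({s["user"] for s in sessions
                   if s["workstation"].lower() == workstation.lower()})


if __name__ == "__main__":
    sent_at = datetime(2007, 1, 2, 9, 15, 0)  # constructed: time the message was sent
    sessions = build_sessions(parse_events(SAMPLE_EXPORT))
    for s in sessions_active_at(sessions, "shared_hr", sent_at):
        print(f"shared_hr was logged on at {s['workstation']} from {s['start']} to {s['end']}")
        print("  other accounts seen on that workstation:",
              [u for u in accounts_seen_on(sessions, s["workstation"]) if u != "shared_hr"])
```

The skew allowance matters in practice: the mail server's clock and the DCs' clocks are rarely in perfect step, so a session that ended a minute "before" the message was sent may still be the one you want. This narrows the candidates to a workstation and the named accounts that use it; as the post says, it is a lead for a properly conducted investigation, not proof on its own.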
Current thread:
- RE: Tracking down anonymous user Murda Mcloud (Jan 02)
- <Possible follow-ups>
- Re: Re: Tracking down anonymous user levinson_k (Jan 02)
- Re: Re: Tracking down anonymous user tima . soni (Jan 02)
- Re: Tracking down anonymous user Dani Houpt (Jan 02)
- RE: Tracking down anonymous user David A. Coursey (Jan 02)
- Re: Tracking down anonymous user Mat Benwell (Jan 02)
- Re: RE: Tracking down anonymous user christopherkelley (Jan 02)
- Re: RE: Tracking down anonymous user christopherkelley (Jan 02)
- RE: Tracking down anonymous user Scott Ramsdell (Jan 02)
- Re: Tracking down anonymous user killy (Jan 02)
- RE: Tracking down anonymous user Tom Geairn (Jan 02)
- Re: Re: Tracking down anonymous user mikef (Jan 02)
- RE: Tracking down anonymous user Gressick, Michael (Jan 02)
- Re: Re: Re: Tracking down anonymous user christopherkelley (Jan 04)