Security Basics mailing list archives

RE: Exchange <--> Outlook Monitoring


From: Crispin.Harris () didata com au
Date: Fri, 25 Feb 2005 11:05:02 +0800

BE CAREFUL when intercepting mail!



As Jeff said, you need to be VERY careful in this area, the laws will be
different in different jurisdictions, and will almost certainly not be
supported by existing decisions.



In Australia, it is entirely possible(1) that the inspection(2) of e-mail
in-transit would constitute a "wire-tap", and without a court-order and
legislatively supported authority(3), this would then be a federal
telecommunications offense(4).



One interpretation of the Australian law would mean that any circuit level
inspection(5) not being used to ensure the continuity and operation of the
network may be covered by federal legislation, and thus may not be
controllable/overridden by corporate policy or contracts.



NOTES:

(1) This has not been tested in Australian courts as yet, and while there
"may be" room to haggle, the wording of the federal Telecommunications
Act's definition for "communication"(6) does appear to cover e-mail.

(2) Inspection includes duplication, storage, redirection - basically any
sort of "tap" - there is specific exclusion for activities required to
ensure the continuing operation of the network/infrastructure.

(3) In Australia the only people who are *ALLOWED* to record/inspect a
communication are: The people involved in the communication (i.e. the
participants) and legally recognized law enforcement bodies. (and of course
the small group of exceptions....)

(4) Minimum jail terms, federal courts, less levels of appeal - all that
sort of stuff...

(5) If the communication does not leave the corporate environment, then it
*MAY NOT* be covered by federal law.

(6) A "communication" is how they defined a "call" or other session
traversing a network.



(Oh what an easy world we live in!)



Cheers and good luck,

      Crispin Harris



________________________________________

From: "Jeff Gercken" <JeffG () kizan com> [mailto:"Jeff Gercken" <JeffG () kizan com>]
Sent: Tuesday, 22 February 2005 3:21 AM
To: "Steve Gan" <SGan () keysys com>; "Doll, Josh" <Doll () pbworld com>; <security-basics () securityfocus com>
Subject: RE: Exchange <--> Outlook Monitoring

If you have the authority to intercept their mail you can just connect
to the exchange server and mount their mailbox. If you are not
officially sanctioned/authorized you'll probably be violating your
company's security policy. Your actions need to be legit as well as
theirs otherwise if you do find something as much attention will be on
you as on them. Been there, done that, not going there again.

If you insist on working in the grey, you might try nabbing their
credentials by shoulder surfing, keylogging, etc. This would probably
be easier than sniffing and decrypting the mapi traffic, or mitm.

-jeff



-----Original Message-----
From: Steve Gan [mailto:SGan () keysys com]
Sent: Monday, January 31, 2005 8:52 PM
To: Doll, Josh; security-basics () securityfocus com
Subject: RE: Exchange <--> Outlook Monitoring

There are 2 solutions from GFI that will allow you to easily audit email
communications. The solutions allow you to easily fulfill regulatory
requirements (such as the Sarbanes-Oxley Act) and provide users with
easy, centralized access to past email via a web-based search interface.

If the subcon uses your exchange server for email access, then you can
use the MailArchiver for Exchange product.

If you use a firewall that could redirect all SMTP traffic to a
designated SMTP gateway, then you might be able to use the Mail
Monitoring and/or Mail Archiving feature of MailEssentials for
Exchange/SMTP.

Hope this helps.

Steve Gan
KEYSYS INC
Phone: +63 (2) 920-8476 to 77
Fax: +63 (2) 920-8533
Mobile: +63 (917) 816-8476
Email: sgan () keysys com
Website: http://www.keysys.com/



-----Original Message-----
From: Doll, Josh [mailto:Doll () pbworld com]
Sent: Friday, January 28, 2005 9:27 AM
To: security-basics () securityfocus com
Subject: Exchange <--> Outlook Monitoring

Is there any effective way of capturing exchange / outlook data from a
3rd party machine? We have a number of sub consultants with email access
from our company, whose email needs to be monitored / archived for
breach of contract and sharing of company secrets. Problem is, we don't
maintain our exchange server here in this office, and the office that
does is unwilling to cooperate in this matter (Read: upper management
catfight). Therefore we need a way to ensure that what they send and
receive is legit. It is a relatively small number of users (~5) that are
still on our LAN that need to be monitored, the rest have been moved to
another subnet without company email.

My understanding is that it is nowhere near as easy to capture these
emails when it is an exchange environment vs. the options available when
using POP or others.

Any help, or nudges in the right direction would be helpful.

C. Josh Doll
Network Administrator - Houston
Parsons Brinckerhoff




