Penetration Testing mailing list archives

Re: [PEN-TEST] eMail auditing problem


From: DA Smith <deb () SANDSTORM NET>
Date: Thu, 14 Sep 2000 08:41:37 -0400

Exactly.  Documentation is *everything* in this kind of scenario.

At my last job, where I occasionally worked with the Security unit of an
ISP, we had to document *everything* - Log files, Email complaints and Spam,
Trace Routes, etc. Our Manager would take this documentation to court with
him in support of (or against) our customers when the time came.

Once you've documented everything, I suggest contacting your upstream ISP.
Document what they say and do too :). If they are useless after several
attempts, go around them and contact their upstream ISP. If you end up doing
that though, the upstream will have to bring in your ISP, who is their legal
customer. However, you've made the contact and can document this as well,
and may even get a ticket number from them to give to your ISP.

A really good ISP will work with you as much as they legally can. They
may help contact the ISP of the hacking source, if it is outside their domain, to
deal with this.

-Deb


----- Original Message -----
From: Mathew Bevan <listhandler () NTLWORLD COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Wednesday, September 13, 2000 4:31 PM
Subject: Re: [PEN-TEST] eMail auditing problem


Note,

If you reinstall ANYTHING, be sure that you have forensically frozen the
scene. Make backups of everything; generally, if you just go ahead and
reinstall, your prosecution would fail.

- the mail server is hacked => reinstall it, try to prosecute the hacker

- the boss's box is compromised (BO2K), and all his keystrokes are logged
- surely some others ...

Unlikely, but there are some nifty devices which clip between the keyboard
and the computer. Great fun in physical tests, I assure you.. 8-)

Mathew Bevan
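An added example, not from either post, of what "freezing the scene" and "documenting everything" look like in practice: before the box is reinstalled, hash every file in a preserved copy into a manifest (with the manifest's own hash noted in the case log), and use the same manifest later to show that nothing in the copy changed or went missing. File names and paths here are constructed for illustration.

```python
import hashlib
import json
import os
import time


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large logs and mail spools do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Record relative path, size, mtime and SHA-256 of every regular file under root.

    The returned dict also carries a hash over the file table itself; that value
    belongs in the hand-written case notes so the manifest file can later be
    shown to be the one produced at collection time.
    """
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and specials are noted elsewhere, not hashed
            st = os.stat(full)
            entries[os.path.relpath(full, root)] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": sha256_file(full),
            }
    table = json.dumps(entries, sort_keys=True).encode()
    return {
        "collected_at": int(time.time()),
        "root": os.path.abspath(root),
        "files": entries,
        "manifest_sha256": hashlib.sha256(table).hexdigest(),
    }


def verify_manifest(manifest, root):
    """Return the files whose content changed or that disappeared since collection."""
    problems = []
    for rel, rec in sorted(manifest["files"].items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems.append(rel + " (missing)")
        elif sha256_file(full) != rec["sha256"]:
            problems.append(rel + " (modified)")
    return problems
```

Keep the manifest and its recorded hash on separate media from the preserved copy; a manifest stored next to the evidence it describes proves little.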


