
E mail corruption / fraudulent use?

flango

I wonder if anybody can help with this one? Firstly we are running Outlook 2003 and Microsoft Exchange Server 2003.

I recently received a company e mail from a colleague in the Ukraine requesting some price information on various products, these prices then have to be authorised by the global pricing manager. I sent him the required information which he then forwarded on to the global price office manager for approval. (with me so far?)

Trouble is he forwarded the e mail from his own company address, but when it was received by the pricing manager it appeared as though it was sent directly from me (i.e. it was me in the From field not him) now this would not have been a problem if he had not changed the prices I sent. I have challenged him over this and I know he has done something to make it appear as though the e mail was from me, but he now reckons he does not understand what I mean and says his English is not good enough to understand :mad:

This throws up some security issues in the organisation if you can make it look as though an e mail has come from a different account other than your own.

Could anyone explain how this is possible?

Thanks for the help
 
In what format was the price list sent? If it was simple text within the email then that is easy to edit. I appreciate this is not a solution to your current problem, but what about resending the original price list in PDF format?
 
You can in some software change the Name etc. that the email appears to come from - servers don't usually (or at least did not) care about where the email comes from - just about where it is going to.

I think this is more doable in programs such as Outlook Express. Certainly I can't see a way to do it in Outlook 2007 when it is linked to an Exchange server, although if I set up an additional POP3 account, it might well be possible.

PDF are quite good for anything which is sensitive, where you do not wish to see the figures altered. There are quite a few packages out on the web now to create them which are free.
 
In what format was the price list sent? If it was simple text within the email then that is easy to edit. I appreciate this is not a solution to your current problem, but what about resending the original price list in PDF format?

Done exactly that attached it as a PDF which is what I should have done in the first place, still need to know how he changed the account so it looked as though it has come from me though:mad:
 
Spoofed yr e-mail address?

Open his e-mail, and look at the e-mail header. Did it come from yours/the correct organisation?
If it has an IP address do a reverse DNS lookup.
 
Spoofed yr e-mail address?

Open his e-mail, and look at the e-mail header. Did it come from yours/the correct organisation?
If it has an IP address do a reverse DNS lookup.

Yes it did come from mine and the correct organisation, no IP address just the internal address though
 
Just remembered, in Exchange you can also send an e-mail 'on behalf of' (for secretaries etc). Needs admin rights on the Exchange server iirc
 
Just remembered, in Exchange you can also send an e-mail 'on behalf of' (for secretaries etc). Needs admin rights on the Exchange server iirc

I know that one as the girl that works for me can send them on behalf of, but it says that on the mail, this appeared as a direct exchange between the 2 addresses with no 3rd party involvement
 
You need to get hold of the full email headers to see exactly what he's done. (It doesn't sound like you have the full headers.)

The easiest way would be for him to send it via some other mechanism than exchange (like his own POP address) but spoof the reply address. If this was done however, the headers would show it clearly.

I take it you have checked your mailbox permissions to make sure he can't genuinely access your mailbox and send mail using your ID. You could also get someone in IT to check AD to make sure he hasn't accidentally been assigned any special permissions that could allow this access.

Your password is also secure -yes?
 
You need to get hold of the full email headers to see exactly what he's done. (It doesn't sound like you have the full headers.)

The easiest way would be for him to send it via some other mechanism than exchange (like his own POP address) but spoof the reply address. If this was done however, the headers would show it clearly.

I take it you have checked your mailbox permissions to make sure he can't genuinely access your mailbox and send mail using your ID. You could also get someone in IT to check AD to make sure he hasn't accidentally been assigned any special permissions that could allow this access.

Your password is also secure -yes?

Yes on all counts I think, have also spoken to IT who are baffled, passwords, account profiles, permissions etc all look OK. Think you are right I don't have the full headers, thanks
 
E-mail spoofing is quite easy, but you have to want to do it...It does not happen by accident.

If the price list was in Word, Word actually keeps a record of all changes made so you could disassemble it to show what he has changed. Thus why you should always PDF documents when sending out. Saying that as he was internal why would you do that.

Have you spoken to him about it ?
 
E-mail spoofing is quite easy, but you have to want to do it...It does not happen by accident.

If the price list was in Word, Word actually keeps a record of all changes made so you could disassemble it to show what he has changed. Thus why you should always PDF documents when sending out. Saying that as he was internal why would you do that.

Have you spoken to him about it ?

Yes see original post he now reckons his English is not good enough to understand what I mean, yet he can interpret engineering drawings and program PLCs :mad:
 
Get your IT guy to check the logs on the exchange server.
This should have a log, including mail headers.
 
It's easy to set up the email to arrive to your recipient under a different name..... if you look at the email headers etc all will become clear though.
 
It's easy to set up the email to arrive to your recipient under a different name..... if you look at the email headers etc all will become clear though.

IT have the full headers and it looks like "spoofing" although this is new to me I must admit, will follow up tomorrow with them on the security issues it raises, but the supplying info in PDF will be my norm from now on thanks for all the help and guidance
 
get the full email header, copy, and paste into:
http://www.mxtoolbox.com/EmailHeaders.aspx

will give you detailed breakdown, rather than, what looks like a mess you have to decipher!

good little tool that... I do not own or am not advertising or am in no way affiliated with this website, it's just a good website, I use it for most of my troubleshooting, SPAM lists etc. for external domains, for my own domains, you are also able to check if there are any security loopholes in your system (and other systems, yes, but there is a disclaimer!)
 
to stop spoofed e-mails getting through your exchange server, you can turn on reverse DNS lookup from your server manager.
Might lose one or two legit e-mails though.
It will also cut down on spam that has got through your boundary filter
 
If someone has spoofed your address, there are legal issues as well.....
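
The header checks suggested in the thread (compare the visible From with the envelope sender, look for 'on behalf of' delegation, and find the IP of the first hop), as an added example that is not part of any post above. The sample message, the `example.com` / `example.net` names, the addresses and the `10.0.0.0/8` internal range are constructed assumptions.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample (all names and addresses are made up): the visible From
# is an internal user, but the message entered through an outside SMTP server.
RAW_SPOOFED = """\
Return-Path: <bob@mail.example.net>
Received: from mx.example.com (mx.example.com [10.0.0.5])
\tby exch01.example.com with ESMTP; Mon, 2 Mar 2009 10:15:04 +0000
Received: from smtp.example.net (smtp.example.net [203.0.113.25])
\tby mx.example.com with ESMTP; Mon, 2 Mar 2009 10:15:02 +0000
From: Alice <alice@example.com>
To: pricing@example.com
Subject: FW: Price list

Prices attached.
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

def addr(value):
    """Bare lower-cased address from a header value ('' if absent)."""
    return parseaddr(value or "")[1].lower()

def analyse(raw, internal_domain):
    """Return a list of header inconsistencies worth raising with IT."""
    msg = email.message_from_string(raw)
    frm = addr(msg["From"])
    frm_dom = frm.rpartition("@")[2]
    findings = []
    # 1. Envelope sender (Return-Path) from a different domain than From.
    rp_dom = addr(msg["Return-Path"]).rpartition("@")[2]
    if rp_dom and rp_dom != frm_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {frm_dom}")
    # 2. 'On behalf of' delegation is recorded in a separate Sender header.
    sender = addr(msg["Sender"])
    if sender and sender != frm:
        findings.append(f"sent by {sender} on behalf of {frm}")
    # 3. Received headers are prepended, so the last one is the first hop.
    hops = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1]) if hops else None
    if m and frm_dom == internal_domain:
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in INTERNAL_NETS):
            findings.append(f"internal From address but first hop is external IP {ip}")
    return findings

if __name__ == "__main__":
    for finding in analyse(RAW_SPOOFED, "example.com"):
        print("-", finding)
```

The external first-hop IP it reports is the address to run the reverse DNS lookup on.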
 
