Re: Exchange <--> Outlook Monitoring

Subject: Re: Exchange <--> Outlook Monitoring
Date: Fri, 28 Jan 2005 14:40:31 -0500
Unfortunately Outlook --> Exchange does not use SMTP.  It uses MAPI
(RPC) which is not plaintext (it's encrypted to some degree, depending
on how the client is set up).  Because the MAPI traffic is encrypted I
think your options on sniffing the traffic to figure out what they are
sending\receiving are not going to happen.  The proper solution is
getting management\HR approval for journaling and getting your Exchange
administrators to configure the database that they are on to journal
everything to a dedicated mailbox.  I realize that you stated that
management will not approve, but unfortunately your options are
limited if you do not manage the Exchange server and if management
won't help.  In fact, is there not significant risk to your job in
trying to pull something like this off without management\HR approval?
Most companies would not look too kindly on someone doing this
without the proper approval.

Best regards,
Steven


On Fri, 28 Jan 2005 11:28:09 -0800, Eric McCarty <eric@piteduncan.com> wrote:
Since SMTP is plain text it can be pulled off the wire @ the gateway; if
you're patient enough to use Ethereal w/ a filter you can pull all SMTP
from a certain IP. Or you can use a graphical IDS like the Etrust
product which isn't free but provides an easier and cleaner interface
for such things.

E.

-----Original Message-----
From: Doll, Josh [mailto:Doll@pbworld.com]
Sent: Friday, January 28, 2005 8:27 AM
To: security-basics@securityfocus.com
Subject: Exchange <--> Outlook Monitoring

Is there any effective way of capturing Exchange / Outlook data from a
3rd party machine?  We have a number of sub consultants with email
access from our company, whose email needs to be monitored / archived
for breach of contract and sharing of company secrets.  Problem is, we
don't maintain our Exchange server here in this office, and the office
that does is unwilling to cooperate in this matter (Read: upper
management catfight).  Therefore we need a way to ensure that what they
send and receive is legit.  It is a relatively small number of users
(~5) that are still on our LAN that need to be monitored, the rest have
been moved to another subnet without company email.

My understanding is that it is nowhere near as easy to capture these
emails when it is an Exchange environment vs. the options available
when using POP or others.

Any help, or nudges in the right direction would be helpful.

C. Josh Doll
Network Administrator - Houston
Parsons Brinckerhoff

