BE CAREFUL when intercepting mail!
As Jeff said, you need to be VERY careful in this area, the laws will be
different in different jurisdictions, and will almost certainly not be
supported by existing decisions.
In Australia, it is entirely possible(1) that the inspection(2) of e-mail
in-transit would constitute a "wire-tap", and without a court-order and
legislatively supported authority(3), this would then be a federal
telecommunications offense(4).
One interpretation of the Australian law would mean that any circuit level
inspection(5) not being used to ensure the continuity and operation of the
network may be covered by federal legislation, and thus may not be
controllable/overridden by corporate policy or contracts.
NOTES:
(1) This has not been tested in Australian courts as yet, and while there
"may be" room to haggle, the wording of the federal Telecommunications
Act's definition for "communication"(6) does appear cover e-mail.
(2) Inspection includes duplication, storage, redirection - basically any
sort of "tap" - there is specific exclusion for activities required to
ensure the continuing operation of the network/infrastructure.
(3) In Australia the only people who are *ALLOWED* to record/inspect a
communication are: The people involved in the communication (i.e. the
participants) and legally recognized law enforcement bodies. (and of course
the small group of exceptions....)
(4) Minimum jail terms, federal courts, less levels of appeal - all that
sort of stuff...
(5) If the communication does not leave the corporate environment, then it
*MAY NOT* be covered by federal law.
(6) A "communication" is how they defined a "call" or other session
traversing a network.
(Oh what an easy world we live in!)
Cheers and good luck,
Crispin Harris
________________________________________
From: "Jeff Gercken" <JeffG@kizan.com> [mailto:"Jeff Gercken"
<JeffG@kizan.com>]
Sent: Tuesday, 22 February 2005 3:21 AM
To: "Steve Gan" <SGan@keysys.com>; "Doll, Josh" <Doll@pbworld.com>;
<security-basics@securityfocus.com>
Subject: RE: Exchange <--> Outlook Monitoring
If you have the authority to intercept their mail you can just connect
to the exchange server and mount their mailbox. If you are not
officially sanctioned/authorized you'll probably be violating your
company's security policy. Your actions need to be legit as well as
theirs otherwise if you do find something as much attention will be on
you as on them. Been there, done that, not going there again.
If you insist on working in the grey, you might try nabbing their
credentials by shoulder surfing, keylogging, etc. This would probably
be easier than sniffing and decrypting the mapi traffic, or mitm.
-jeff
-----Original Message-----
From: Steve Gan [mailto:SGan@keysys.com]
Sent: Monday, January 31, 2005 8:52 PM
To: Doll, Josh; security-basics@securityfocus.com
Subject: RE: Exchange <--> Outlook Monitoring
There are 2 solutions from GFI that will allow you to easily audit email
communications. The solutions allows you to easily fulfill regulatory
requirements (such as the Sarbanes-Oxley Act) and provide users with
easy, centralized access to past email via a web-based search interface.
If the subcon uses your exchange server for email access, then you can
use the MailArchiver for Exchange product.
If you use a firewall that could redirect all SMTP traffic to a
designated SMTP gateway, then you might be able to use the Mail
Monitoring and/or Mail Archiving feature of MailEssentials for
Exchange/SMTP.
Hope this helps.
Steve Gan
KEYSYS INC
Phone: +63 (2) 920-8476 to 77
Fax: +63 (2) 920-8533
Mobile: +63 (917) 816-8476
Email: sgan@keysys.com
Website: http://www.keysys.com/
-----Original Message-----
From: Doll, Josh [mailto:Doll@pbworld.com]
Sent: Friday, January 28, 2005 9:27 AM
To: security-basics@securityfocus.com
Subject: Exchange <--> Outlook Monitoring
Is there any effective way of capturing exchange / outlook data from a
3rd
party machine? We have a number of sub consultants with email access
from
our company, who's email needs to be monitored / archived for breech of
contract and sharing of company secrets. Problem is, we don't maintain
our
exchange server here in this office, and the office that does is
unwilling
to cooperate in this matter (Read: upper management catfight).
Therefore we
need a way to ensure that what they send and receive is legit. It is a
relatively small number of users
(~5) that are still on our LAN that need to be monitored, the rest have
been
moved to another subnet without company email.
My understanding is that it is nowhere near as easy to capture these
emails
when it is an exchange environment vs.. the options available when using
POP
or others.
Any help, or nudges in the right direction would be helpful.
C. Josh Doll
Network Administrator - Houston
Parsons Brinckerhoff
-----------------------------------------------------------------
KEYSYS INC
This communication is confidential and intended only for the use
of the individual(s) to whom it is addressed. The information
contained in it may be the subject of professional privilege or
protected from disclosure for other reasons. If you are not the
intended addressee, please delete it, notify the sender, and do
not disclose or reproduce any part of it without specific
consent.
This mail was content checked for malicious code and viruses by
MailSecurity. MailSecurity provides email content checking,
exploit detection and anti-virus for Exchange. Spam, viruses,
dangerous attachments & offensive content are removed
automatically. Key features include:
. Multiple virus engines;
. Email content & attachment checking;
. Exploit shield - email intrusion detection & defence;
. Email threats engine - analyses & defuses HTML scripts, .exe
files & more.
In addition to MailSecurity, GFI also produces the FAXmaker fax
server & LANguard network security product ranges. For more
information on our products, please visit http://www.keysys.com.
This disclaimer was sent by Mail essentials for Exchange/SMTP
-----------------------------------------------------------------
******************************************************************************
- NOTICE FROM DIMENSION DATA AUSTRALIA
This message is confidential, and may contain proprietary or legally privileged
information. If you have received this email in error, please notify the
sender and delete it immediately.
Internet communications are not secure. You should scan this message and any
attachments for viruses. Under no circumstances do we accept liability for any
loss or damage which may result from your receipt of this message or any
attachments.
******************************************************************************
