Security Basics mailing list archives
Re: Exchange <--> Outlook Monitoring
From: Joe Hood <joe.hood () gmail com>
Date: Mon, 31 Jan 2005 14:51:08 -0500
What about blocking RPC and forcing POP/SMTP, then sniffing?

On Fri, 28 Jan 2005 11:45:15 -0800, Eric McCarty <eric () piteduncan com> wrote:

Sorry, I misunderstood. I thought we were talking about mail sent via the IMS. It didn't occur to me that confidential stuff would be passed within the company, especially not between outside consultants.

-----Original Message-----
From: Presley, Steven [mailto:evetsleep () gmail com]
Sent: Friday, January 28, 2005 11:41 AM
To: Eric McCarty
Cc: Doll, Josh; security-basics () securityfocus com
Subject: Re: Exchange <--> Outlook Monitoring

Unfortunately Outlook --> Exchange does not use SMTP. It uses MAPI (RPC), which is not plaintext (it's encrypted to some degree, depending on how the client is set up). Because the MAPI traffic is encrypted I think your options on sniffing the traffic to figure out what they are sending\receiving is not going to happen.

The proper solution is getting management\HR approval for journaling and getting your Exchange administrators to configure the database that they are on to journal everything to a dedicated mailbox. I realize that you stated that management will not approve, but unfortunately your options are limited if you do not manage the Exchange server and if management won't help.

In fact, is there not significant risk to your job in trying to pull something like this off without management\HR approval? Most companies would not look too kindly on someone doing this without the proper approval.

Best regards,
Steven

On Fri, 28 Jan 2005 11:28:09 -0800, Eric McCarty <eric () piteduncan com> wrote:

Since SMTP is plain text it can be pulled off the wire @ the gateway. If you're patient enough to use ethereal w/ a filter you can pull all SMTP from a certain IP. Or you can use a graphical IDS like the Etrust product, which isn't free but provides an easier and cleaner interface for such things.

E.

-----Original Message-----
From: Doll, Josh [mailto:Doll () pbworld com]
Sent: Friday, January 28, 2005 8:27 AM
To: security-basics () securityfocus com
Subject: Exchange <--> Outlook Monitoring

Is there any effective way of capturing exchange / outlook data from a 3rd party machine? We have a number of sub consultants with email access from our company, whose email needs to be monitored / archived for breach of contract and sharing of company secrets. Problem is, we don't maintain our exchange server here in this office, and the office that does is unwilling to cooperate in this matter (Read: upper management catfight). Therefore we need a way to ensure that what they send and receive is legit.

It is a relatively small number of users (~5) that are still on our LAN that need to be monitored; the rest have been moved to another subnet without company email. My understanding is that it is nowhere near as easy to capture these emails when it is an exchange environment vs. the options available when using POP or others.

Any help, or nudges in the right direction would be helpful.

C. Josh Doll
Network Administrator - Houston
Parsons Brinckerhoff