Solved

someone reads my emails ?

Posted on 2002-04-11
Last Modified: 2013-12-15
At my company we have RedHat7.x as server for web, email etc. I am concerned about the security of my email messages: does our administrator read our messages? Suppose I have access for minutes to our server. Where should I look for scripts or signs that copies of email messages are saved?
What about the messages I read from a POP server outside of our company?
Tell me what you would do if you wanted to spy on their messages, so I will know where to look.
I am willing to select more winners for the answer, each for 200 points!
Thanks.
Question by:jorj
15 Comments
 
LVL 2

Author Comment

by:jorj
ID: 6933703
ah, not to forget; do not lock this question please. I will select the best answers.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6933962
There are several ways that email can be monitored. And if those methods are properly configured you'd have to have root access to the server and/or other systems to determine if they exist. Some of the ways to monitor email are:

Modify the sendmail sources to include a logging function in the check_compat() facility. The logs might be written into some local directory (that only root can read) or they might be written via syslog to another system. To detect if this was happening you'd need to be able to check to see if the sendmail executable was the "as delivered" version and if it wasn't you'd have to determine if it included a logging modification. Not a simple task.

Install a libmilter filter to log mail. Like the above method, the logs might be local or on some other system. If libmilter was in use you could probably find the task or the socket it uses if you had root privs.

If the mail system is built around sendmail it might be running in debug mode, which would log all transactions. Again the logs might or might not be on the sendmail server. Depending on how sendmail was started in debug mode  you might be able to determine if it's running in that mode. If it's started in debug mode via an rc.d script you'd be able to tell. On the other hand if it is being manually started you probably couldn't tell if it's running in debug mode.

And someone could just log in to the server and examine any mail messages in your inbox. There could be scripts in use or it could be purely an interactive process. Such a way of monitoring mail wouldn't necessarily see all of the mail, but they might get a pretty good sample.

If there's a firewall between the mail server and the Internet it might have a mail monitor application. And depending on the type of firewall it might log locally or to another server.

Email monitors can be constructed that watch the SMTP traffic on the network. Since these are passive applications and wouldn't necessarily be running on the mail server you'd have to examine all systems that were on the network in a location that could see all of the SMTP traffic between the mail server and the internet. And it's possible to install one that can see just your email traffic in a different part of the network. Oh yes, and these sorts of systems can be built to run in stealth mode where you have to physically be able to find the system. They aren't visible on the network. Network sniffer monitors can log both SMTP traffic and/or POP/IMAP traffic. Which means that they could log your POP sessions.

Depending on how your mail system is constructed there might be an upstream relay server that all mail to/from your organization passes through that could be configured to log the mail.

All of this means that without the cooperation of your organization you aren't likely to be able to reliably determine if email is being monitored. Even with access to the mail server the only reliable information you could get would be if you found a logging function. A negative result could just mean that you aren't looking in the right place or don't have the privs to examine the right thing.

The simple solution is to just ask if email is being monitored. In many cases an organization that routinely monitors mail is willing to acknowledge that or actively publicizes the fact. Of course there are cases where they aren't willing to acknowledge their monitoring activities and the truly paranoid wouldn't trust a negative answer.

Also one should keep in mind that there's no legal basis for your expectation that your email is a private communication when you are using your organization's facilities to read or send mail. In a legal sense anything that occurs while using those facilities is within the rights of the organization to control and/or monitor. Much like the organization's right to examine anything in your desk or files with or without your knowledge or consent.

If you are truly concerned about the privacy of email, arrange to use encryption for your messages and never save any of the messages on your local system or anywhere else on your organization's network or servers. Of course, if active email monitoring is occurring, using encrypted messages could result in the loss of email privs. And the organization would be within their rights to deny email privs for traffic that they couldn't monitor.

The best advice is to make sure that nothing you do via email while at work could be construed to be a violation of your organization's policies or would otherwise be embarrassing if others had access to the email. What you do while not at work, within limits, is none of their business.
0
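The milter and debug-mode checks from jlevie's comment above, as an added example that is not part of the original thread: a shell sketch that lists milters declared in a sendmail.cf and flags debug or traffic-log switches in a startup script. The function names and sample files are constructed for illustration; `-X` is sendmail's traffic-log switch, which the comment does not name, and real file locations vary by release.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.
# For the "as delivered" binary check on an RPM system: rpm -V sendmail

# list_milters CF: print name, socket and state for each milter (X line);
# "active" means the name is also listed in "O InputMailFilters=".
list_milters() {
    active=$(sed -n 's/^O[[:space:]]*InputMailFilters=//p' "$1" | tr -d ' \t')
    sed -n 's/^X\([^,]*\),.*S=\([^,]*\).*/\1 \2/p' "$1" |
    while read -r name sock; do
        case ",$active," in
            *",$name,"*) state=active ;;
            *)           state=defined-only ;;
        esac
        printf '%s\t%s\t%s\n' "$name" "$sock" "$state"
    done
}

# find_debug_flags FILE...: print file:line:text for non-comment lines that
# carry -d<digits> (debug) or -X <file> (sendmail's traffic-log switch).
find_debug_flags() {
    grep -nE '[[:space:]"=]-(d[0-9]|X[[:space:]])' "$@" /dev/null |
    grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# make_samples DIR: write constructed stand-ins for sendmail.cf and an rc script.
make_samples() {
    cat > "$1/sendmail.cf" <<'EOF'
# constructed sample, not from a real host
O InputMailFilters=maillog
Xmaillog, S=local:/var/run/maillog.sock, F=T
Xspamchk, S=inet:3333@localhost
EOF
    cat > "$1/sendmail.init" <<'EOF'
# constructed sample rc.d fragment
# old: sendmail -bd -d21.12
daemon /usr/sbin/sendmail -bd -q1h -X /var/tmp/.m.log
[ -d /var/spool/mqueue ] || exit 0
EOF
}

# Demo; on a real host pass the actual files instead (paths vary by release).
demo=$(mktemp -d) && make_samples "$demo"
list_milters "$demo/sendmail.cf"
find_debug_flags "$demo/sendmail.init"
rm -rf "$demo"
```

As the comment itself notes, a clean result only covers what is readable on this one host; logging on a firewall, relay or passive sniffer would not show up here.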
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6934121
First off, I'd like to correct one minor misconception.  Unless your employer explicitly tells you they are monitoring, they are in violation of the US Wiretapping act if they do.  In most places, they do explicitly tell you they are monitoring, however.

Meanwhile, the one and only solution from the monitoree's standpoint is encryption.  See www.gpg.org.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6934503
I beg to differ. I don't have the court cases handy, but there have been a number of times that courts, at least in the US, have ruled that unannounced email monitoring by an employer or organization is legal. And as far as I know the wiretap laws don't apply to traffic on a public carrier like the Internet or cell phone transmissions. That's considered a broadcast mechanism and as such is excluded from protection under the current wiretap laws. I'll agree that an organization should make it a part of their published policy concerning acceptable use of email and that they reserve the right to examine email, files, etc., simply because that eliminates any uncertainty and provides a clear path for the organization to take if necessary.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6934656
This is based on advice I got last week from an Assistant US Attorney, so it should be valid.

According to him, the exceptions for wiretapping in these instances are:
1.  You can show that the employees had no expectation of privacy (banners, employment contract, etc.)
2.  You can show that you were doing the monitoring to protect your network from attack, tune the performance of your network, etc.
3.  You have an appropriate subpoena from the US DoJ or State government entity.

Almost all companies now have policies that say that computer systems exist for the benefit of the company and that the company reserves the right to monitor activities, so that satisfies #1.

You're also probably covered under #2 if you're keeping only header information and byte counts, since that's needed for performance tuning.

You should also be covered under #2 if you capture message text with something like an IDS.

But, I think it would be hard to argue that you're covered under #2 if the sys-admin browses people's email on the mail server.

On the other hand, there are very few court cases so your actual mileage may vary.
0
 
LVL 40

Accepted Solution

by:
jlevie earned 200 total points
ID: 6934758
Yeah, I've heard that same opinion from similar sources, and I've also heard the opinion that the wiretap laws don't apply from equally knowledgeable sources. And that's what they are, opinions based on an individual's interpretation of the law. As you pointed out what really matters is how the courts interpret the law and all of the cases that I know of support the view that the monitoring doesn't violate the law.

But we're digressing from this question. If you'd like to continue the discussion off-line contact me at jim@entrophy-free.net.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6934953
Reading the mail(box) by someone on the mail server can be done by:

- see jlevie's 1st comment ;-)
- configure the MUA to make a copy of each/specific mail (this is different to jlevie's check_compat() patch, 'cause it's a configurable MUA facility)
- start a sniffer on SMTP, POP, IMAP port (this can be done on any host in between the mail sender and the receiver)
- simply reading the mailbox itself

Of course, most actions need root (administrator) privileges.
0

 
LVL 1

Expert Comment

by:Dreamn3d
ID: 6934957
If I remember correctly, there was a case a few years ago about employees getting fired for talking about their boss via email.  Email that he happened to be monitoring.  Seems to me, if you are at work, you have no expectation of privacy.  Just like if you are walking on the street, you really can't expect that your picture won't be taken; and you pretty much have no recourse if someone does take your picture.  Anyway, seems to me jlevie gave you the best info in regards to "catching" your sysadmin monitoring email.
0
 
LVL 2

Author Comment

by:jorj
ID: 6936234
What a great help you guys are. I am very content with the answers I received. There is no doubt that jlevie won his points. I will leave the thread open to select other winner(s) too, and for jlevie I will post an empty question to reward him.
Thanks
0
 
LVL 2

Author Comment

by:jorj
ID: 6936239
0
 

Expert Comment

by:tallat
ID: 6953916
Well, first of all, the administrator has rights to check the mailbox of anybody and make another copy on the mail server, but if the administrator is going to check the mail in the mailbox, then your mails will be discarded due to opening them. Well, if you want to check the mails of anybody, then you have to go to the mail folder. Now, where does the mail folder exist? Your mail folder exists in /export/home; actually your own directory is your mail folder, where all your mail will be safe. So if you want to check your mails, then go to your mail folder, and check the mails for anyone if you have administrative rights; your POP mail folder is the folder of your name. Second, if you want to delete the mails or check the mails only on the server, then you will go to the /var/mail folder, where all the mails are routed from the server to outside and received for inside. OK.
0
 
LVL 2

Author Comment

by:jorj
ID: 6958278
tallat: didn't I ask you not to lock this question? Your answer brought nothing new for me. Sorry. I expect better answers like others had. Thank you anyway.
0
 
LVL 1

Expert Comment

by:Dreamn3d
ID: 6958325
Was I on a "Seems to me" kick that day or what?


:)

Jess
0
 
LVL 2

Author Comment

by:jorj
ID: 6960877
no, no kick here (maybe tallat a little) :)
I will decide in a few days who else gets these points.
Jorj
0
 
LVL 3

Expert Comment

by:hnminh
ID: 6974438
As an administrator, i.e. having full control of the whole computer system, there would be hundreds of ways to read someone's email on that network. Some email server software even provides a "catch-all" feature which allows a company's managers to have a copy of all email traffic. I think the first thing you should know is whether there is a company policy allowing your network admin to do this. Overall, using a POP3 service over a secure (encrypted) connection will help to make this spying job harder.
0
