?
Solved

Shadow messages are sent to un-intended user

Posted on 2004-09-08
13
Medium Priority
?
231 Views
Last Modified: 2013-12-18
We have a situation in our office where a user is getting email not addressed to her.  I sent a message with a return receipt to another user, and I got two: one from the intended user, and one from the "spy".  The person receiving the non-intended email has access to the Lotus server in an administrative capacity.  Where do I start looking on the server/workstations(s) to find how this is being done?  Obviously I believe this to be intentional, but needs to get turned off.
0
Comment
Question by:luftmeister
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2
13 Comments
 
LVL 24

Accepted Solution

by:
HemanthaKumar earned 672 total points
ID: 12006071
Check the mail db for any new mail agents.. probably that is trying to read/save the doc and might be causing the RR to be posted both from the user and signer of the agent ...

BTW, "SPY" will tell you the signer and look for specific user activity in the database

~Hemanth
0
 

Author Comment

by:luftmeister
ID: 12006199
Is there a specific mail agent that has the ability to intercept messages and send them to the spy?  I am unfamiliar with Lotus administration, how do I get to the mail DB?
0
 
LVL 14

Expert Comment

by:p_partha
ID: 12006230
PRobably ther eis a agent running in Mail.box which forwards the mail received from some 'User' to a 'SPY'. Check the mail.box for any scheduled agents

partha
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 6

Assisted Solution

by:tanelorn
tanelorn earned 664 total points
ID: 12006540
Hi
if someone looks at a mail message from the mail.box queue, and the return reciept bit is flipped, the "sender" will get a reciept from the client (user.id) that is looking at the documents in the queue. in this case,  your "spy"

so, all the person needs to do for this to happen is to poke around the mail.box database and open up documents.  I would imagine that there wouldn't be anything sinister unless all of the mail messages had attatchments...  or, as the others have pointed out,  an agent that is redirecting...  the text of the messages are not visible, but the attatchments can be looked at...

Tanelorn

0
 
LVL 6

Expert Comment

by:tanelorn
ID: 12006579
Hi again,

One thing that would disqualify my theory for your situation is if the "spy" is actually getting the mail in his/her mailbox.  if they are actually getting the mail, (which you alluded to, but didn't come out and say...)  then something else is going on...  but in your text  your proof was the return reciept...

Tanelorn
0
 
LVL 24

Expert Comment

by:HemanthaKumar
ID: 12006969
luftmeister,
We can assume that somebody is intercepting or genuinely an agent is written in the template and distributed by developer.. or there might be a change in the mail memo where cc or bcc is added specifically to a spy address and you are not aware.

So what you can do is send a mail trace and see what is happening. Check the delivery options , delivery report parameter
0
 

Author Comment

by:luftmeister
ID: 12007061
Thanks to all - I will be investigating this within the next few hours - and posting results.  I now have a starting point for this investigation!
0
 
LVL 24

Expert Comment

by:HemanthaKumar
ID: 12007081
Good Luck
0
 
LVL 31

Assisted Solution

by:qwaletee
qwaletee earned 664 total points
ID: 12008288
If the spy is "malicious," then this is what is PROBABLY happening.  He is opening the recipient's mail file, looking for interesting messages, and copying them to another database (probably a dummy local mail file or his own mail file) to read them.  It is also possible, but nlikely, that some code (an agent somewhere) copies the documents from the recipient to another file for this spy to read.

Here's why I say this.  If you get a document with RR request, Notes sends the RR as you open the document, then removes the RR request.  Otherwise, you would send a second RR if you opened the message later,  a second time, and so on.

So, there are only three reasons why a single message would generate two return receipts:

1) The message was actually mailed to multiple mailboxes, so multiple copies existed.

2) The first RR was generated by someone who had read-only access to the message.  Notes was unable to remove the RR request, so a seocnd person opening the message sent a second RR.

3) There are two copies of the message, which did not synchronize the RR removal with each other


#1 is normal if there is a group distribution, but you say there isn't.

#2 is unlikely for an administrator -- an admin with read only access?

Some version of #3 is most likely.  How could that come about?

3a) If there are two replicas, which have not replicated the RR removal form the first message copy into the second.  This is possible, but unlikely to occur on a regular basis.

3b) A perons copies the document, as a complete document (not a forwarded document) into another database.  That's what I would guess happened here.  A forwarded message doe snot carry the orignalting RR request with it.

3c) An automated process is doing the same as (3b).  That could exist in the intended recipient mail file, or completely independent of it.  Hard to tell.  You can try matching up the user activity history to agent manager log reports and other logged usage patterns.
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 12844999
Woudl be nice if we nknew the result anyway, maybe luftmeister is still listening?
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You’ve got a lotus Domino web server, and you have been told that “leverage browser caching” is a must do. This means that we have to tell the browser everywhere in the web to use cache. In other words, we set (and send) an expiration date in the HT…
For beginners of Lotus Notes user this is important to know about the types of files and their location supported by IBM Notes. Mostly users are unaware about how many file types are created and what their usages are. This Article is fully dedicated…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question