Solved

A Blank message? How?

Posted on 2006-07-21
Last Modified: 2010-04-08
OK, we have a situation where I work. Our HR person received an inappropriate picture from someone over here in Iraq. The person in question has his company laptop in his room. I checked his last sent message last night and the last one sent was at 9:43pm. Now, looking at his delete folder, there is a blank message in there, at least two. The strange thing is that the HR person sees the time stamp at 12:20am, and that was the time stamp on this blank message.

I asked the person and he says he saw this message in his inbox this morning, saw it was blank and deleted it. OK, he had asked me to look at his Outlook this a.m. before all the stink. This a.m. he says he can't see the From line on the view screen when Outlook first comes up, but I figured that problem out; first time I have really seen it. Somehow in the reading pane the From option was at the far right; dragging it back to the left brought it back into view.

My question: has anyone ever seen a completely blank message with just a time stamp? Is it possible for someone to send him an email that could possibly resend a message without recording it?

This man is 60 years old and would not have ever sent a picture like that, and also he is not very computer literate. Also note he had to fire an IT tech from over here about 2 months ago, and this guy was a programmer.

Thanks
DK

Question by:daniels48
9 Comments
 
LVL 4

Accepted Solution

by:
Shaun84 earned 500 total points
ID: 17154458
It is possible to send emails that have nothing in To and From. I have seen it before; how it is done I am not sure. The ones I have seen tend to be blank but have a coloured background (yellow, red etc.), no text at all.
The person whose machine it was sent from may have some virus infection or some security hole that allowed someone in.
I would first check for a virus infection and then check if any firewalls or anything has been disabled.

If you have an Exchange server that runs the mail, it may be worth checking this as well.
0
 
LVL 14

Expert Comment

by:ECNSSMT
ID: 17154555
Addressing the conspiracy theory first; let's not jump to conclusions point fingers (although the scenario is a possibility) and completely miss the boat that at worst there may possibly be a security breach here. At best it's an incident of unusual SPAMming.

Just in case it's a virus or trojan, scan the laptop with any AV product. See if the user has any attachments with code embedded in them.

Have the user change his password, just in case someone knows his password; and the password should be changed to something that can't be discovered with a dictionary attack.

If you think that this programmer knows any passwords that can gain him entry to your system as an admin or even normal user, change them. As a matter of fact, if you didn't implement a password expiration scheme for the company, this may be a good opportunity to do it.

Can't think of anything else off the top of my head, but the general idea is you want to outline your threat scenario and take steps to stop any further incursions...  It is going to be backtracking the breach....

Regards,
0
 
LVL 97

Expert Comment

by:war1
ID: 17154582
Greetings, daniels48 !

This sounds like the fired programmer has put a trojan virus or rootkit in the computer. You can reinstall the operating system or try to look for the trojan. Check for virus and adware.

Housecall Online Scan
http://housecall.antivirus.com
or
Panda Activescan
http://www.pandasoftware.com/products/activescan.htm
or
Kaspersky Virus Scan
http://www.kaspersky.com/virusscanner

Spy Sweeper
http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10405877.html
or
Ewido
http://www.ewido.net/en/
or
SpyBot S&D searches your harddisk for so-called spy- or adbots;
http://security.kolla.de/
or
Adaware
http://www.lavasoftusa.com/software/adaware/

3. If still no joy, download HijackThis

http://www.majorgeeks.com/download3155.html

Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/ and click Analyse, Save.  Post a link to the saved list here.


Best wishes!
0
 
LVL 14

Expert Comment

by:ECNSSMT
ID: 17154586
sheesh, gotta read before I press Submit...

I meant

addressing the conspiracy theory first; let's not jump to conclusions by pointing fingers... ugh...
0

 
LVL 97

Expert Comment

by:war1
ID: 17154595
daniels48,

Check for Rootkit
Rootkit Revealer
http://www.sysinternals.com/Utilities/RootkitRevealer.html
or
F-Secure Blacklight
http://www.f-secure.com/blacklight/try.shtml
0
 
LVL 4

Expert Comment

by:Shaun84
ID: 17154714
It could be spam (I thought that as well), but reading the post:
There was a sent message from someone's machine at the same time someone else received it. This opens the possibility that on the PC of the person that sent the email there could be a viral infection or security hole.
I would remove the machine from the network (in case there is a virus and it spreads through the network) and run a full virus scan.
0
 
LVL 97

Expert Comment

by:war1
ID: 17177190
daniels48, any update?
0
 

Author Comment

by:daniels48
ID: 17183503
Well, we just found that although the message wasn't sent by the user's machine, I logged onto his account and there was the sent message in question, and there were about 50 sent messages, so it looks like someone had his email password. So I changed it, and I am still looking for another blank message to try and expand the headers. I ran the rootkit and found nothing. I had found another blank message on the web access and opened it, and all kinds of activity was happening on the lower left of my screen. I went to my email just to compare and I see nothing happening below when opening an email online. The user deleted it before I could grab it and expand the headers. Sheesh! Thanks everyone for your help... I ran about four antivirus programs and see nothing; also HijackThis didn't show anything that I could tell. Like I said, I finally got the user to leave his mail alone so I can still see if I can capture one of the blank messages before I give him a new email address.


DK
0
 

Author Comment

by:daniels48
ID: 17198574
Closing this trouble; haven't seen any more blank messages and the home office has all the information. Hope they try and pursue it, although I'm not sure if they can find an IP that it was logged into when whoever it was that did this.


Thanks for everyone's help
DK
0
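
Once one of the blank messages is saved with its full headers, the Received chain shows where it entered the mail system, which is what expanding the headers and looking for a login IP in the thread are after. The following is an added example, not part of any post; the sample message, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: a blank message as saved with full headers.
# Hosts and addresses are placeholders; nothing here comes from the thread.
RAW = """\
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby mail.example.com with ESMTP id A1; Fri, 21 Jul 2006 00:20:41 +0300
Received: from webmail.example.org (webmail.example.org [203.0.113.5])
\tby mx.example.org with ESMTP id B2; Fri, 21 Jul 2006 00:20:39 +0300
Received: from [198.51.100.77] by webmail.example.org with HTTP;
\tFri, 21 Jul 2006 00:20:37 +0300
From: user@example.org
To: hr@example.com
Date: Fri, 21 Jul 2006 00:20:37 +0300
Subject:
Content-Type: text/plain

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(msg):
    """Received headers oldest-first as (ip or None, datetime or None)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        ip = IP_RE.search(flat)
        try:                                    # the timestamp follows the last ';'
            when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (IndexError, TypeError, ValueError):
            when = None
        hops.append((ip.group(1) if ip else None, when))
    return hops

def triage(raw, known_client_ips):
    """Summarise where a captured message entered the mail system."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    origin_ip, origin_time = hops[0] if hops else (None, None)
    times = [t.timestamp() for _, t in hops if t is not None]
    subject = (msg.get("Subject") or "").strip()
    return {
        # Only hops stamped by servers you run are reliable; older ones can be forged.
        "origin_ip": origin_ip,
        "origin_time": origin_time,
        "from_known_machine": origin_ip in known_client_ips,
        "blank": not subject and not msg.is_multipart() and not msg.get_payload().strip(),
        "hops_in_time_order": times == sorted(times),
    }
```

Calling `triage(RAW, known_client_ips={"192.0.2.25"})` with the laptop's address in the set shows whether the earliest hop matches the user's own machine or some other client.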
