I have just taken over a new client and completed what I felt was a reasonable change over by ensuring all domain admin passwords were changed, remote access changed etc and went through active directory with the new client and ensured that no users were there that didn't need to be.
Anyway they have brought it to my attention that they believe sensitve information is being leaked via email and think there is a hole somewhere, so I dug deeper and did some message tracking and found that exchange 2007 had the journalling feature enabled and set to globally record all messages. Now this is a small organisation and my understanding for jounalling is for Legal and Archival purposes, neither of which appears neccessary for this group.
I wondered if there was a way to check if the journaling email was being remotely accessed via webmail or any other way to ascertain if this email is being misused. beyond confirming that the feature is enabled I can't really prove any maliciious activity. I haven't changed the password yet in the hope of discovering a way to track it.