Solved

Email changing outlook 2003/exchange 2010

Posted on 2012-03-20
18
508 Views
Last Modified: 2012-03-21
If user X sends user Y an internal email using the corporate exchange 2010 server. If say for example the text of the email body changed somewhere (both use outlook 2003 to send and receive email), how could you see who edited the actual email body, i.e the sender or the recipient?

Say user Y has an email in there sent box with one version of the email. And user X has it in their inbox with a totally different email body text, how could/can you check which one of them maliciously edited the email body text?

I.e.

Could it be user Y sends and email, then decides “Oh no I didn’t mean to send that that will get me in trouble I’ll edit my sent email and then blame then on changing it maliciously at their end”.

Or could it be user X receiving the email, then decides “Ah I’ll change this and report on them for sending inappropriate email” so decides to edit the email in their inbox and then leave it there – and then as the sender has deleted their sent email and emptied trash can and its expensive to restore a backup etc etc etc

What audit logs show amendments to email body text and/or attachments? Can you assist on how or where audit logs or modification may be shown? Be it on the client side or on the exchange server side?

How can you prove the item in the sent box and the item in the recipients inbox, if they don’t match – how can you prove who was being naughty and editing it?
0
Comment
Question by:pma111
  • 9
  • 5
  • 4
18 Comments
 

Accepted Solution

by:
William Boyd earned 250 total points
ID: 37742715
A user can't typically edit a message in their inbox.  Obviously, they can make changes when they forward it, but if the message is resident in the inbox then it should not generally be able to be changed.

I think what you're looking to achieve is "non repudiation"...a $10 word that basically means that once a message is sent, the sender cannot deny sending it. That typically requires signatures.  The upside to this setup is that the content of a signed message cannot be changed without stripping off the signature.

The issue that you'll probably run in to - even if your backups are good enough for you to pull each message from the Exchange logs and reverse-read the trail to find the anomaly - is that the sender can always claim that he or she was compromised in some fashion.  While each user has an individual account, there's always the chance that an account could be accessed by someone else (either an unlocked and unattended workstation or an actual break-in).  While it isn't necessarily likely, it is plausible enough to preclude "proof".

Digital signatures can be implemented in conjunction with two-factor authentication if you're looking for a way to enable your infrastructure to facilitate non-repudiation.  Natively, though, there are simply limits to what you can feasibly "prove".

Disclaimer - as a government employee, we have some pretty strict rules about how far we can dig before calling in a legal authority.  I am not familiar with what privacy laws mandate outside of our circles, but to dig in and look to that level of depth for us without a legal mandate (such as a warrant) would be a no-no.
0
 
LVL 7

Assisted Solution

by:abdulalikhan
abdulalikhan earned 250 total points
ID: 37742723
You can modify the view and add columns in outlook to see who modified it and when. The columns which needs to be added are,

Changed By
Modified

If the email dont exist you can trace the message through Message Tracking.

If the HTML is changed to Plain text then their is some other issue might be related Anti-virus on Mailing server.
0
 
LVL 3

Author Comment

by:pma111
ID: 37742729
I just opened an email in my inbox (outlook 2003), right clicked the email, chose "edit message" from the popup menu, and then file > save and its changed it.
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37742736
Yes.

Now you add the column in the through the view and check when modified and who modified.
0
 
LVL 3

Author Comment

by:pma111
ID: 37742745
>>abdulalikhan

Are you on about "field choser"? I cant see the 2 fields you mention, what version of outlook are you using?
0
 

Expert Comment

by:William Boyd
ID: 37742820
Right-click on the bar above your messages (From, Subject, Received) and select "Field Chooser".  In the drop-down that pops up, select "All Mail Fields".  This is where you will find "Modified" and "Changed By".

Your changed message...is still in your Inbox?  Or did it save in Drafts?  I am admittedly handicapped because I am working with Outlook 2010.  If a message can be changed in the Inbox that way, then either we have always had a GPO to disallow this, or I am just undereducated...  :-)
0
 
LVL 3

Author Comment

by:pma111
ID: 37742824
For some reason - modified date/time seems accurate, but "changed by" just seems blank? Any idea why?
0
 

Expert Comment

by:William Boyd
ID: 37742962
Mine does the same thing.  It either shows my own name or nothing.
0
 
LVL 3

Author Comment

by:pma111
ID: 37742984
It seems to be a machine issue. I tested 5 mailboxes from 5 individuals. 2 of these have the same device, the other 3 have a different device. On 2 the modified and changed by field is accurate. On the other 3 the modfiied updates if you edit it but the changed by stays blank. Weird!
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Expert Comment

by:William Boyd
ID: 37743002
Are any using PST files?  That could have an effect.
0
 
LVL 3

Author Comment

by:pma111
ID: 37743042
All have a PST open but the edited by was in the inbox not the PST archive.
0
 
LVL 3

Author Comment

by:pma111
ID: 37743066
I wonder if you can view "changed by" on the server side, albeit I cant access exchange like an admin.
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37743246
I am using outlook 2010 in cached mode and can see the proper user modifed name and change date.

I assume blank means it is the default message which means not modified and when you change it yourself then your name is displayed.
0
 
LVL 3

Author Comment

by:pma111
ID: 37743254
>>I assume blank means it is the default message which means not modified and when you change it yourself then your name is displayed.


No, when I modify it the modified date changes but the changed by name doesnt change at all, i.e. it remains blank. I am not sure how to check if I am running "cached mode" but I am using 2003 not 2010. How can I check?
0
 
LVL 3

Author Comment

by:pma111
ID: 37743308
I think I am running cached mode. Maybe I'll untick that and see if it makes a difference.
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37743318
Ok Share your findings. Also see what SP level you are working on. Please update the lastest Service pack for office.
0
 
LVL 3

Author Comment

by:pma111
ID: 37746174
Yes, unticked use cached mode, restart outlook, edit an email and it works!
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37746203
Thats good.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

If you don't know how to downgrade, my instructions below should be helpful.
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now