0

I support somewhere around 50 users doing both help desk as well as server administration. Just recently a manager was suspicious that their employee was automatically forwarding all of his (manager's) emails to their (employee's) personal email address. There have been two separate events that raised suspicion and they have now asked me to look into it.

As far as legality goes... in our state it is perfectly legal for an employer to look into any kind of information of an employee. By that I mean the laptop is company property, it should only be used for company purposes, and they have been warned.

The employee is very technically minded. He knows what he is doing and also has several friends that are employed as pen testers, hackers, etc. In other words, he has connections that could help him.

Does anyone know if this is even possible? It feels like a secret rule on the employer's computer that is sending all emails bcc to the employee.

Any suggestions?

squillman
Mr. Monkey
  • Please do not down vote this without even reading my question. I'm not looking to spy on anyone. I am looking for advice on if this is even possible. – Mr. Monkey Jan 17 '12 at 17:12
  • I agree it's a valid question. I've edited your title to make it a little less of a target. – squillman Jan 17 '12 at 17:17

2 Answers

2

Yes, it's possible via Outlook inbox rules. If you are in an Exchange environment they still will (or should) be routed through your corporate MTA or at least your internal SMTP relay so you should be able to easily confirm this from there. If your employees send directly to your ISP's SMTP relay then it'll be a bit more difficult to confirm. You'd have to go to the firewall logs if you have one set up.

squillman
  • Can you give me information? I do not see any rules on the employer's computer itself. It must be something hidden. We do have our own Exchange server. – Mr. Monkey Jan 17 '12 at 17:13
  • You would need to look at the Inbox Rules in the Outlook profile of the employee you suspect is forwarding the emails. To do that you'll need to be at their PC, logged in as that person. If you don't see any rules there then it's a good chance that they are just manually forwarding the messages. You could also look in their Sent Items folder, but I'm guessing that it's probably clean based on your statement that they're technically minded. – squillman Jan 17 '12 at 17:16
  • If this were me I would not send those emails to my work email. I would send them to a gmail or hotmail, or something similar. I do not suspect they are in his inbox. Does that change anything? – Mr. Monkey Jan 17 '12 at 17:40
  • "Inbox rules" is just the term Microsoft used for their rules mechanism. It unfortunately implies that they affect only the Inbox, which most of them really do but that's not always true. It's possible to set up a rule to forward newly created emails other places as they are being sent. In this case, you would look at the manager's Outlook and see if there is a rule set there. – squillman Jan 17 '12 at 17:42
  • There aren't any rules set in the employer's Outlook. – Mr. Monkey Jan 17 '12 at 18:39
  • Then I think you're pretty much at the whim of your server logs or Robin's suggestion. – squillman Jan 17 '12 at 18:49
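
The rule and log checks discussed in this answer can also be run from the server side, without logging in at either PC. The following is an added example, not part of the original answer or comments; it assumes Exchange 2010 or later with the Exchange Management Shell, and the mailbox address and internal domain are placeholders.

```powershell
# Added example: server-side checks for mail leaving the manager's mailbox.
# Placeholder values (assumptions, not taken from the thread).
$Mailbox        = 'manager@example.com'
$InternalDomain = 'example.com'

# 1. Server-side inbox rules on the mailbox that forward or redirect mail.
#    These can exist even when nothing obvious shows up in Outlook's rules dialog.
Get-InboxRule -Mailbox $Mailbox |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Format-List Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo

# 2. Forwarding configured on the mailbox object itself (not a rule at all).
Get-Mailbox -Identity $Mailbox |
    Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Accounts with explicitly granted access to the mailbox. Someone with
#    FullAccess can read the mail directly, and no forwarding is needed.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Format-Table User, AccessRights -AutoSize

# 4. Organization-wide transport rules that copy or redirect messages.
Get-TransportRule |
    Where-Object { $_.BlindCopyTo -or $_.CopyTo -or $_.RedirectMessageTo } |
    Format-List Name, State, BlindCopyTo, CopyTo, RedirectMessageTo

# 5. Message tracking: mail sent from the manager's address to any recipient
#    outside the internal domain during the last 7 days (local server's logs).
Get-MessageTrackingLog -Sender $Mailbox -EventId SEND -Start (Get-Date).AddDays(-7) -ResultSize Unlimited |
    Where-Object { $_.Recipients -notlike "*@$InternalDomain" } |
    Select-Object Timestamp, Recipients, MessageSubject
```

Step 5 only searches the tracking logs of the server the shell is connected to, so repeat it on each transport server if there is more than one.
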
1

If your switches support port mirroring, you could always mirror both the manager's port and the Exchange server, then Wireshark the traffic on it (filter to SMTP only and set it to save to file when it captures XX megabytes).

That should let you determine if emails are being copied from anywhere.

Also I would ensure the manager's PC has a setting to ask for a password when resuming from the screensaver and has a sensibly short period until the screensaver kicks in (and also advise him to lock his workstation when he leaves it) - it's surprising how people can use very simple "technology" sometimes.

Robin Gill