Novell Cool Solutions: Tip
Posted: 18 May 2001
Versions: GroupWise 5.5 EP, GroupWise 6
We recently published this Q&A and have gotten a few stealthy ideas to add to the mix. If you have any other ideas, please let us know.
Mike B. (Secret Agent Man) wrote: Here's the scoop. I have a management directive to intercept/monitor a certain user's e-mail. They are being investigated for theft of company secrets. How can I monitor/intercept this person's e-mail to "audit" their account? I guess what I'm looking for is this:
- Force a bcc: to an account of my choice for this user, or
- Force ALL this user's e-mail to go through my SMTP Gateway, where I have this capability, or
- A tool that allows me to copy the person's message database to a machine and extract the contents.
Any ideas?
Connecting to a backup copy of the post office is probably the best way to ensure you are seeing everything the user sees. In GroupWise 6 this gets a little easier to do, but there is no "secret agent man" tool. GroupWise is designed to be a system an end user can trust with their innermost thoughts, appointments, and secret tasks, so the engineers didn't put in any easy ways to spy on them. That being said, we do have some pretty stealthy admins out there, and we're guessing some of them have secrets they could share. Anyone from the CIA care to comment?
- Corey Reynolds
- Christie Nader
- Syed Quadri
- Michael Gardner
- Thomas Salzman
- Jim Cusson
- Christopher Scott
- Michael Byrd
- Chris Holk
- Jack Gerbs
There's a TID that explains how to allow GWIA to keep a copy of all incoming and outgoing messages. Then he can use the Windows Find command to search the contents of all the files for the user name he is spying on. The user will have no idea this is happening, no matter what workstation he is using or even if he tries sending e-mail via WebAccess.
Here's what it says in TID 10016328:
To trap GroupWise version 5.5 or later revisions of GroupWise Internet Agent's (GWIA) inbound or outbound messages, follow these steps:
- Double-click the GWIA object (details on the GWIA object) in NWADMN32 (hereafter referred to as NWADMIN).
- Select the "Server Directories" Tab, then select Advanced.
- Enter a path such as \\server\volume\GW5\DOMAIN\WPGATE\GWIA\THIRD.
- Select OK.
- Create this directory (THIRD) manually.
- Exit and then restart GWIA. The restart message sent to GWIA from NWADMIN will not cause GWIA to read the GWIA.CFG files.
- Confirm that GWIA created the SEND, RECEIVE, and RESULT directories under the GWIA\THIRD directory.
Inbound messages will accumulate in the \WPGATE\GWIA\THIRD\RECEIVE directory. Outbound messages will accumulate in the \WPGATE\GWIA\SEND directory.
After the necessary message files have been trapped for troubleshooting purposes:
- Delete the path specified in "Server Directories", "Advanced" field.
- Copy any valid inbound messages from the GWIA\THIRD\RECEIVE directory to the GWIA\RECEIVE directory.
- Exit and restart GWIA.
Note: The SMTP daemon will patrol the THIRD\SEND directory and deliver any outbound messages that are put there.
Here's another idea. Aside from grabbing a backup (which, if it's nightly, the user may have already deleted incriminating e-mail prior to the backup), you can give yourself or some manager proxy access.
Kill the user's GroupWise password, use the "grpwise.exe /@u-username" command to enter their mailbox. Go into Tools, Options, Security, Proxy Access and give yourself/whomever access to their entire mailbox. When the user calls to say their password is missing from GroupWise, just give the canned answer of "Oh, the maintenance utility may have found a problem with your mailbox last night and while fixing the problem, stripped your password. You can go ahead and reset it."
Most users don't even know how to set Proxy Access, so the user would probably have no clue somebody had full proxy access to their mailbox. And if you think this is illegal, it's certainly not in my company! We all sign forms stating that nothing is private.
There are a few ways that this can be done.
You can physically go into a user's mailbox by running the GroupWise executable with the following switch: GRPWISE.EXE /@u-<userid>. For this to work, the POA security level has to be set to low and the GroupWise account can't have a password, but as administrators, we have the luxury of clearing a user's GroupWise password.
The second way is to give yourself proxy rights to the user's account and set up notifications to notify you.
The third way is to create a rule to forward all incoming e-mails to a specified account. You probably want to turn off the feature from Gwclient/Nwadmin under tools/clientoptions, send, advanced for creating a sent item to track information, and probably put a lock on that feature, so that the user doesn't see any of this happening.
If you want to see GWIA e-mails, there is a whole other way this can be done, which is fully foolproof, but it can't be applied to internal e-mails.
None of these methods is foolproof, but an average end user won't have a clue as to what's going on. (Just to let you know, I don't work for the CIA.)
You can gather a great deal of information about a user's Internet e-mail activities using e-Mail Xtras software, including their gateway reporter. I am asked repeatedly by admins and directors to produce these types of reports on users and their activities. All data can be exported to Excel and put together nicely. The data includes the size of the e-mail, who it was to, the subject line, and will show you how frequently and when they send their e-mails. The URL for this site is: www.emailxtras.com. Their software has definitely made my job of reporting a whole lot easier!
There is another way which will also take care of other issues your company might have with viruses. Guinevere is a product which Cool Solutions has talked about before. It will allow you to keep a copy of all incoming and outgoing internet messages. I am testing it out now and it has worked nicely. I have been archiving all internet e-mail for 2 weeks. It will do a bunch of other stuff and is supposed to work with GroupWise 6.
Note: Cool Reader Sander Visser also vouches for Guinevere's ability to make copies for incoming and outgoing internet e-mails.
Guinevere will allow you to set up a rule to archive incoming/outgoing mail or to send a copy to another user. Guinevere will allow you to do this for specific users, versus having to capture all messages and then find the ones you need/want.
Aside from changing the password on the account, it is possible to catch every piece of e-mail going in and out of the company. This doesn't work for internal mail, but if the question is about e-mail to someone outside the company, then just place a monitoring computer between the e-mail gateway and the Internet. You can then use a packet analyzer to capture the SMTP packets. After capturing the SMTP packets, you can open them up in a text editor and search for the person you are monitoring. This will take you directly to every e-mail they send or that is sent to them. I use the NetBoy Suite from NDG Software. It has a great packet analyzer. Using this method, no user will know you are monitoring unless you tell them so.
One side note, you won't be able to read the attachments. They will already be encoded, but you will be able to read the entire text message.
There is a very simple solution to this problem. I work for the Auditor's office for the State of Ohio so we don't have a problem with anyone e-mailing company secrets.
However, we do have users that want to recover deleted e-mail(s). But when you use GWCHK32.exe to "Re-create User Database", the user is left with all of their e-mails that could possibly be recovered. Also, "Re-create User Database" puts all of the e-mails in the cabinet folder.
Therefore, I have set up the following procedure to recover only select e-mails. However, this procedure could also be used to check to see what a user is sending and receiving in their e-mail account without the user's knowledge, but we have never used it for that purpose.
Step 1. Using GWCHK32.exe do a "Structural Rebuild" on the user's GroupWise account. When you do a structural rebuild on a user's GroupWise account it produces a backup file of the user's user<fid>.db file. The name of the user's original user<fid>.db file will be renamed to user<fid>.db<a-9>.
Step 2. Rename, copy or do whatever steps you think necessary to preserve the user<fid>.db<a-9> file created in step 1.
Step 3. Using GWCHK32.exe do a "Recreate User Database" on the user's GroupWise account.
Step 4. Remove the user's password.
Step 5. Go into the user's GroupWise account and select the e-mail(s) that you are trying to retrieve and forward them to another e-mail account.
Step 6. Delete or rename the user's user<fid>.db file.
Step 7. Rename the user<fid>.db<a-9> file created in step 1 to user<fid>.db.
Step 8. If you are just wanting to recover select e-mail(s), forward the e-mail(s) from step 5 back to the user's GroupWise account.
Note: Since the user's GroupWise password is kept in the user<fid>.db file, if you want to hide the fact that you were in a user's GroupWise account, the user would never know that you were in their GroupWise account, because you never changed or removed the password from the user's original user<fid>.db file.
Feedback About this Article
Do you really think it is a good idea to tell or spell out to the end user how to access another user's account? Granted, the switches are in Help, but come on. Let's not spell it out. Hopefully we all have passwords set or have enforced the use of passwords in GroupWise. For those sites that don't enforce security or make use of low security, don't you think you might have just opened Pandora's box?
Editor's Note: Yes, we had a lot of debate around here before running this piece. There are good arguments on both sides. We have received a lot of e-mail from people who suspect their sys admins or power users are secretly reading their confidential e-mail. In one case, there were printouts being taped to the walls of one office building, containing some very steamy private stuff, and the people in that company didn't have any idea how someone could get into their mailboxes and do this. They hadn't bothered to set passwords because they thought it was inconvenient to type it in, and were horrified to learn how easy it is to access unprotected mailboxes. We explained that it didn't have to be someone with admin rights who was peeking at their e-mail. If they hadn't set a password, any smart user could get into their box if they could guess their user name.
On the other hand, we've also heard from a large number of admins who need to know how to monitor e-mail to catch industrial spies.
It's a delicate balance, we know. In the end, we hope that educating users and admins alike will create a healthy awareness of the importance of setting and periodically changing passwords, and will also allow companies to protect their intellectual property.
I think that after 3 weeks plus of reading how to intercept GW e-mail, you need to state that it may be illegal to do so. Depending on the company's written policy and the acceptance of those policies by employees, intercepting e-mail messages may leave you (the network admin) and your company open for potential criminal exposure. There is a lot of case law around the Electronic Communications Privacy Act of 1996. This act does protect e-mail. There are ways around the act, but it is best to make sure you are covered before finding yourself in either a civil or criminal case.
Editor's note: There is indeed a great deal of debate raging around this issue, and it is important that your company's employment policies are carefully written to protect you and the company against exactly the kind of litigation Jack describes. In this article, we are assuming that your HR and Legal departments have taken care of this essential duty, and that when they turn to you as a system administrator to help them protect their intellectual property the process is legal and fair. You should contact your Human Resources director if you have any questions about the policies in effect in your company, and make sure that they are aware of this important issue.
For more information about this issue see:
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com