I had a client yesterday that has 6 users with mailboxes on an Exchange 2007 SP1 server call me to say 3 of the users had lost all of their email, contacts, etc. on the computers that they always used, without doing any recent configuration changes, but that they continued to get new email. The Exchange server is kept locked in a room where only the "owner" has access to it when he needs to, which is not very often, as usually it just sits there doing its thing like it is supposed to do. The administrator account is also protected by a fairly complex password.

When I got there I could not find anything wrong with the server or Exchange, or anything in the event logs giving me a clue as to what happened. I suspect that someone knew the passwords for these 3 users and decided to log on as them and delete their email. The users are remote users that use OWA or Outlook via VPN client to access email.

I was able to restore all their email from a backup from the day before so that they had minimal losses of email, but I had no explanation of what happened for the client. I did tell him that the passwords for those users needed to be changed ASAP, though he did not want me to do it right away and said that he would do it later. He did mention, after some questioning, that the users were using a common simple password, which reinforces my suspicions that someone decided to get revenge or whatever. There were no failed logon events in the security log to indicate a more random type of attack.

Anyhow, does anyone have another plausible explanation of what may have happened, and is there any way on the Exchange server to track email deletions so that I can look more into what happened at what time? The users that this happened to are all remote users in different locations, so it was not possible for me to examine their laptops. Thanks for any help.

Steve
On Jul 24, 7:46 pm, "Steve" wrote:

> I had a client yesterday that has 6 users with mailboxes on an Exchange 2007 SP1 server call me to say 3 of the users had lost all of their email, contacts, etc. on the computers that they always used, without doing any recent configuration changes, but that they continued to get new email. The Exchange server is kept locked in a room where only the "owner" has access to it when he needs to, which is not very often, as usually it just sits there doing its thing like it is supposed to do. The administrator account is also protected by a fairly complex password.
>
> When I got there I could not find anything wrong with the server or Exchange, or anything in the event logs giving me a clue as to what happened. I suspect that someone knew the passwords for these 3 users and decided to log on as them and delete their email. The users are remote users that use OWA or Outlook via VPN client to access email.
>
> I was able to restore all their email from a backup from the day before so that they had minimal losses of email, but I had no explanation of what happened for the client. I did tell him that the passwords for those users needed to be changed ASAP, though he did not want me to do it right away and said that he would do it later. He did mention, after some questioning, that the users were using a common simple password, which reinforces my suspicions that someone decided to get revenge or whatever. There were no failed logon events in the security log to indicate a more random type of attack.
>
> Anyhow, does anyone have another plausible explanation of what may have happened, and is there any way on the Exchange server to track email deletions so that I can look more into what happened at what time? The users that this happened to are all remote users in different locations, so it was not possible for me to examine their laptops.
All I can think of, and it won't help you after the fact now, is that you could set up a server-side script to trigger on a delete event. But you'd have to assign it to every single folder of every person's mailbox.
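For the "what happened at what time" part of the question: since the affected users reach the mailbox through OWA, the IIS logs on the Exchange 2007 Client Access server record every authenticated OWA request with the user name, client address and timestamp, even when the mailbox store itself keeps no deletion history. The script below is an added example, not code from this thread; it assumes W3C extended logging with the cs-username and c-ip fields enabled on the OWA virtual directory, and the log lines it parses are constructed sample data, not a real capture.

```python
"""Summarise authenticated OWA activity per user from an IIS W3C log.

Added example (not from the thread). Assumes W3C extended logging on the
OWA virtual directory with at least: date time cs-method cs-uri-stem
cs-username c-ip sc-status. Field order is taken from the #Fields header.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; addresses are documentation ranges, not real.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2008-07-23 08:02:11 GET /owa/ CORP\\jdoe 203.0.113.10 200
2008-07-23 08:02:40 POST /owa/ev.owa CORP\\jdoe 203.0.113.10 200
2008-07-23 22:15:03 GET /owa/ CORP\\jdoe 198.51.100.77 200
2008-07-23 22:16:12 POST /owa/ev.owa CORP\\jdoe 198.51.100.77 200
2008-07-23 22:16:15 POST /owa/ev.owa CORP\\jdoe 198.51.100.77 200
2008-07-23 09:10:00 GET /owa/ CORP\\asmith 203.0.113.11 200
2008-07-23 09:30:00 GET /owa/ - 203.0.113.12 401
"""

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines the column order
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):          # skip malformed lines, never misalign
            yield dict(zip(fields, parts))

def owa_activity(text, users):
    """Per user: {client ip: {first, last, requests}} for successful OWA requests."""
    wanted = {u.lower() for u in users}
    summary = defaultdict(dict)
    for rec in parse_w3c(text):
        user = rec.get("cs-username", "-")
        if user == "-" or rec.get("sc-status") != "200":
            continue                           # anonymous or failed requests carry no identity
        if not rec.get("cs-uri-stem", "").lower().startswith("/owa"):
            continue
        short = user.split("\\")[-1].lower()   # DOMAIN\user -> user
        if short not in wanted:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        entry = summary[short].setdefault(rec["c-ip"], {"first": ts, "last": ts, "requests": 0})
        entry["first"], entry["last"] = min(entry["first"], ts), max(entry["last"], ts)
        entry["requests"] += 1
    return summary

def unfamiliar_sources(summary, known_ips):
    """(user, ip) pairs where a mailbox was used from an address outside the known set."""
    return sorted((u, ip) for u, ips in summary.items() for ip in ips if ip not in known_ips)
```

Run against the real logs for the day in question, the time window of an unfamiliar source address for an affected user is where to correlate with the backup state and with the VPN concentrator's own logs for the Outlook users.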
Thanks for that info Ross. I have not heard back from him so I guess the problem has not reappeared.

Steve

"Ross Presser" wrote in message news:d9046562-d142-45e6-a6a1-667518db2047@j33g2000pri.googlegroups.com...
> All I can think of, and it won't help you after the fact now, is that you could set up a server-side script to trigger on a delete event. But you'd have to assign it to every single folder of every person's mailbox.