Security Problem: Outlook 98 / Exchange 5.5 lets users change contents of email messages

Post by Alistair Johnson & Gaby Brow » Tue, 13 Apr 1999 04:00:00



I'm unsure if this is a known feature of Outlook 98 / Exchange 5.5 but ...

Having recently set up our Exchange Server we were sending some messages
back and forth for testing purposes.  Using Outlook 98 as our client we
discovered that we could open messages we had received, make changes and
then choose File / Save to save these messages back to Exchange.

There was no evidence that we could find that the message had been tampered
with.  Now we are questioning the viability of our planned migration from
GroupWise -> Exchange, as non-repudiation of email is a fundamental
requirement.

Is this a known bug / feature & if so is there a workaround / configuration
setting to remove the possibility of making this sort of change?

Hope somebody can help,

Alistair

Post by spamsucks>spridl » Tue, 13 Apr 1999 04:00:00


Are u logged into the test machine as a test user or as ur self.. The reason I
ask is if you're logged into the computer as yourself you will have rights to
the Exchange machine.. and the ability to save to the server..


> I'm unsure if this is a known feature of Outlook 98 / Exchange 5.5 but ...

> Having recently set up our Exchange Server we were sending some messages
> back and forth for testing purposes.  Using Outlook 98 as our client we
> discovered that we could open messages we had received, make changes and
> then choose File / Save to save these messages back to Exchange.

> There was no evidence that we could find that the message had been tampered
> with.  Now we are questioning the viability of our planned migration from
> GroupWise -> Exchange, as non-repudiation of email is a fundamental
> requirement.

> Is this a known bug / feature & if so is there a workaround / configuration
> setting to remove the possibility of making this sort of change?

> Hope somebody can help,

> Alistair

Post by Alistair Johnson & Gaby Brow » Wed, 14 Apr 1999 04:00:00


Both as myself (with administrator privileges) and as a test user (without
administrator privileges).

It's quite perplexing.  I've searched Technet & the Microsoft manuals we
have, but can't find a description of the issue I face.  I gather this is
not usual behaviour for a MS Exchange server?

Alistair.



>Are u logged into the test machine as a test user or as ur self.. The reason I
>ask is if you're logged into the computer as yourself you will have rights to
>the Exchange machine.. and the ability to save to the server..


>> I'm unsure if this is a known feature of Outlook 98 / Exchange 5.5 but ...

>> Having recently set up our Exchange Server we were sending some messages
>> back and forth for testing purposes.  Using Outlook 98 as our client we
>> discovered that we could open messages we had received, make changes and
>> then choose File / Save to save these messages back to Exchange.

>> There was no evidence that we could find that the message had been tampered
>> with.  Now we are questioning the viability of our planned migration from
>> GroupWise -> Exchange, as non-repudiation of email is a fundamental
>> requirement.

>> Is this a known bug / feature & if so is there a workaround / configuration
>> setting to remove the possibility of making this sort of change?

>> Hope somebody can help,

>> Alistair

Post by Neil Whit » Wed, 14 Apr 1999 04:00:00


It is normal behavior of Exchange Server to allow the recipient to modify a
received message and save it back to the Server.

If a sender does not want this to happen, they have to select the option to
make the message private. See following Extract from MS Outlook Help:

Mark a message as private, personal, or confidential

1. In the message you want to set the sensitivity level for, click Options.
2. In the Sensitivity box, click the option you want.

Notes

Marking a message Private prevents the message from being modified after
you send it.
You can mark all of the messages you send with the same sensitivity level.
On the Tools menu in the main window, click Options, click the Preferences
tab, and then click E-Mail Options. Click Advanced E-Mail Options, and then
in the Set sensitivity box, click the sensitivity level you want.

Neil


>I'm unsure if this is a known feature of Outlook 98 / Exchange 5.5 but ...

>Having recently set up our Exchange Server we were sending some messages
>back and forth for testing purposes.  Using Outlook 98 as our client we
>discovered that we could open messages we had received, make changes and
>then choose File / Save to save these messages back to Exchange.

>There was no evidence that we could find that the message had been tampered
>with.  Now we are questioning the viability of our planned migration from
>GroupWise -> Exchange, as non-repudiation of email is a fundamental
>requirement.

>Is this a known bug / feature & if so is there a workaround / configuration
>setting to remove the possibility of making this sort of change?

>Hope somebody can help,

>Alistair

Post by Alistair Johnson & Gaby Brow » Fri, 16 Apr 1999 04:00:00


In response to Alistair's query about modifying received email messages Neil
White said:

>It is normal behavior of Exchange Server to allow the recipient to modify a
>received message and save it back to the Server.  If a sender does not
>want this to happen, they have to select the option to make the message
>private.

Not allowing someone to modify a received email message is exactly the sort
of behaviour I would expect from an Email system.  However, having to mark a
message 'private' to achieve this behaviour is somewhat undesirable (given
the implications for collaboration).

Is there any way to enable this functionality on the Client or Server
without marking a message 'private'?

Alistair.

Post by Neil Whit » Fri, 16 Apr 1999 04:00:00


In Outlook 98 you can set the options so that all messages sent by the user
(in that Outlook Profile) are marked as Private.

1. From the Tools menu select Options.
2. In the Preferences page click on the E-mail Options button.
3. Click on the Advanced Options button.
4. Select the Sensitivity to "Private".

You have to bear in mind though that this is only going to work within
Exchange. Any mail sent out to or received from the Internet may not have
this set (unless they happen to be generated/received by a compatible
Exchange Server system). My experience is that most mail systems do allow
for original messages to be modified and saved.

Neil


>In response to Alistair's query about modifying received email messages Neil
>White said:

>>It is normal behavior of Exchange Server to allow the recipient to modify a
>>received message and save it back to the Server.  If a sender does not
>>want this to happen, they have to select the option to make the message
>>private.

>Not allowing someone to modify a received email message is exactly the sort
>of behaviour I would expect from an Email system.  However, having to mark a
>message 'private' to achieve this behaviour is somewhat undesirable (given
>the implications for collaboration).

>Is there any way to enable this functionality on the Client or Server
>without marking a message 'private'?

>Alistair.

Post by Chris Schar » Mon, 19 Apr 1999 04:00:00


Hmm.. must be an interesting company to work for if that's a concern.
There is a field named last modified, which can be added to the folder
view in Outlook. Messages which have been altered will have a modified
date later than the received date.

Chris Scharff
Exchange Administrator
BV Solutions Group

#include std_disclaim.h


to have said:

>I'm unsure if this is a known feature of Outlook 98 / Exchange 5.5 but ...

>Having recently set up our Exchange Server we were sending some messages
>back and forth for testing purposes.  Using Outlook 98 as our client we
>discovered that we could open messages we had received, make changes and
>then choose File / Save to save these messages back to Exchange.

>There was no evidence that we could find that the message had been tampered
>with.  Now we are questioning the viability of our planned migration from
>GroupWise -> Exchange, as non-repudiation of email is a fundamental
>requirement.

>Is this a known bug / feature & if so is there a workaround / configuration
>setting to remove the possibility of making this sort of change?

>Hope somebody can help,

>Alistair

Post by Rich Matheisen [MV » Tue, 20 Apr 1999 04:00:00



>Hmm.. must be an interesting company to work for if that's a concern.
>There is a field named last modified, which can be added to the folder
>view in Outlook. Messages which have been altered will have a modified
>date later than the received date.

And if non-repudiation is an issue then they should be using digital
signatures on the messages. That's what they're for.

------------------
Rich Matheisen
MCSE, Exchange MVP
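
Added example, not part of the original thread: the digital-signature approach suggested above, shown with OpenSSL S/MIME clear-signing, where an edit made after delivery causes verification to fail. The signer address, file names and message text are constructed for the demonstration, and a throwaway self-signed certificate stands in for one issued by a real CA.

```shell
# Added example: S/MIME clear-signing makes post-delivery edits detectable.
# All names, addresses and message text below are constructed for the demo.

workdir=$(mktemp -d)

make_identity() {   # throwaway self-signed signer certificate (demo only)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=sender@example.test" \
    -keyout "$workdir/key.pem" -out "$workdir/cert.pem" 2>/dev/null
}

sign_message() {    # $1 = body text; writes a multipart/signed message
  printf '%s\n' "$1" > "$workdir/body.txt"
  openssl smime -sign -text -in "$workdir/body.txt" \
    -signer "$workdir/cert.pem" -inkey "$workdir/key.pem" \
    -out "$workdir/signed.eml" 2>/dev/null
}

verify_message() {  # $1 = message file; prints VALID or INVALID
  # -CAfile names the trust anchor; here it is the demo certificate itself.
  if openssl smime -verify -in "$1" -CAfile "$workdir/cert.pem" \
       -out /dev/null 2>/dev/null; then
    echo VALID
  else
    echo INVALID
  fi
}

edit_after_delivery() {  # simulate the recipient's "open, change, save"
  sed 's/100 units/900 units/' "$workdir/signed.eml" > "$workdir/edited.eml"
}

make_identity
sign_message "Please ship 100 units to the usual address."
edit_after_delivery
echo "as sent:   $(verify_message "$workdir/signed.eml")"
echo "as edited: $(verify_message "$workdir/edited.eml")"
```

The Last Modified column mentioned earlier is metadata kept by the mail store, whereas this check depends only on the sender's key and the message bytes.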

 
 
 

Post by Chris Schar » Tue, 20 Apr 1999 04:00:00


True since it's fairly easy to forge an SMTP message in the first
place... good thinking Rich.


rumored to have said:


>>Hmm.. must be an interesting company to work for if that's a concern.
>>There is a field named last modified, which can be added to the folder
>>view in Outlook. Messages which have been altered will have a modified
>>date later than the received date.

>And if non-repudiation is an issue then they should be using digital
>signatures on the messages. That's what they're for.

>------------------
>Rich Matheisen
>MCSE, Exchange MVP

Post by Kirill S. Palagi » Tue, 20 Apr 1999 04:00:00


But a message which never came from outside ExchServ is not an SMTP message and
it _should_ be difficult (or at least not that easy) to play with it.

> True since it's fairly easy to forge an SMTP message in the first
> place... good thinking Rich.


> rumored to have said:


> >>Hmm.. must be an interesting company to work for if that's a concern.
> >>There is a field named last modified, which can be added to the folder
> >>view in Outlook. Messages which have been altered will have a modified
> >>date later than the received date.

> >And if non-repudiation is an issue then they should be using digital
> >signatures on the messages. That's what they're for.

> >------------------
> >Rich Matheisen
> >MCSE, Exchange MVP