

Yes, I'm reading your email...
June 5, 2007 1:59 PM   Subscribe

I need a good email monitoring program for my workplace.

My workplace is having problems with employees giving vital information to one of our competitors, and it is hurting the company. I was asked by my boss (as I am the resident geek) to find a program (not a network device) that we can install on a computer to see what an individual is emailing. We don't necessarily need to keep track of incoming email, just outgoing. We are using Windows machines with Win2000 on them and we use Earthlink email with Outlook Express. Free would be great, but we can pay, so all suggestions are welcome. If we can access the data from another computer on the network, that would also be helpful. The program needs to be completely transparent so the individual won't know. Also, practical tips for keeping it from being found & removed by antivirus/antispyware programs would be nice. Thanks!
posted by tdreyer1 to Computers & Internet (14 answers total) 2 users marked this as a favorite
 
People come in all varieties of smart and stupid. I think a person would only have to be moderately smart to not send confidential data to competitors using his or her work mail, and I don't think there's a tool that will let you track someone's Gmail/hotmail/whatever unless you start talking about recording all their keystrokes or something.
posted by blueshammer at 2:03 PM on June 5, 2007


There's a name for this technique, but I've forgotten it:

Create a new piece of information. Make sure everyone knows it's important and secret. Give everyone a copy, but make sure each person gets a slightly different copy.

When the information gets out, note which copy was released, and find out whose copy it came from.
posted by odinsdream at 2:06 PM on June 5, 2007 [3 favorites]


Do you pass all traffic through a proxy or firewall on the way out to/in from the internet? If so, you could use something like GFI MailEssentials for SMTP, which is not only a spam filter for your network, but is an SMTP "trap" as well, allowing you to set up filters to CC you on inbound or outbound mail to/from specific addresses. The software could then be installed on your dedicated proxy machine, and no one would be the wiser.

If you needed an excuse to install a proxy, you could use the capabilities of the spam server filtration as a dodge, as it would actually be a worthwhile purchase for the office.

It's not free, but it does have a full-version trial period (I believe it's 30 days). If you only needed to monitor him for a little while, then it's effectively free.
posted by thanotopsis at 2:06 PM on June 5, 2007


odinsdream is referring to a Canary Trap.
posted by niles at 2:29 PM on June 5, 2007


I second GFI products. The major problem for them is that e-mail cataloging can get huge, fast, and they don't have a great system in place to deal with this. If you're only needing <6 months of data at a time, it will be doable. I found the archiving features to be lacking when I wanted it to, say, flip over every 100 GB and set the data to burn to a DVD or tape backup.
Also, I would highly recommend getting a small business server and using Exchange (very, very simple to setup and maintain) and drop the Earthlink nonsense. Set your firewall to block any mail not coming from that account.

That should help you get rid of all but the most crafty individuals, at which point the monitoring/restriction begins to get exponentially more expensive in relation to blocking achieved.
posted by geoff. at 2:38 PM on June 5, 2007


Thanks for the suggestions so far. I want to remind everyone that the solution should be individual computer based, not server or network. Thanks.
posted by tdreyer1 at 2:58 PM on June 5, 2007


As I understand it, you are using Outlook Express to send mail via Earthlink's outbound server smtpauth.earthlink.net.

First, allow me to point out that if users can run their own spyware check and remove software IT installs, you have big security holes outside of this issue.

Second, set up a basic SMTP server using any old computer on your network. This server copies messages and sends them out through the normal Earthlink smtpauth server.

On his computer, add a line to the hosts file listing your new server's IP as smtpauth.earthlink.net.

If you want to get complicated, you could assign your server an external IP and some random port (like 666).

That way, if he is a laptop user, you could capture emails sent when he isn't at work.


Alternately, you could send out a message warning all employees that network monitoring tools are being implemented and that any use of company equipment for inappropriate activities could result in termination. In other words, you could bluff.
posted by Megafly at 3:18 PM on June 5, 2007


Are you sure it's going out via your company email addresses? If I were going to commit industrial espionage, I sure as hell wouldn't use my work email account...

I think the best solution to the problem is to implement a man-in-the-middle SMTP server. All your clients connect to it and it forwards your mail to Earthlink or wherever. A simple DNS change would mean that the clients' machines would not have to be reconfigured, and then you can install whatever sniffing software you wanted on that SMTP server for later review.

Also, make sure that the users know that their internet access is being monitored - you may have to get them to sign something if it wasn't part of their employment contract as I'm not sure of the legalities of eavesdropping without knowledge.
posted by puddpunk at 4:08 PM on June 5, 2007


If you have access to the vict--I mean, employee's PC, your best bet is probably some sort of keylogger. There's no really good way to log the email that's being sent out that's not trivial to get around, or easily detectable, aside from keylogging.

I don't think this is the optimal approach -- I think that a server/network-side approach is WAY, way better, and before you go down this route, you should try to explain to the PHBs why installing software on the user's machine isn't the way to go.

But if they really want to snoop that way, rather than on the network level, I'd just install a keylogger that has some sort of remote-reporting ability (say, emailing or FTPing you the archive after a certain span of time). Then you can just use text processing tools on the resulting file to hunt for email addresses among the other text.

The keylogger file will also contain passwords and other data, and is probably about the most intrusive level of snooping you could do, save actually putting a camera in the employee's cube with them.
posted by Kadin2048 at 4:49 PM on June 5, 2007


Send important stuff to each employee with a different, invisible (1px x 1px) picture that is hosted on your server.
If you are lucky, this picture gets automatically accessed, not only by your employee, but also by the guy who gets the confidential information. Since you use a different pic for every employee, you could identify the leak...
posted by yoyo_nyc at 5:45 PM on June 5, 2007
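The canary trap odinsdream and niles describe, and yoyo_nyc's per-employee tracking image, are the same idea: every copy of a document carries a marker unique to its recipient, so a copy that turns up outside (or a marker fetched from outside) points back to one person. The example below is added here and is not code from any poster; it assumes a constructed recipient list, a constructed web-server access log in common log format, an image host at `intranet.example.com`, and an office address range of 10.x/192.168.x. Tokens are derived with an HMAC over the recipient's address so nobody can guess or forge another person's marker and no lookup table has to be stored.

```python
import hashlib
import hmac
import re

# Constructed server-side secret; tokens derive from it, so no lookup table needs storing.
SECRET = b"constructed-demo-secret-replace-me"

# Constructed recipient list for the memo.
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com"]

# The memo text every recipient gets; only the image URL differs per copy.
TEMPLATE = (
    "Q3 pricing memo (confidential): list prices rise 4% on the 15th.\n"
    "Full schedule: https://intranet.example.com/memo/{token}.png\n"
)

TOKEN_RE = re.compile(r"/memo/([0-9a-f]{12})\.png")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) [^"]*" (\d{3})')
INTERNAL_NETS = ("10.", "192.168.")  # constructed: addresses treated as inside the office


def token_for(recipient: str) -> str:
    """Per-recipient token: HMAC so a leaker cannot guess or forge another person's token."""
    return hmac.new(SECRET, recipient.lower().encode(), hashlib.sha256).hexdigest()[:12]


def build_copies(recipients):
    """Return {recipient: personalised memo}; each copy differs only in its token."""
    return {r: TEMPLATE.format(token=token_for(r)) for r in recipients}


def identify_from_text(leaked_text: str, recipients):
    """Given a copy recovered outside the company, return the recipient it was issued to."""
    index = {token_for(r): r for r in recipients}
    m = TOKEN_RE.search(leaked_text)
    return index.get(m.group(1)) if m else None


def identify_from_access_log(log_lines, recipients):
    """Parse constructed common-log-format lines from the image host and return the recipients
    whose token was fetched from an address outside the office network (sorted, de-duplicated)."""
    index = {token_for(r): r for r in recipients}
    leaked = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client_ip, path, status = m.groups()
        if status != "200" or client_ip.startswith(INTERNAL_NETS):
            continue  # failed fetches and in-office views are not evidence of a leak
        t = TOKEN_RE.search(path)
        if t and t.group(1) in index:
            leaked.add(index[t.group(1)])
    return sorted(leaked)


# Constructed access log: every recipient viewed their own copy from inside the office,
# and Bob's token was later fetched from an outside address (plus one bogus-token probe).
SAMPLE_LOG = [
    f'10.0.0.11 - - [05/Jun/2007:14:02:10 -0400] "GET /memo/{token_for("alice@example.com")}.png HTTP/1.1" 200 68',
    f'10.0.0.12 - - [05/Jun/2007:14:03:41 -0400] "GET /memo/{token_for("bob@example.com")}.png HTTP/1.1" 200 68',
    f'10.0.0.13 - - [05/Jun/2007:14:05:02 -0400] "GET /memo/{token_for("carol@example.com")}.png HTTP/1.1" 200 68',
    f'198.51.100.7 - - [06/Jun/2007:09:17:55 -0400] "GET /memo/{token_for("bob@example.com")}.png HTTP/1.1" 200 68',
    '198.51.100.7 - - [06/Jun/2007:09:18:01 -0400] "GET /memo/000000000000.png HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    copies = build_copies(RECIPIENTS)
    print("text match:", identify_from_text(copies["bob@example.com"], RECIPIENTS))
    print("log match:", identify_from_access_log(SAMPLE_LOG, RECIPIENTS))
```

Two caveats the thread touches on: the image hit only appears if the outside reader's mail client loads remote images (yoyo_nyc's "if you are lucky"), and a match identifies whose copy leaked, not necessarily who leaked it, so treat a hit as a lead to investigate rather than proof.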


If your network converges at a single hub like a router, you should just be able to plug a machine in there and sniff the traffic right off the network.

The preferred approach for this, I believe, is something like Wireshark running on a Linux box. I've not run it on a Windows machine, but I'd assume that it depends somewhat on your network adapter in terms of when you put it into "promiscuous mode" to listen to all the network traffic.

Anyway, once you're plugged into the network, it's trivial to listen to whatever network traffic you like -- in this case, you'd want to listen to port 25 for outgoing SMTP traffic.

Not only is this approach easier (and typically free), it doesn't involve installing anything on the target machines.
posted by ph00dz at 6:37 PM on June 5, 2007


I'm going to guess you have some vendor-specific hardware and not a Unix box of some sort acting as a firewall. In this case I'd set up a Linux/BSD box with two NICs and bridge them. Check out tcpdump. You can read the dumps in Wireshark. From there you can do searches through the packets for mail data, keywords... you name it. Keep in mind that even if they're using Yahoo, MSN etc. on the work line, it still may be encrypted, and you may be SOL.

I would personally go with the Canary Trap. Social engineering often trumps a technical solution.
posted by cellphone at 7:54 PM on June 5, 2007


If the user is using an SMTP server outside your company to send the mail, and using SSL, or is using a Web mail service (also SSL), you're basically SOL.
posted by kindall at 8:28 PM on June 5, 2007
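ph00dz and cellphone suggest capturing port 25 on a bridge or span port and reading the sessions in Wireshark; kindall points out that an SSL/TLS session gives you nothing. The parser below is an added example, not code from any poster or from Wireshark or tcpdump: it takes a reassembled plaintext SMTP stream (the text you would see in Wireshark's "Follow TCP Stream" or `tcpdump -A`), pulls the envelope sender and recipients, subject and attachment filenames out of each DATA block, flags messages addressed outside the company, and reports a stream that upgrades to STARTTLS as opaque. The company domain list and both captures are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed: the organisation's own mail domains; any other recipient domain is "external".
COMPANY_DOMAINS = {"example.com"}

ADDR_RE = re.compile(r"<([^>]+)>")
ATTACH_RE = re.compile(r'content-disposition:\s*attachment;.*?filename="?([^";]+)"?', re.I)


@dataclass
class SmtpMessage:
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    subject: str = ""
    attachments: list = field(default_factory=list)
    starttls: bool = False  # True when the stream switched to TLS before any DATA block

    def external_recipients(self):
        return [r for r in self.rcpt_to
                if r.rsplit("@", 1)[-1].lower() not in COMPANY_DOMAINS]


def parse_stream(transcript: str):
    """Walk a reassembled plaintext SMTP stream (client and server lines interleaved, as in
    Wireshark's 'Follow TCP Stream') and return one SmtpMessage per completed DATA block."""
    messages = []
    cur = SmtpMessage()
    in_data = False
    for raw in transcript.splitlines():
        line = raw.rstrip("\r")
        if in_data:
            if line == ".":  # lone dot ends DATA; a real body dot is stuffed as ".."
                in_data = False
                messages.append(cur)
                cur = SmtpMessage()
            elif line.lower().startswith("subject:") and not cur.subject:
                cur.subject = line.split(":", 1)[1].strip()
            else:
                m = ATTACH_RE.search(line)
                if m:
                    cur.attachments.append(m.group(1))
            continue
        verb = line.upper()
        if verb.startswith("MAIL FROM:"):
            m = ADDR_RE.search(line)
            cur.mail_from = m.group(1) if m else ""
        elif verb.startswith("RCPT TO:"):
            m = ADDR_RE.search(line)
            if m:
                cur.rcpt_to.append(m.group(1))
        elif verb == "DATA":
            in_data = True
        elif verb == "STARTTLS":
            # Everything after the server's 220 reply is ciphertext: nothing more to read here.
            cur.starttls = True
            messages.append(cur)
            break
    return messages


def report(transcript: str):
    """Return one dict per message: sender, external recipients, subject, attachments, status."""
    out = []
    for msg in parse_stream(transcript):
        if msg.starttls:
            out.append({"status": "encrypted",
                        "note": "session upgraded to TLS; envelope and content not visible"})
            continue
        ext = msg.external_recipients()
        out.append({"status": "external" if ext else "internal", "from": msg.mail_from,
                    "external_to": ext, "subject": msg.subject, "attachments": msg.attachments})
    return out


# Constructed capture 1: one message to an outside domain with an attachment, one internal note.
PLAINTEXT_CAPTURE = """220 smtpauth.earthlink.net ESMTP
EHLO workstation07
250-smtpauth.earthlink.net
250 AUTH LOGIN PLAIN
MAIL FROM:<jdoe@example.com>
250 OK
RCPT TO:<buyer@rival.example.net>
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>
From: jdoe@example.com
To: buyer@rival.example.net
Subject: Q3 price list
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Disposition: attachment; filename="pricelist.xls"

(base64 body omitted)
--b1--
.
250 Message accepted
MAIL FROM:<jdoe@example.com>
250 OK
RCPT TO:<colleague@example.com>
250 OK
DATA
354 go ahead
Subject: lunch
From: jdoe@example.com
To: colleague@example.com

noon?
.
250 OK
QUIT
"""

# Constructed capture 2: the client negotiates TLS, so the sniffer sees no mail at all.
TLS_CAPTURE = """220 mail.example.net ESMTP
EHLO workstation07
250-mail.example.net
250 STARTTLS
STARTTLS
220 Ready to start TLS
"""

if __name__ == "__main__":
    for entry in report(PLAINTEXT_CAPTURE) + report(TLS_CAPTURE):
        print(entry)
```

Run over real captures, the "external" entries are the candidates to look at first, and the count of "encrypted" entries tells you how much of the outbound mail the sniffing approach cannot see at all, which is kindall's and cellphone's warning in numbers.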


It's usually trivial to get information out of the office by USB stick, digital recorder or even hardcopy without using office systems to send email. Once it's outside...

Your being here instead of elsewhere indicates that you probably have an ad hoc office network with a laissez-faire policy (up until now) - not good for security.

Still, if you have to scan the outgoing email, this will only make sense if your leak is not computer literate - probably the case so it's worth a shot.

Sniffing the network traffic will give the quickest results by identifying what traffic is going out and where it's going, where it's from, protocols/encryption, etc., which might indicate who the likely candidates for further study are. If the leak is only sending once a week or less, it could take a while for the traffic analysis to find something. If you're in a large technical environment you may also flag innocents, so take care.

Bring in a network hotshot to do the setup and analyse the traffic, unless you're inclined to learning about TCP/IP protocols and sniffing software.

Then there are simple tricks like using a laptop with a data card and bypassing your network completely...

If the leak is knowledgeable, you're SOL even in a locked-down network. Try some social engineering in parallel; it might bring results more quickly.

Ultimately you have to consider the cost of implementing a secure environment (expensive and imperfect) versus the risk.

Good luck.
posted by w.fugawe at 3:40 PM on June 6, 2007

