Q: User, IP spoofing Outlook web access ( No Answer,   3 Comments )
Question  
Subject: User, IP spoofing Outlook web access
Category: Computers > Security
Asked by: nick1971-ga
List Price: $50.00
Posted: 14 May 2005 19:57 PDT
Expires: 13 Jun 2005 19:57 PDT
Question ID: 521746
Person X has a high speed cable ISP. IP address of X's home PC on Jan
1, 2005 is 11.22.33.44 (automatically obtained from ISP). X has
access to his company email by using Outlook web access from home PC.
The company's mail server is hosted by an ASP Y. Can the following be
achieved? Can ASP Y server logs show that an email was sent from a
user Y (who works in the same company as X) from 11.22.33.44?
Basically is it possible that someone can set up X in this way for
some malicious deeds? If yes, how?

Clarification of Question by nick1971-ga on 14 May 2005 20:05 PDT
Amended question:
Person X has a high speed cable ISP. IP address of X's home PC on Jan
1, 2005 is 11.22.33.44 (automatically obtained from ISP). X has
access to his company email by using Outlook web access from home PC.
The company's mail server is hosted by an ASP Y. Can the following be
achieved? Can ASP Y server logs show that an email was sent from a
user Z (who works in the same company as X) from 11.22.33.44?
Basically is it possible that someone can set up X in this way for
some malicious deeds? If yes, how? Please answer for two circumstances
- a) Z's password is compromised b) Z's password is not compromised.

Request for Question Clarification by sublime1-ga on 14 May 2005 22:39 PDT
nick...

The discussion by galaxyhead-ga is pertinent if your premise
is that someone is able to access X's home machine, but it's
not clear to me if that's what you mean, or if you're asking
if Z can create an email from their common worksite which 
would show up in the ASP Y logs as having been originated from
X's ISP address. This latter possibility is very unlikely, as
spoofed headers can be detected fairly easily.

Clarification of Question by nick1971-ga on 15 May 2005 06:26 PDT
Clarification:
1. Not sure if X's home machine is accessible - X has an open wireless
LAN set up at home. Could someone hijack his PC and do this from X's
PC at home?
2. Can Z or anyone else create an email from their common worksite (or
even anywhere in the world) which
would show up in the ASP Y logs as having been originated from
X's ISP address? 

The thing is: X has been set up by someone - I need to figure out how
this was achieved. It is not important to determine who did it - but
if I can - that would be awesome.

Request for Question Clarification by sublime1-ga on 15 May 2005 13:00 PDT
nick...

If you have access to a copy of the implicating email,
you can use the information in the following article to
analyze the headers and find out more about its origins:
http://www.usus.org/elements/tracing.htm

If you have access to the server logs, it would certainly
help to clarify things as well. While it might be possible
to create a spoofed email at the common worksite that would
appear, at first glance, to have been sent from X's home PC,
the analysis above would quickly detect this, and the server
logs should only confirm the spoof.

As for hijacking the home PC, certainly it's possible that
someone broke into the home. Most people have much less
security than they think. And it's theoretically possible
for someone to access the internet through an open wireless
LAN, but to access X's computer via that route, if it's 
possible, would be the work of a professional hacker vs
the typical skills of an office co-worker. A lot would
depend on the level of security on that PC, such as the
existence of a firewall. I don't see where we can do 
anything but speculate, in this regard.

sublime1-ga
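
The header analysis suggested above, as an added example that is not part of the original thread: each `Received` header records the TCP peer address seen by the server that stamped it, so only entries written by servers you trust are evidence. The message, host names, 198.51.100.7 and 203.0.113.50 are constructed, and the code assumes the top header was stamped by the receiving server.

```python
import re
from email import message_from_string

# Constructed message. The bottom Received header is text the sender could
# have typed in; the two above it were stamped by real servers.
RAW = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mail.asp-y.example with ESMTP; Sat, 1 Jan 2005 10:00:05 -0800
Received: from pc (unknown [203.0.113.50])
\tby relay.example.net with SMTP; Sat, 1 Jan 2005 10:00:03 -0800
Received: from home-pc ([11.22.33.44])
\tby pc with SMTP; Sat, 1 Jan 2005 09:59:00 -0800
From: z@company.example
To: someone@example.org
Subject: constructed sample

body
"""

HOP = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\].*?\bby\s+(\S+)", re.S)

def hops(raw):
    """Received headers, newest first, as (from_host, peer_ip, by_host)."""
    values = message_from_string(raw).get_all("Received", [])
    return [m.groups() for m in map(HOP.search, values) if m]

def last_verifiable_origin(raw, relay_ips):
    """Descend only through peers that are known relays (by IP address).

    Returns (first peer IP that is not a trusted relay, IPs claimed in the
    headers below it). Everything below that point was supplied by the
    sender and proves nothing about where the message came from.
    """
    chain = hops(raw)
    for i, (_, ip, _) in enumerate(chain):
        if ip not in relay_ips:
            return ip, [h[1] for h in chain[i + 1:]]
    return None, []

if __name__ == "__main__":
    origin, claimed = last_verifiable_origin(RAW, {"198.51.100.7"})
    print("verifiable origin:", origin)
    print("unverified claims:", claimed)
```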
Answer  
There is no answer at this time.

Comments  
Subject: Re: User, IP spoofing Outlook web access
From: galaxyhead-ga on 14 May 2005 22:29 PDT
 
Most SMTP servers for outgoing mail still do not require you to
authenticate. You need authentication for only downloading your mail
from a POP3 or IMAP server. Thus, it is possible for you to send mail
using X's machine that will "appear to come from 'z'". To achieve this
you could start a telnet session from 'X' with your SMTP server on
port 25 and manually enter the full SMTP message with the "from" field
containing 'z's id. For the novice, you can do this by just
configuring Outlook as Z would. You don't need to enter a password to
send mail. Only to receive (hopefully).
    However, if you do need a password, i.e. your company has a strict
security policy and your sysadmins have implemented it properly, you
will be asked for the password by Outlook even while sending the mail.
Then you will need to provide the password of 'Z'. This then is a long
story, which I will not discuss now.
Hope it helps....
Subject: Re: User, IP spoofing Outlook web access
From: arabianknight-ga on 18 May 2005 06:34 PDT
 
No, it's not possible... When you send an email, it first goes to the
server, for example Hotmail or Gmail, and then it goes to the
recipient. So Hotmail or Gmail DO have access to these emails,
because they are in their servers. I don't know how long they keep them
there, BUT it is possible for them to read an email you have sent, or
an email that you have received. Get it?
Subject: Re: User, IP spoofing Outlook web access
From: rich999-ga on 23 May 2005 20:09 PDT
 
Something should be clarified here:

X's home network has a network with wireless capabilities.  Is
11.22.33.44 the IP address of the PC (unlikely in this scenario) or of
the broadband router?

If 11.22.33.44 is the IP address of the broadband router (assigned by
the ISP), and the internal network is utilizing RFC 1918 addressing,
then *all* internet connections from that network will (via NAT) come
from 11.22.33.44.

In that scenario, all Z needs to do is access the open wireless
network and (this is the important bit) log in to OWA as user X.  If
user Z cannot login as user X to the OWA server, he will not be able
to pretend to be user X.

If the OWA server at the ASP requires SSL for access (almost certainly
-- and if not, you should get another ASP because this one has zero
idea about what they're doing), Z will need to install a keystroke
grabber on X's PC (which will require either physical access or
hacking to achieve) in order to obtain X's credentials.

If the OWA server does not require SSL, then Z can use a sniffer to
capture X's credentials from the network.  At which point it's a
simple matter to log in to the OWA server and pretend to be X.

Richard
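
A log review that follows from the NAT point above, as an added example that is not part of the original thread: because the web server logs only the router's public address, the account name and User-Agent are the fields that can separate devices behind it. The log lines, account names `x` and `z`, paths and 192.0.2.10 are constructed, in IIS W3C extended format.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (spaces in the
# User-Agent are logged as "+"). Every row here is invented.
LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status cs(User-Agent)
2005-01-01 17:58:02 11.22.33.44 x GET /exchange/x/Inbox 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2005-01-01 18:03:40 11.22.33.44 z POST /exchange/z/Drafts 200 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1)+Firefox/1.0
2005-01-01 18:05:11 192.0.2.10 z GET /exchange/z/Inbox 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0)
2005-01-01 18:06:00 11.22.33.44 - GET /exchange/ 401 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1)+Firefox/1.0
"""

def parse_w3c(text):
    """Turn W3C log text into dicts keyed by the names on the #Fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def accounts_by_ip(rows):
    """ip -> account -> set of User-Agents, authenticated 2xx requests only."""
    seen = defaultdict(lambda: defaultdict(set))
    for r in rows:
        if r["cs-username"] != "-" and r["sc-status"].startswith("2"):
            seen[r["c-ip"]][r["cs-username"]].add(r["cs(User-Agent)"])
    return seen

def shared_ips(rows):
    """Source addresses from which more than one account authenticated."""
    return {ip: {u: sorted(a) for u, a in users.items()}
            for ip, users in accounts_by_ip(rows).items() if len(users) > 1}

def unusual_agents(rows, user, ip):
    """User-Agents `user` sent from `ip` but never from any other address.

    The User-Agent is client-supplied, so a mismatch is a lead to follow
    up on, not proof of who was at the keyboard.
    """
    by_ip = accounts_by_ip(rows)
    here = set(by_ip[ip][user])
    elsewhere = set().union(*(u[user] for other, u in by_ip.items()
                              if other != ip and user in u))
    return sorted(here - elsewhere)
```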
