Snooping via MS-Mail
by Schlork
If your company is using MS-Mail (not MS-Exchange) for its email system, the following describes a way to snoop through other people's mail.
MS-Mail allows users to either store their mail and attachments on the mail server (the default option) or locally on the user's hard drive (or another network drive).
If mail is saved locally, it is usually stored in a file called MSMAIL.MMF or MAIL.MMF in the \WINDOWS directory.
If it is stored on the mail server, each user will have a unique filename with an extension of .MMF, for example 000003C2.MMF.
These files are stored in a directory called \MMF\, which makes them easy to locate. It is not known at this time how to cross-reference a filename such as 000003C2.MMF back to the user "Jane Doe." More research will need to be done.
The first 512 bytes of the MMF file are a header, which stores information about the file's size, the number of messages and attachments, the password, etc. The rest of the file is (presumably) the message data and attachments. It is compressed/encrypted to keep prying eyes (like ours) away. The method of encryption doesn't matter; we'll let MS-Mail do all the work for us.
If the header of the file gets destroyed, the MMF file will need to be reconstructed. Luckily, MS-Mail has a fantastic MMF file rebuilder included! Using Mr. Norton's Diskedit utility, or some other hex editor, simply open up the MMF file and wipe the first 512 bytes out with zeros (0). This effectively removes the password from the file, and allows the messages to be viewed.
It is extremely important that you log out of your mail server!!! If you are reading someone else's mail while still logged in under your own account, you may end up opening a message with a return receipt attached, which will broadcast the fact that you have read this piece of mail!
Quit MS-Mail, log out of the network, and rename your local mail file to something other than MSMAIL.MMF. (This is to keep your personal mail file safe.)
If you have your mail file stored on the network, the act of logging out of the network will keep your file safe.
Open MS-Mail again. It will complain that it cannot attach to your mail server, but it will ask if you want to work offline. After selecting yes to working offline, MS-Mail will display the login box for you to enter your username and password. Change your login name to something other than what you normally log in as. You do not need to enter a password. (The password is verified against the mail server; since you are working offline, it can't check it.)
Now MS-Mail will tell you it cannot find your mail file (because you renamed it) and it will bring up an "Open New File" window. Point MS-Mail to the new MMF file with the trashed header. It will come up with a box that says that the file has an inconsistency and will need to be repaired. Depending on the size of the file, it can take a long time to reconstruct it, so be prepared to wait. While the file is being reconstructed, you cannot switch to any other windows, so your machine is completely crippled during the reconstruction phase.
Once the file has been reconstructed, most of the messages will appear in the "lost and found" mail folder. Attachments will usually be lost. A portion of the messages will also be lost. Results will vary with each file that you try to open.
In fact, it may not let you into the file at all, telling you the username or password was invalid. You should, however, be able to get into most of the files you try, and be able to read a good portion of the messages inside.
Another thing to try is to copy the 512-byte header from your personal MMF file over the top of the target MMF file. You will need to enter your login name and password for this file, but after reconstruction, you will probably have a better chance of getting access.
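From the administrator's side, the two tampering signs described above (a header overwritten with zeros, and one user's 512-byte header copied onto another user's file) are both visible in the \MMF\ directory without opening any mailbox. The following audit script is an added example, not part of the original article; the 512-byte header size comes from the text, and the three sample files it builds are constructed data, not real MS-Mail output.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

HEADER_LEN = 512  # MS-Mail MMF header size, as described in the article

def header_status(path):
    """Classify one MMF file's 512-byte header.

    Returns 'wiped' if the header is all zero bytes, 'short' if the file is
    smaller than a header, otherwise the SHA-256 hex digest of the header so
    the caller can spot identical headers across different users' files.
    """
    with open(path, "rb") as f:
        hdr = f.read(HEADER_LEN)
    if len(hdr) < HEADER_LEN:
        return "short"
    if hdr == bytes(HEADER_LEN):
        return "wiped"
    return hashlib.sha256(hdr).hexdigest()

def audit_mmf_dir(directory):
    """Scan *.MMF files; report wiped headers and headers shared by >1 file."""
    findings = {"wiped": [], "duplicate_header": []}
    by_digest = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        if not name.upper().endswith(".MMF"):
            continue
        status = header_status(os.path.join(directory, name))
        if status == "wiped":
            findings["wiped"].append(name)
        elif status != "short":
            by_digest[status].append(name)
    for names in by_digest.values():
        if len(names) > 1:
            findings["duplicate_header"].append(names)
    return findings

def build_sample_dir():
    """Constructed sample data (hypothetical header layout, mostly zeros)."""
    d = tempfile.mkdtemp()
    good_hdr = b"\x00" * 16 + b"MMF" + b"\x00" * 493      # 512 bytes
    with open(os.path.join(d, "000003C2.MMF"), "wb") as f:  # untouched mailbox
        f.write(good_hdr + b"message data")
    with open(os.path.join(d, "000003C3.MMF"), "wb") as f:  # header zeroed
        f.write(bytes(HEADER_LEN) + b"message data")
    with open(os.path.join(d, "000003C4.MMF"), "wb") as f:  # header copied from 000003C2
        f.write(good_hdr + b"other data")
    return d

if __name__ == "__main__":
    print(audit_mmf_dir(build_sample_dir()))
```

Running it on the sample directory reports 000003C3.MMF as wiped and 000003C2.MMF/000003C4.MMF as sharing a header.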
Here is some information that I have gathered about the headers in MMF files:
Most of the header is zeroes. I assume some of the data is repeated for redundancy.
The fact that the file can be reconstructed without the password makes me think that the password is used only for verification of the user, not as a key for decrypting the file. This means that the password verification could probably be removed from the code in MS-Mail altogether, allowing any file to be opened and all the messages/attachments preserved!
More research will be done on this subject. I will also be doing work on MS-Exchange shortly.
Have fun!