Why is it any of your business? Either delete the email or forward it, as your conscience requires. You aren't the morality police.
Why are you even reading the body of the emails if you're expecting they're for somebody else?
Welcome again to On-Call, our weekly (and preponderantly prurient) piece in which readers share horror stories from their workplaces. This week, we're going interactive, because the situation in which reader “Flash” found himself describes an ethical dilemma The Reg feels un-qualified to address. Flash once had a gig “ …
It's even less interesting than finding porn. It's just a personal email from one employee to another using their employers email system. Does the business allow personal email? If yes then nothing to see. The contents in this case are irrelevant.
I sent an email to a friend today about Friday lunchtime pub time. No different.
> The obvious solution is to just bounce invalid recipients, like everybody else.
Yeah, and I've been bitched at and told to "fix that" by The Big Boss, regardless of how I implemented it or any other consequences. Despite being a tech company, they expected the computer to magically know where to send emails.
In this situation, I would have have blackmailed the two, if the guy had been one of the people complaining about email resolution. Revenge is a dish best served very cold.
If revenge is a dish best served very cold, and revenge is also sweet....is revenge ice cream?
(yes, I shamelessly nicked that from a philosoraptor meme)
Anyway, I've been asked to set up similar 'no bounce' systems, and I've simply told the client - in professional terms - that it's a staff competency problem, not an IT problem.
If they aren't capable of using the address book of their email clients, then they probably shouldn't be trusted to handle a spoon without adult supervision due to the risk of injury.
In this case? I'd have done the same. If the Big Boss wants me to compromise my professional ethics by intercepting staff email on the fly, they can go fuck themselves.
If revenge is a dish best served very cold, and revenge is also sweet....is revenge ice cream?
Only if you milk it for all it is worth, otherwise it is sorbet.
I ran into a similar situation at a previous job. I was asked to transfer archived emails archived on a machine for a coworker who had transferred out of state. The application and method I was given to do this displayed one of the emails in whichever folder was being processed. It happened to pull up one that made it very clear that my coworker was having an affair, that both parties were married, and that she would be working with her new love interest. All in two lines. I finished the transfer and said nothing about it to anyone at work.
As far as I am concerned, the whole thing was an onion ("None ya business" for those not familiar with the term) despite the way Big Brother and Big Business would want us to buy into.
<snip>
"In this case? I'd have done the same. If the Big Boss wants me to compromise my professional ethics by intercepting staff email on the fly, they can go fuck themselves."
I was once asked by a senior sales director of a large UK company if I could monitor an employees email. I said that I could but I would not do it under any circumstance but he could probably employ someone else who would. The director exited screaming and shouting at me, I just went back to work.
1 hour later he came back to me and apologised saying that he had a think about it and with me on watch his emails were as safe as anyone else s and he thanked me for standing up to him.
> This is a security issue, as it allows spammers to identify real email addresses in an organization. If it doesn't bounce, it's a real address.
That's such a 1990s strategy.
- So many email addresses at companies are publicly listed everywhere that this isn't a useful "secret" to protect (see "security through obscurity")
- Anti spam systems are smart enough nowadays to block dictionary attacks - have been for a looong time
- Anti spam systems are pretty good at actually stopping the spam too even if you know the adresses
"This is a security issue, as it allows spammers to identify real email addresses in an organization. If it doesn't bounce, it's a real address."
This may have been the case 20 years ago, but not now. Spammers don't care what bounces. They don't care how many million duff email addresses they're using. There's much more work involved in removing the bad addresses from their spam list than in just leaving them in. Sending out the emails either cost minuscule amounts, or zero if you're hijacking someone else's email server. Bounces cost them nothing at all, because they're not coming back to them. So why should they care?
A company has a black-hole for bad addresses simply to avoid the hassle of handling them. It's a valid strategy, but may result in the lose of emails that could have an actual value to your company.
The obvious solution is to just bounce invalid recipients, like everybody else
This right here, is how email works. User gets bounce, user realises their mistake and everybody is happy.
In this completely made up story the admin thought outside the box without reading any RFCs (as admins are prone to do) thought he was being clever and in the end not only snooped on other people's private lives (I mean using corp email for this stuff is begging for trouble but it's still essentially private) and also broke the entire global email system in the process.
This stuff doesn't have to be difficult but people really so enjoy trying to make it so.
Also if your boss has a problem with your email system working correctly go find yourself a new job and do it now because your company is probably going to go down in lawsuit and you're probably going to end up named as at best a witness and it's going to cost you a lot of money in legal fees.
My viewpoint is that there's no reason for the admin to be reading those emails in the first place - just bounce them. I'm guessing he set this up as a way of snooping, rather than to be helpful.
Anyway, they aren't sharing trade secrets with the competition, the emails aren't illegal. He knows nothing of the details - this pair may have left their spouses which makes the email completely innocent, for example.
It's not for him to judge. I was once told by a colleague that he gets sucked off every time he goes to Amsterdam. I didn't feel the need to tell anybody, especially his wife. None of my business.
"My viewpoint is that there's no reason for the admin to be reading those emails in the first place - just bounce them. I'm guessing he set this up as a way of snooping, rather than to be helpful"
Actually I believe in the article he said that often customers emails would be mis-addressed and he was attempting to forward them to the appropriate recipient. Sounds like a reasonable thing to do for the business.
It just happened that some internal mails were also mis-addressed.
bounce is better. That way as an admin you don't get into a situation you aren't comfortable with. Lets face it, that's between them and their SO's unless it impacts the business, and then its up to their managers and HR to request logs. Whatever my personal feelings are on it, my business one pretty much ends up correcting it and letting it go since that is/was the policy. Of course, I'd then immediately change the policy next week to bounce typoed internal emails after that. I generally follow a don't ask, don't care policy regarding people's personal crap at work...
I've accidentally ended up in similar situations myself on occasion due to monitoring the internet firewall for things like blocked legit sites that needed unblocked and run into someone surfing NSFW's. I'd typically just take them aside, QUIETLY, let them know they could get in trouble if another admin or the security guys saw that, and then let it drop. I generally wouldn't see their userid again pop up again, except for one of the night security guys... yeah, you don't wanna know...
If the acts described in the email were illegal or likely to damage the company (industrial spying, for instance) forward it to the boss. If not, delete or forward, then forget about it. Such breast-beating over a trivial faux pas. Now, if one of the parties involved was the spouse of the original poster, I would understand the agita. Otherwise, you caught a co-worker doing something embarrassing, like dancing to music in their office or picking their nose.
Exactly.
Generally, many employers will have either:
- a policy on the use of work equipment/IT systems/communication during work time, or
- some catch-all clause in the employment contract.
Generally speaking, your response depends on the policies in question. However, internal IT processes and procedures need to be designed with these company policies in mind - if you don't want to be put in the position of reading misaddressed email, don't store or log the stuff!
Any email you send/receive from the company is the property of the company and therefore as an IT employee you're entitled to ensure the company's assets are being used in accordance company policy. Using company equipment for personal use is often allowed but within "reasonable use". In an ideal world you should report this email as abuse of company property and you should be able to remain anoymous as the problem should then be dealt with by the HR dept and the offender's manager as they see fit. It's not your job to pass moral judgements, just act within the bounds of company rules and policy.
Suppose the emails contained evidence of some crime that was later committed? In the financial world everyone, including IT staff, have to take mandatory, annual anti-money laundering training and certification. If you know about potential ML then you're bound by law to report it to the correct company officer else you risk a spell in clinky.
"Suppose the emails contained evidence of some crime that was later committed?"
I'll see your straw man and raise you. Suppose they contained confidential company information that would affect share prices? Difficult to avoid suspicion, even if innocent, if there were then suspicious share trades.
The fact is that intra company email can contain all manner of confidential information. It could be customer or employee personal data. It could be product plans. It could be results of clinical trials. All sorts of things above a support desk pay grade and operation of the email system shouldn't depend on such an employee opening it to route it correctly. It should bounce and give the sender a chance to re-route it correctly, sight unseen by anyone else.
2. Both deleting and forwarding the e-mail will be seen as a judgment call based on morality
No, a judgment call is deleting the email. forwarding is what he was tasked with doing, no judgment required. And, if he is going to police the morals of his co-workers instead of just forwarding the d@mn emails, let him disclose every pen he has taken home, even inadvertently, every time he looked at a personal email on company time, etc., etc.
I believe the correct response is to return the email to the sender, indicating that you had only read
enough to identify that this was not work related.
Then remind the sender that personal messages should be sent using personal email.
Nobody will believe that you didn't read the whole email, but the message that you don't
appreciate having personal stuff like this get misdirected to you will have been delivered.
In my country what he did would have been illegal (and once we had to identify and remove a mail admin who was monitoring the mail of a woman he got "too interested" in...)
Anyway, what people do in their free time is up to them. As long as what they do is not illegal, nor is a true risk for the company, is not a problem of mine - unless, for some reason, I'm very close to one of the involved people and I can understand the situation fully.
Did he sent it to the wrong address? It should have received the standard "cannot deliver" message. I received it by mistake? Delete it.
Sure, it can deeply change the opinion I have about them for ever...
A true BOFH would have filed the email under the names of the two people involved. Just in case, sometime in the future, one of them happened to be in a position to do him a "favour".
Given the sense of humour here and the fact that it's Friday I would have expected the "blackmail both" choice to top the poll. So yay for upstanding citizenship (pardon the contextual pun :) ), booh for not staying true to BOFH principles :).
(and yes, I would have deleted it too - we're still human).
It seems to me that the company in question should have made this policy known to all employees (the one where undeliverable emails end up in a mailbox visible to admins) with a very strong warning that all such emails are liable to being read by people other than their addressees. And if you use company email for that kind of thing, you're an idiot anyway.
Yes, and perhaps put a few hints in the warning that the two perpetrators would recognise, just to make sure they got the message.
Mind you, I'm not subtle so it would probably have gone something like:
"Please remember that the email system is provided by $COMPANY for company business only, not so you can arrange affairs on company time. Please also remember that IT have access to all your emails, especially the ones you don't address correctly and we'd really rather not have to read your home made porn anymore."
Its a hornets nest. Another problem is that you don't know if his e-mail would have been appreciated or could be filed as sexual harassment. One way or the other erotics has no place in the office, so this is definitely the best way to go: remove it, the guy will probably have gotten the hint and yeah...
Then again: maybe because the e-mail got deleted the guy felt rejected by the woman and so he left the company? ;)
Nothing to do with the admin, he shouldn't be reading the emails, should just forward them on.
Why even have a catch-all for misspelt emails? Let the user receive an undelivered mail message like every other mail server does.
Sounds like an excuse to read other peoples mail.
Correcting recipient addresses does in no way imply that you can read the contents.
What he should have done is set up an application that only shows the recipient list and hides the content. Anyone asking could therefor be shown the application and rest easy that their smutty secrets remain hidden. And he could have lived his life blissfully unaware of the rampant beast lurking below.
It sounds like the email "bucket" needs a little more functionality. After something has been undelivered for a set amount of time, simply knock it back to the sender as "undeliverable".
That removes the need to actively do anything and the response can be made as "machine generated" as the admin likes. It depersonalises the situation and alerts the sender that something was amiss.
"The first rule of email admin is that you don't read the content unless it's addressed to you."
Best comment, so far. Have an upvote and a story from me. Anon, because.
In this international company, the french branch of HR was the most perverse lot of fuckwits, and they, on some sites, would routinely come to the local mail admin to ask for access to staff mailboxes, on the ground of "wrongdoing" (that would never be explained). Nothing written, all verbal insinstant requests.
Of course, the goal was to pressure people into leaving, for whatever reason. So much convenient than firing them (french contracts).
As the corporate guy in charge of email in the whole company, I got so fed up to hear that mail admins were routinely complying with the requests that I sent all of them an email dismissing those requests as unethical, and illegal (they are in France) and urging the guys to ask for a written request.
At the time, I got a lot of flack, from the mgr of one of the guys because my email had a bit savaged his little trade with HR.
However, years after, when I had to investigate through the mailbox of the CEO of the company (this was serious stuff, with layers etc ...), the request came in all proper and written by the right VP.
Ethics, unlike morals, always win out people's respect.
Probably the second rule is something like "even though I have no interest in reading your mail, each and every host it goes through does have the capability of reading it: assume that I'm the exception among these admins and if you want privacy, encrypt the mail or don't use email at all".
Not using email at all would have been the smart thing to do in this case, since the recipient metadata is still in the clear. But then, the sender probably wasn't the sharpest tool in the box and no amount of explaining would have led him to do the sensible thing.
Best course for this admin would have been to refuse to scan the emails in the first place. Or only set up filtering with the policy that all misaddressed mail will go directly to a public (office-wide) noticeboard. Either that, or refuse to look at the content and base redirections solely on the To: field. I prefer the more dramatic option, though.
In person (no e-mail trail) take one of them aside and suggest they should switch to a non-work e-mail for personal correspondence.
It's none of my business what they get up to, but if they're using a network I have control over then someone could make me make it my business, and I don't want to be in that position.
And let them know that you're a snooping peeping Tom?
God no, I don't go looking for people's correspondence or web traffic. I'm only thinking of the scenario where I saw it in the course of my normal work. Like HR leaving someone's firing papers on the printer, the very act of trying to figure out what to do ("Who's is this? I should return it to them") leads you to learn things you didn't want to.
Catch-all addresses attract spam, and you're either going to get fried for snooping, or fried for passing mail on to the wrong address. Even if you survive a potential frying, you've made an open-ended commitment to sorting out typos for users who won't bother to check where they're sending stuff.
They are useful as diagnostic tools though, especially when rogue users start setting up shadow IT systems and misconfigure them... Yeah yeah, this is an ancient example, so shoot me...
Me: Please shut down your Netscape Collabra server, your "intranet" is not officially sanctioned and is insecure.
Him: This matter does not concern you.
Me: Security of the campus network IS my concern. It's actually part of MY job.
Him: I still don't see why it's any of your business.
Me: Do you admit that you are running an unauthorised server on personal equipment ?
Him: I refuse to incriminate myself.
At this point, I hold up a print-out of a bounced e-mail from the offending machine, because he cocked up the configuration.
Me: Are... You... Run-ning... A... Net-scape... Coll-ab-ra... Ser-ver ?
It's a bit like that scene from Red Dwarf where Captain Hollister asks Lister about Frankenstein, but I was determined that this guy and the intranet weren't going to have a baby intranet.
Our system policy is to keep a copy of everything that goes in or out - this is a requirement in some environments and a lot more common than you might think. The backups are deleted automatically (also policy) after 90 days and very occasionally I have to look through the backups to retrieve a specific message based on Subject and Time.
So I could look at a lot of stuff but I don't - it's none of my business unless there is some requirement to do so - I sleep well at night.
Catch-alls, backups and network traps are legion - have we not learned that yet? If you are doing anything that you don't want published - then don't leave a record.
....which I'm pretty sure everybody here is already aware of is:
Never put anything in an unencrypted email which you wouldn't be happy to write on a postcard and send through the post in plain sight of the postmen, sorting office workers, that nice young lady who works in the post room at work, the trecent school leaver trainee who actually drops stuff at your desk, and all your colleagues who might casually glance at your in-tray as they walk past your desk.
Because that's pretty much what you're doing if you send an email without end-to-end encryption...
"write on a postcard"
Yeah, that's the lesson that users need to learn and re-learn and re-learn ad nauseum. Most users still think of email as being like a letter sealed in an envelope and it will still get to the correct destination even with a typo or two because the nice friendly postman will recognise the typo and still deliver it to the right address because s/he knows all the customers on the route personally.
I found one in a mail loop between one or our systems saying that IT were a bunch of wankers and that the new policy of not sending personal emails was useless as they would never know, the down side of that one was it was a student on the last week of his uni work experience required for his qualifications, when he was escorted off the premises, I passed it on to his boss.
I've been called FAR worse things over the years by users.
I would have taken chummy aside and "had words", maybe go as far as a scare-the-bugger-half-to-death, but dobbing him in like that ? That's just cold.
Anyway, I have room to talk about bad behaviour on placements - I was blind drunk by 10am on the day I was supposed to meet my placement supervisor for the first time. Okay, it was my 21st birthday, and yes, THAT was my "present" !
That's what I would have done too. If illegal delete else forward. Just because you can enforce your morals on your users does not mean you should.
Of course, in bigger companies the bosses can do exactly that with codes of conduct and the like which you have to factor into your decisions.
Correct the address, but in a way that it will go to a different recipient!
Of course, this only works if the original recipient's address is close to someone else. But since they can't type the address correctly, why not get that email on its merry way? "Gee, I see that email didn't go to its intended recipient. Too bad you typed in someone else's address..."
While I agree that catch-alls can be a problem, in small service companies they can be a life (company) saver.
A small business I still do occasional work for has a catch-all for anything that hits the server. This is frequently hit by potential customers that (for example) spell 'accounts' with only one 'c'. If these emails aren't picked up that's a business loss small companies simply can't afford these days.
Sorry to come back on this, but a bounce is absolutely the worst thing you can do as a small service company. The original sender won't read the message (probably assuming the bounce was due to the business going bust) and will simply contact another company.
As for trapping the 'common' mistakes, that would be one hell of a long list! You should see some of the ones we get. The company I'm referring to has two main addresses, 'Accounts' and 'Service'. As well as that there are about five named individuals. The combinations are endless - most are highly amusing too!
"While I agree that catch-alls can be a problem, in small service companies they can be a life (company) saver."
There's a difference between external mail and internal mail in this respect. And the larger the company the greater the probability that there will be legitimate internal mail that's above the monitor's level of responsibility.
If you think you need a catch-all make sure everyone knows about it and whose will be reading it. At least anybody who's sending anything sensitive (personal or business) can either take extra care with addresses or choose not to use email. Shock-horror - other methods of communication exist!
You two must be guests from some parallel universe. Around here, real life seems to correlate nicely with the poll result - where majority of responders selected one of two "it's none of my damn business" options.
Yes, I've heard an occasional story of peeping Toms in IT, but these don't seem to last long enough to leave a lasting impression, so their existence is not fully confirmed.
Welcome to The Register then. Hope you come in peace.
Unless someone in management asked Flash to do this then he's way out of line and should be fired. I'd also advise Flash to find an IT job that does not put him in a position to access his co-workers personal data as it looks like he has some serious issues with respecting boundaries.
I'd love to know what's wrong with letting mail bounce. Why on earth did Flash feel the need to set up a 'catch-all' account? While I'm at it, why would anyone want to manually route email?
I imagine that Flash is/was fresh in the job. I remember that when I was new, I was eager to please while at the same time heady with the responsibility. And aware of how difficult it is to get a decision out of management.
Rather than ask what to do with misaddressed email and still be waiting for a decision when I retired, as an eager to help people young IT professional, I might have done what Flash did.
Of course, when the inevitable saucy email arrived, I would turn it all off again and let it bounce and pretend I hadn't done nothin...
I'm rather disappointed at the lack of BOFH potential in this threat. And the lack of people who voted for "blackmail both parties". Personally I would have voted for having the email projected onto the front of the building in foot high letters, but that option was mysteriously missing...
Then again, the BOFH would never have foolishly created extra work for himself. And simply set up an search of the email database to bring any interesting or useful items to his attention automatically.
> the BOFH would never have foolishly created extra work for himself
A true BOFH would set the defaults so that incorrectly addressed internal mail would go to everyone. That way it would be sure to end up in the right person's email (and all the wrong people's, but that's FH-ism for you).
Where's the ethical dilemma then? Married or not makes no difference. Using company email for private purposes is nothing. It's a bit iffy though that he reads emails not meant for him. Those emails should bounce as they are required to do, so the sender updates their email details. He should stop trying to fix up those cases when there's a well defined protocol for it.
Perhaps she would have become the love of his life? But he was spurned when she didn't answer his email!
Humans are biologically programmed to want sex and fall in love. And seriously do you think married men and women don't fall in love/lust??
I remember I used to go to conferences with this woman, a smart beautiful woman, who was in a relationship. I was crazy about her anyway.
There would always be an icebreaker at these things, and people would hook up.
One time she mentioned she'd be going to the Manchester thing, and her boyfriend wouldn't be going. I got my hopes up high. At the icebreaker, I hit on her all night, made a total ass of myself. At the end of the night most people had gone to bed, just me, her and the organizer, a notorious womanizer, were left. He'd obviously struck out that night since he was alone. I was determined not to strike out.
I saw the room allocations, he was on floor 3, me on floor 4, her on floor 5. We went to the lift together.
So he will get out on floor 3, and I would have 1 floor, 1 last chance to get her. What would I say? How would I convince her to come to my room? If I failed, I'd be too embarrassed to look her in the eye again, I'd burned all my bridges. Would I even have the nerve to say it?
So what did I say?
Well the lift opened at floor 3, and she and the organizer got out of the lift and headed to his room.
Ouch.
Well the lift opened at floor 3, and she and the organizer got out of the lift and headed to his room.
And after the lift doors had closed she thanked the organizer for helping her get rid of the annoying guy who'd been hititng on her all night, and headed back to the lift to go to her room.
I suspect the admin had the best of intentions at the time. There was a time email was newish and he probably thought he was helping people out by fixing typoed email. I doubt he was thinking it would be a problem getting work related emails and sending them on their way.
Me? I'd nuke it and then consider if I want a catch-all anymore. Maybe just check the mail logs and add some alias for some common problems. It is easy to be the armchair general with hindsight though.
I've had that live for about a week for test purposes, and the amount of crap that gets thrown at an email gateway to deliver spam, malware and ads for "medicinal" products ended that test quite rapidly.
May all spammers suffer accidents involving their genitals and nail guns. Repeatedly.
Flash it not the moral police so just keep his beak out. Consider this outcome:
Flash forwards the email to recipient, recipient is not happy with email and reports it , sender quite rightly says that he did not send it to them, Flash in the poo right up to his neck.
What a decent person would not have done is to mention the details to anyone so much better to bounce and not be such a nosey bugger.
The only rule is to deal with it and don't talk about it.
Rule number 2 clearly broken by this admin.
By dealing with this problem by hand the problem will also escalate as people will not update their address books as the "system" fixes it all the time. Bad move pal.
So why in the name of god are you not teaching your users to fish? Collecting mis-sent emails and forwarding them on is an exercise in futility. I have valuable time to be spent trawling the web for photos of cute kittens that would be *seriously* inconvenienced if I spent my time re-addressing email all day.
Delete it and ignore it, and just start bouncing email (especially for internal only!) emails back when they screw up the address. For externals, you can bounce or drop as you see fit.
As agreed, if this guy has enough time to trawl through spam then he has way too little to do...
I personally wouldn't have set myself up in his role and have all miss directed mail going into the big mailbox in the sky... even if management asked me to perform said task is explain the futility of it...
but this isn't what is being asked... and who knows what id have done at finding such a mail item - all depends on how the wind is blowing... but while we are thinking about morals, id probably find myself chatting to a certain female employee a little more often!!!
Is to catch the spear phishing emails aimed at your important staff.
Running a check for mail from/to an address very similar to the corporate email domain and originator/recipient of a staff member could catch a major phishing attempt.
Downside is that you would pick up all sorts of other crap as well then have to deal with it.
For mis-addressed emails, just read the headers then send a message to the originator saying you are holding the message (in one hand, with one of your bodily extensions in the other) and can they confirm the recipient. Or, better, can they re-submit. With more detail. No - bad idea. Still.......
This assumes that (as others have suggested) you haven't been forced to do what mail rooms used to, and correct obviously wrong addresses.
... by the apparent lack of BOFHness amongst you all.
I mean, you've practically all stated that you'd delete the email and pretend nothing happened rather than resort to blackmail or extortion?
Fer chrissakes, grow a backbone and charge up the cattle prod, the lot of you.
The email had been something the admin really shouldn't have read, for compliance or confidentiality reasons? He'd at least have broken company policies, if not the law. And he'd have known as much from the legal disclaimer text that every company insists on putting at the bottom of its email. He's lucky he kept quiet
1346 of you, and counting, chose this:
"Delete the mail and hide the secret forever"
It's Friday afternoon - let your imagination go wild.
Where's the option to "Blackmail both parties for money and sex, then frame each for the other's murder and watch from the public gallery as they get sent down" ? Now that's an option.
Where's the option to "Blackmail both parties for money and sex, then frame each for the other's murder and watch from the public gallery as they get sent down" ? Now that's an option.
If they've murdered each other, how can they be sent down ? It's like asking where you bury survivors.
I've been in some situations involving sensitive information. I would not have read the email. I would have forwarded it as routine business.
What's in the email is none of my business. However there was one situation where I did say something, it involved classified information being collected by a person that had no need to know, I stumbled upon it while doing maintenance and certainly reported it. I don't know what became of the "suspect" I never saw him again.
When I first started working for "A Very Big Company" - this is the days before the internet - the "perk" was a company car, which everyone in the service department had, but since it was a "company car" and we were just workers any of the bosses could requisition our cars if their car was in the shop.
The Sales Director took my mates car one day (his was in the shop and he and his secretary had to go to a meeting in London) - he returned it the next day, but there were two small holes in the ceiling liner, aligned with the imprint of a pair of shoes, one on either side of the ceiling above the rear doors.
We all had a good giggle about it but there was no other evidence and if we'd said anything, we would have got the blame. And, whatever the evidence might suggest, there was no way to actually KNOW what happened - as in this article, you can guess what may have happened but you can't know, and I think most of us here realize how easy it would be to spoof a similar email complete with matching headers and log entries.
Two questions here: whether to run a typo/fwd service at all, and who sets standards for acceptable use of email and monitors them. The mistake was to connect the two.
If you are in the business of #1, my opinion is that this is all you do. You don't set the standard, you don't monitor content, etc. Apart from anything else, you reduce your personal legal and moral responsibility.
If you are in the business of #2, then org policies need to be in place to tell users that emails are monitored, not private etc. And ideally you want most of the work filtering to be done by machine, otherwise you end up with some petty BOFH who knows everyone's secrets.
Returning to the first case, supposing you saw an email that read, "I am going to <anglosaxon> you so hard you won't be able to walk." Is that a threat of assault? Or a mash note? If you treat it like the second but it turns out to be the first, you could be blamed for knowing a crime was about to take place and not doing anything about it. Steer well clear.
It's the equivalent of assisting a user to move folders on a server or helping them clean out their desk. Don't look in the folders or the bottom drawer of the desk. Never.
Now if the legal department, security, HR, etc. produce a signed document telling you to look, that's a different story.
My response is not listed as an option. I would have left the message where it was and told the sender that while I am not the morality police, I am the network (or at least e-mail) police and he should not be using the corporate mail for these kinds of messages. These kinds of messages can come back to haunt you in the form of a harassment suit.
I'd just correct the address and forward the mail. But I'd also put out periodic broadcast 'administrative' emails that would remind people that a) mail content is not private b) all mail traffic is archived (it has to be for legal reasons) and c) everything you send on a corporate email server belongs to the company.
Its a roundabout way of telling people that 'lewd, lascivious and illegal content should be kept off corporate email systems because there's a high chance it will bounce back and bite the people communicating". This isn't being the morality police, its just reminding people for their own sake.
I discretely told the recipient that kind of mail was not acceptable, and that I was not going to say anything to anybody this time and to make sure it doesn't happen again because I was not going to lose my job over it.
I could do nothing about the sender as they did not work for the company. However, the problem was resolved.
Flash must work for a small business, so catching all the mis-addressed email from existing or potential customers may well be vital for the financial future of the company.
I make the assumption it's a small business because corporates usually have an A4 equivalent (at least) of legal disclaimer as a sig on all company emails loudly claiming, amongst other things, that "this email is only to be read by the intended recipient blah blah blah" in which case if the "intended recipient" can't be identified with 100% certainty from the To: address alone, then it should be bounced or blackholed as per the "legal disclaimer" included.
You missed the option to forward it to someone else on the company email list, preferably someone with a similar enough name. I occasionally get email for the person whose name appears below mine in the company directory although never in the category described in the article.
Then I'd remove the email catch-all and let the stuff bounce back to sender to teach them to type it properly. It's a minefield to be party to the email of others without an official policy and you're better to just not go there. Hell, paved, intentions, good and all that.
One place I worked at had exactly two people in their address list with my surname. I appeared as Andy and the other chap appeared as Andrew.
Senders assumed that because the mail system had not complained about what they had typed, then it must have been right. They ignored the filling-in bit, which showed UK in my address, and AU in his.
So he ended up forwarding things about IT, and I forwarded things about his line of work. We added comments telling each other a little about ourselves, and promising that if either was passing the other, then beer would be involved.
So one day I turned up in the office in Brisbane, and announced to the receptionist "Andy A to see Andy A".
After a tour of the office, beer WAS involved.
My view would be that "Flash" is obviously green. I did email work in the accounting end of the entertainment industry( not adult entertainment, but entertainment by and for adults). The mix of a lot of money, perceived "power" and a whole lot of very attractive people in the office (excepting my IT crew) meant there was a lot of pelvis bumping happening both intra-office and with just about any other human with a heartbeat. As a result, and we seemed to get sued regularly, and fairly often. Other things like malfeasance and other bean counter foibles meant we did quite a bit of suing in our own right as well.
As a result, about every month I would get called into the Big Boss's office, our counsel would be in there, and the ominous words "Shut the door behind you" would begin the conversation....followed up with "We need every e-mail to, from or about so and so..."
Counsel specifically did NOT want me scanning for content...because, if we had to litigate, she much preferred for my testimony to be limited to how the evidence was obtained. We would hand off the data, unfiltered and completely to her e-Discovery team and THEY would do the snooping.
This was very workable all the way around. Initially in one of the the Big Boss did want to use the IT org to do the e-Discovery to save the money. Counsel shot that down that if we ended in court the other side would wrap me around the axle on methodologies I had used in the e-Discovery process. I then piled on with my ethical objections that counsel agreed with.
The conversation ended with big boss getting a mini lecture from counsel that my position of "Don't read things not intended for you" was proper and defensible, and that since I did not have the legal training to discern the difference between "Malfeasance" and "Just being a dick" I should stick to that policy,
Being single myself, I think I would have made a note of the people involved in my little black book for future possible dalliance (assuming that would align with your moral/ethical compass).
A bit of inside knowledge never went astray.
(Mines the one with the little black book in the pocket.)
I had two similar things happen, I used to release the quarantined emails on our IronPort's.
One morning an email was stuck for our State Sales Manager, we used to check why the message was quarantined as usually it was just the profanity filter, boy did I get a surprise when the embedded image of his wife came up, for a woman in her late 40's she was seriously hot.
I spoke to him quietly about it and mentioned it was best not to send personal emails using his work email, I could do this because I had a very good rapport with HR, CEO, CIO and CFO and they knew I don't muck around.
The next one was a few months later when one of the junior sales ladies sent an email to the same Manager detailing what they did the night before.
That one got deleted, however I sent a company wide email to all staff advising them as per policy, that whilst we did allow some personal use, we had been receiving emails lately that were not acceptable and as we do check quarantined emails to find out why they get stuck and as people tend to blurt everything out in the first lines of the email, that we really didn't need to know some of the things that we had found lately.
Suffice to say, I had no problems after that.
If you set yourself up as the kind of admin who redirects mail, you have to redirect it. There's nothing illegal going on, and flagging it up as a violation of company policy on computer use is obviously messy and unnecessarily complicated. The right answer is obviously to stop nannying your users and let their emails vanish into the void. Teach them how to look up email addresses and check their sent items and then just leave it the hell alone.
The implied moral quandary over being complicit in an affair between two adults is so absurdly puritanical, I can't help but wonder if the admin worked in some kind of hyper-zealous bible sales business.
Depending on company e-mail usage policy (which in any sensible organisation would specify that company resources are subject to possible scrutiny, and also dictate that communications should be within certain bounds - including, but not limited to obscenity, illegality, etc.) as a mail admin, people should assume that the mail admins have legitimate access to all incoming and outgoing mail anyway. The option I would go for is noticeably absent from the poll - a quiet word in the sender's ear to knock it off and/or take it out of the company system, because otherwise sooner or later they're going to get burnt. Now, if company policy DOESN'T expressly allow for scrutiny, then your boy has a problem, because no matter the intent, intercepting e-mail is a no-no, and without permission he shouldn't be doing it.
What puzzles me is how internal mail users could get the address wrong in the first place. Don't they use some kind of address book or company directory?
Couldn't it be argued that *all* data (email or otherwise) on their servers belongs to the company? For example, if your job title is programmer or developer and you write an app for the BBC (for example) the Beeb has the copyright to it and not you. I'm told what I can and can't do in my contract.
I think this is different for external and (genuine) internal e-mail. (I've had spam "from" my own address, presumably used because assumed to be whitelisted.)
External e-mail is likely to benefit the business, even if it's just social. it should be delivered as the sender intended.
Having reflected on the unwanted harassment question, internal e-mail should return to sender, with a covering message that looks like an automated response, but with a hint of doubt. If they want to correct it and send it again, that's up to them. If they're ashamed to, that may be for the best.
I quite often get e-mail intended for a colleague with the same forename, but it is almost never as much fun as the case described.
A user once made a formal complaint about me, claiming that I was spying on his e-mail.
"Of course I'm not spying on you", I said. "You're just not that interesting !"
[Cue sound of an ego going "POP! Pfffffffttttt !"]
When I worked in an office job (before e-mail was invented) (yes, I am retired now) I had an episode like that. We were clearing out a store room and I came across an old briefcase, which rattled, and was locked. Our orders were to throw such things out but I thought I should first find out what was inside. The three-wheel lock on the cheap briefcase was easy enough to fiddle in my lunch break (didn't even have to brute-force it by the numbers). Found discussion papers from a long-past interstate conference, and the used airline ticket of the one who attended the conference, and half a packet of condoms. So I closed it and left it in the boss's office. In that case the moral issue was moot, because the traveler was my boss. Never heard another word about it.