Forward Email Without Sender Knowing


I have a major problem, I believe one of my employees is sending our proprietary information to his business partner. I also believe that he is sending it with our company email.

My question is, is there a way to automatically forward all of his emails that he sends out to my partner’s email or my email without him knowing? Since all the applications that he uses is the property of the company we did a quick audit of his email, and found nothing due to him clearing it out every time he sends an email out.

Can anyone help?


There is probably “a way” to do almost anything if you are willing to jump through enough hoops, but given the ready availability of email accounts, I think “automatically” getting a “copy” of every email he sends “forwarded” to you is likely to be problematic. :wink:

There are several things you can try, including a general purpose keylogger, but whether you can do this “without him knowing” is questionable, and depends greatly upon his, and your, technical expertise.

To beg the obvious question: if you cannot trust this employee with information to which he has access, why do you continue to allow him to have access to sensitive information?

To my thinking, having worked in corporate security environments most of my adult life, I think I’d attempt to deal with this problem another way - and consider consulting a labor/intellectual property/trade secrets attorney before proceeding any further. :wink:

I realize that may not be the question, or suggestion, you are hoping to hear, but it is the best I can offer in good conscience.



Spoke with an IP attorney, they want to build a case against him with evidence… Key loggers can easily be found… need something secure.


The only thing I can think of is that you may be able to do it somehow using the rules in Microsoft Outlook (if he’s using that to send the emails out). Not sure if they have a rule for it but it may be possible to setup a rule so that everytime an email is sent out you get bcced on it.

$50 Discount 1LUCID50 Sign up now


They generally do (want to build a case with evidence). The questions I would ask, from a business decision perspective, are along the lines of:

  1. A criminal or civil case?

  2. Are there assets that you can reasonably expect to recover that exceed a) the cost of the investigation, b) any potential additional damage to the company while the investigation is being conducted, and c) sufficient to defray to legal expenses associated with either criminal or civil prosecution?

  3. How disruptive would it be to your ongoing primary business to allow this situation to continue throughout an investigative period to gather evidence?

  4. What reasonably expected outcome of such an investigation would be required for it to make business sense to build a case rather than to eliminate the problem and get back to your primary business.

  5. Or is it “personal”, and you really want to see “justice done” whether or not it makes business sense?

What is your budget?

Do you, or trusted associates, control the corporate computers via a LAN or other networking strategy?

Are your corporate information security practices sufficiently robust to prevent this employee from disseminating information using his own equipment,possibly from outside the workplace; can the employee remove sensitive data from the workplace?



I suggest you to try EmailObserver. You can find the information and download link for trial-version of this program here. With a help of this program you’ll be able to forward all the emails sent by your employee to the specified email address.


After having talked to an attorney about the sticky issues involved with this, the technical stuff is not that hard.

Capture all traffic to- and from his workstation using either the capabilities of your router, or by injecting a device for that particular purpose into the network (it’s not too hard to do that with a bridging Linux host, for instance). If said employee uses unencrypted SMTP sessions (and (un)fortunately, most people do), you can just read the cleartext of whatever leaves his workstation. Hardware required : none (if your router already supports this kind of stuff) or a linux box with 2 nics and a bridging interface set up.

If the SMTP connections are encrypted and you control the mailserver on the other end, just have the mailserver hold on to mails being sent for longer than is strictly necessary. (In some countries, this has strong legal implications that can land you in jail, so again, TALK TO YOUR ATTORNEY). If your email host is dreamhost, you do not have full control over your mailserver, and you won’t be able to easily do this kind of thing. In all other cases it’s technically feasible (and the amount of work needed to do it depends on what MTA you use).

If the SMTP connections are encrypted and you do not control your mailserver, you are out of luck. Try a rootkit, but your employee will eventually catch on to that sort of stuff.

Keyloggers do not have to be in software. Most people will not check for a little blob in their keyboard cable before using their computers. If you use wireless keyboards, talk to a local hacker about how to capture those signals. If you can tamper with the hardware without your employee knowing and you have a bit of a budget, you can also install a PCI card to log activity.

If your email client is an open-source one (such as thunderbird) and regular upgrades are expected and nothing out of the ordinary, you could just compile your own Thunderbird with some nifty added internal functionality that’ll make sure you get a copy.

What do you mean by “finding nothing due to him clearing itout every time he sends an email out” ? Have you done some forensic analysis on the harddrive ? It’s entirely possibly that those “delete” files still reside on the disk but are just inaccessible from the filesystem. Decent computer forensics people cost some money to hire though, and doing this convertly would be a cloak-and-dagger operation.

Whether or not any of this will lead to (admissible) evidence is in the stars, and also influenced by the savvy your rogue employee displays. Any and all of these measures can be thwarted with due diligence. Fortunately for you, most people don’t even know what they’d need to thwart, so there is a decent chance you’ll be successful if your target isn’t a prototypical hacker.

If you are sure this is worth the work you are putting into it (seeing as you might well be in an at-will employment state and can just fire the guy without giving a reason), good luck.