In late December, 2010, a single e-mail allegedly written by Gregory D. Evans was leaked to pastebin. The mail outlined new company policies that were draconian and ridiculous. Because the e-mail could not be verified as authentic, attrition.org did not originally publish it. With the leak of his entire e-mail spool recently, we see that the mail is included in it and very likely came from Evans.
Received: (qmail 14155 invoked from network); 9 Dec 2010 04:13:14 -0000 Received: from unknown (HELO p3pismtp01-009.prod.phx3.secureserver.net) ([10.6.12.9]) (envelope-sender <SRS1=bounce.secureserver.net=T+v7=TI=ligatt.com=gregoryevans@bounce.secureserver.net>) by p3plsmtp04-03.prod.phx3.secureserver.net (qmail-1.03) with SMTP for <pfalu@ligatt.com>; 9 Dec 2010 04:13:14 -0000 X-IronPort-Anti-Spam-Result: As4BAJLm/0xIp9qikWdsb2JhbACjaRYBAQEJCwoHEQMmwDICgnSCUwSEYoYPgy4 Received: from p3plsmtp04-04.prod.phx3.secureserver.net ([72.167.218.162]) by p3pismtp01-009.prod.phx3.secureserver.net with ESMTP; 08 Dec 2010 21:13:14 -0700 Received: (qmail 20957 invoked by uid 1000); 9 Dec 2010 04:13:14 -0000 Delivered-To: yourteam@ligatt.com Precedence: bulk Received: (qmail 20954 invoked from network); 9 Dec 2010 04:13:14 -0000 Received: from unknown (HELO p3pismtp01-016.prod.phx3.secureserver.net) ([10.6.12.16]) (envelope-sender <SRS1=bounce.secureserver.net=T+v7=TI=ligatt.com=gregoryevans@bounce.secureserver.net>) by p3plsmtp04-04.prod.phx3.secureserver.net (qmail-1.03) with SMTP for <yourteam@ligatt.com>; 9 Dec 2010 04:13:14 -0000 X-IronPort-Anti-Spam-Result: As4BAKLl/0xIp9qikWdsb2JhbACjaRYBAQEJCwoHEQMmwDoCgnSCUwSEYoYPgy4 Received: from p3plsmtp04-04.prod.phx3.secureserver.net ([72.167.218.162]) by p3pismtp01-016.prod.phx3.secureserver.net with ESMTP; 08 Dec 2010 21:13:15 -0700 Received: (qmail 20939 invoked by uid 1000); 9 Dec 2010 04:13:14 -0000 Delivered-To: xxxx@ligatt.com Received: (qmail 20927 invoked from network); 9 Dec 2010 04:13:14 -0000 Received: from unknown (HELO p3pismtp01-013.prod.phx3.secureserver.net) ([10.6.12.13]) (envelope-sender <SRS0=T+v7=TI=ligatt.com=gregoryevans@bounce.secureserver.net>) by p3plsmtp04-04.prod.phx3.secureserver.net (qmail-1.03) with SMTP for <xxxx@ligatt.com>; 9 Dec 2010 04:13:14 -0000 X-IronPort-Anti-Spam-Result: As4BACrl/0xIp9qhkWdsb2JhbACjaRYBAQEJCwoHEQMmwD0CgnSCUwSEYoYPgy4 Received: from p3plsmtp04-03.prod.phx3.secureserver.net ([72.167.218.161]) by p3pismtp01-013.prod.phx3.secureserver.net with ESMTP; 08 Dec 2010 21:13:14 -0700 Received: (qmail 14119 invoked by uid 1000); 9 Dec 2010 04:13:14 -0000 Delivered-To: companywide@ligatt.com Precedence: bulk Received: (qmail 14117 invoked from network); 9 Dec 2010 04:13:14 -0000 Received: from unknown (HELO m1pismtp01-013.prod.mesa1.secureserver.net) ([10.8.12.13]) (envelope-sender <gregoryevans@ligatt.com>) by p3plsmtp04-03.prod.phx3.secureserver.net (qmail-1.03) with SMTP for <companywide@ligatt.com>; 9 Dec 2010 04:13:14 -0000 X-IronPort-Anti-Spam-Result: AiQCAIfj/0xAyqUki2dsb2JhbACjfwEBCgsKBw8FJsA9AoJ0glMEhGKGD4Mu Received: from smtpauth20.prod.mesa1.secureserver.net ([64.202.165.36]) by m1pismtp01-013.prod.mesa1.secureserver.net with SMTP; 08 Dec 2010 21:13:14 -0700 Received: (qmail 11198 invoked from network); 9 Dec 2010 04:13:14 -0000 Received: from unknown (69.94.218.141) by smtpauth20.prod.mesa1.secureserver.net (64.202.165.36) with ESMTP; 09 Dec 2010 04:13:14 -0000 From: Gregory Evans <gregoryevans@ligatt.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Subject: New Company Rules In Affect Starting December 8 , 2010 Date: Wed, 8 Dec 2010 23:13:13 -0500 Message-Id: <4BD408C2-E831-41D0-83E7-F604086BAEDF@ligatt.com> To: companywide <companywide@ligatt.com>, yourteam <yourteam@ligatt.com> Mime-Version: 1.0 (Apple Message framework v1081) X-Mailer: Apple Mail (2.1081) X-Nonspam: IP whitelist 64.202.165.36 1. As of January 1, 2011 there will be no more medical or dental benefits for any employee who has been with LIGATT less than 2 years. If you are already getting benefit your benefits will be cut off January 1, 2001. 2. Any employee who is found opening the door for any employee with a door code between 8:45am and 9:20am will be fired. 3. Any employee who comes in the office 1 minute late more than 2 times in 1 week will be fired. 4. Any employee who does not meet their deadline or quota will be fired. 5. There will be no more pets allowed in the office beside LIGATT. 6. All pay checks will be handed out at 5:45pm on payday. 7. There will be know pay raises for at least the next 6 months. 8. All employees will work on Christmas Eve as well as New Years Eve. 9. There are no more vacation days for any employee who have been with LIGATT less than 2 years.
On February 1, 2011, Evans mentioned this mail in a video blog titled "Gregory Evans talking to his haters Part 1". At the 2m50s mark, Evans claims he was on an airplane to California at the time the e-mail was sent. He further claims that "every e-mail that I sent out, has my signature on the bottom of the e-mail. doesn't matter if it's to employees or whoever. my signature is not on there, whatsoever."
In reality, most of his e-mails do have the "Have a Blessed Day" signature with his contact information as he described, but not all of them. After the leak of his entire e-mail spool allowed further analysis of his mails, we see that mail sent from his iPhone or iPad do not have the signature. In addition, some mail sent from his Mac (using Apple Mail 2.1081) lack the signature as well. This effectively shoots down his claim that since the mail did not have his signature, it wasn't sent by him.
Further, the "New Company Rules" mail comes from the IP address 69.94.218.141 (DirecPath, a residential ISP in Atlanta, GA). Looking at his mail spool shortly after December 9, we see another mail sent to the company a week later that also comes from his Mac and has no signature:
Received: (qmail 16008 invoked from network); 16 Dec 2010 14:11:05 -0000 Received: from unknown (HELO m1pismtp01-008.prod.mesa1.secureserver.net) ([10.8.12.8]) (envelope-sender <SRS0=RIAr=TP=ligatt.com=gregoryevans@bounce.secureserver.net>) by p3plsmtp04-01.prod.phx3.secureserver.net (qmail-1.03) with SMTP for <gregoryevans@ligatt.com>; 16 Dec 2010 14:11:05 -0000 X-IronPort-Anti-Spam-Result: AqgBAKaqCU1Ip9qfkWdsb2JhbACkNhUBAQEBCQsKBxEDIcFNhUoEhGWGGIMx Received: from p3plsmtp04-01.prod.phx3.secureserver.net ([72.167.218.159]) by m1pismtp01-008.prod.mesa1.secureserver.net with ESMTP; 16 Dec 2010 07:11:05 -0700 Received: (qmail 15957 invoked by uid 1000); 16 Dec 2010 14:11:04 -0000 Delivered-To: yourteam@ligatt.com Precedence: bulk Received: (qmail 15951 invoked from network); 16 Dec 2010 14:11:04 -0000 Received: from unknown (HELO p3pismtp01-027.prod.phx3.secureserver.net) ([10.6.12.32]) (envelope-sender <gregoryevans@ligatt.com>) by p3plsmtp04-01.prod.phx3.secureserver.net (qmail-1.03) with SMTP for <yourteam@ligatt.com>; 16 Dec 2010 14:11:04 -0000 X-IronPort-Anti-Spam-Result: AocBAPOpCU1Ip1JSkWdsb2JhbACkSwEBAQEJCwoHEQMhwU+FSgSEZYYYgzE Received: from p3plsmtpa01-02.prod.phx3.secureserver.net ([72.167.82.82]) by p3pismtp01-027.prod.phx3.secureserver.net with SMTP; 16 Dec 2010 07:11:04 -0700 Received: (qmail 28885 invoked from network); 16 Dec 2010 14:11:04 -0000 Received: from unknown (69.94.218.141) by p3plsmtpa01-02.prod.phx3.secureserver.net (72.167.82.82) with ESMTP; 16 Dec 2010 14:11:04 -0000 From: Gregory Evans <gregoryevans@ligatt.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Subject: stats Date: Thu, 16 Dec 2010 09:11:03 -0500 Message-Id: <F85062CF-D5AB-43E6-B113-A580BA36F139@ligatt.com> To: Melanie Banks <pr@ligatt.com>, LIGATT Sales <sales@ligatt.com>, accounting@ligatt.com, "yourteam@ligatt.com Support" <yourteam@ligatt.com> Mime-Version: 1.0 (Apple Message framework v1081) X-Mailer: Apple Mail (2.1081) X-Nonspam: IP whitelist 72.167.82.82 Status: O Content-Length: 597 Lines: 29 Starting this Monday everyone must bring stats to the company meeting. This includes PR 1. All google analytics from Google on hackergearonline.com, gregorydevans.com, ligatt.com, spoofem,amihackerproof.com and nationalcybersecurity.com. I need to see the stats on the number of people who came to the sites on the day we did a press release. IT 1. Apple aps stats on all of our apps. That includes all downloads. 2. Firewall stats on all of our servers including the godaddy servers. Accounting: 1. P&L Report Sales: 1. All Plimus 2. All D&H 3. All Microcenter
With this new evidence, we are relatively certain that Gregory Evans did send the mail, enacting draconian policies on his employees.