Out of Office AutoReply = Security Risk to Your Company.

John E. Malmberg wb8tyw at qsl.net
Tue May 17 12:04:06 GMT 2005


Folks,

Convicted criminals have stated that they use these messages on phones 
and probably now e-mail to steal from companies.  They have stated that 
the easiest way to steal from a company is to impersonate the identity 
of someone known to be out of the office.

Some of these criminals have made the headlines of the traditional press 
with these exploits because the thefts have been with very high amounts.

IIRC: On U.S. TV, a demonstration was done where the tester was able to 
get the dialup phone numbers and a senior (VP level) employee's login 
account and password reset, all the while that the employee was trying 
to demonstrate that their system was secure from skilled hackers on that 
same TV show.

Secret prototypes have been stolen, along with confidential documents.
And the dollar amount has been in the high thousands, if not in the 
million dollar range from just one of these criminals.

I strongly recommend just turning off the out-of-office feature completely.

In addition to the security problems, these messages will auto-respond 
to forged addresses in spam and viruses, and this turns your mail server 
into a participant in a denial of service attack on the rest of the 
Internet.

Most corporate mail systems allow mail to be temporarily read by a 
secondary trusted user.  Use that method instead.

If you have any influence with the security policy of your company, get 
these auto-responders banned, and the same for having any phone messages 
that indicate how long your identity can be spoofed with no one at your 
company being able to easily reach you.

Essentially these messages are now the same as not stopping your news 
and mail delivery while on vacation.

And mailing list traffic is clearly marked so in the headers, so any 
auto-responder that responds to them is not compliant with RFC standards.

In addition to the messages to this list, I got two messages from broken 
auto-responders from my last post.

-John
wb8tyw at qsl.network
Personal Opinion Only
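The post's two technical points, that auto-responders reply to forged sender addresses and so generate backscatter, and that list traffic is marked in its headers so a responder that answers it is not RFC-compliant, are both handled by the suppression rules of RFC 3834 (Automatic Responses to Electronic Mail). The following is an added illustration written for this page, not code from the original post or from any mail system: a filter that applies those rules before an out-of-office reply is sent, plus a reply builder that follows the post's advice by naming a delegate instead of announcing how long the mailbox is unattended. The addresses and sample messages are constructed for the demonstration.

```python
"""Out-of-office suppression check and minimal reply, per RFC 3834.

Added example for this page; not part of the original post or any mailer.
Rules applied before answering:
  * Auto-Submitted other than "no"      -> automatic mail, never answer it
  * Precedence: bulk / list / junk      -> list or mass mail
  * RFC 2369/2919 List-* headers        -> mailing list traffic
  * Return-Path: <>                     -> bounce/DSN; answering loops or backscatters
  * mailbox owner not in To/Cc          -> not addressed to us directly
"""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

BULK_PRECEDENCE = {"bulk", "list", "junk"}
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post", "List-Help")


def should_autoreply(msg: Message, my_address: str) -> tuple[bool, str]:
    """Return (allowed, reason). False means stay silent."""
    # RFC 3834 sec 2: anything except "Auto-Submitted: no" is automatic mail.
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    if auto != "no":
        return False, f"Auto-Submitted: {auto}"

    # Precedence bulk/list/junk marks mass and list mail.
    prec = (msg.get("Precedence") or "").strip().lower()
    if prec in BULK_PRECEDENCE:
        return False, f"Precedence: {prec}"

    # Mailing list headers (RFC 2369 / RFC 2919).
    for header in LIST_HEADERS:
        if msg.get(header):
            return False, f"list header {header} present"

    # A null reverse path identifies a bounce or other DSN.
    if (msg.get("Return-Path") or "").strip() == "<>":
        return False, "null Return-Path (<>)"

    # RFC 3834 sec 2: respond only when our own address is an explicit recipient.
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if my_address.lower() not in {addr.lower() for _, addr in pairs}:
        return False, "mailbox owner not an explicit To/Cc recipient"

    return True, "direct personal message"


def build_reply(original: Message, my_address: str, delegate: str) -> Message:
    """Compose a reply that names a delegate but discloses no absence window."""
    reply = Message()
    reply["From"] = my_address
    # RFC 3834 sec 4: respond to the reverse path, not the From header.
    reply["To"] = (original.get("Return-Path") or original["From"]).strip("<> ")
    reply["Subject"] = "Re: " + (original.get("Subject") or "")
    reply["Auto-Submitted"] = "auto-replied"   # RFC 3834 sec 5: mark our own response
    reply["Precedence"] = "bulk"
    if original.get("Message-ID"):
        reply["In-Reply-To"] = original["Message-ID"]
    # Deliberately no dates or duration: the post's point is that announcing
    # the absence window tells an impersonator how long the window stays open.
    reply.set_payload(
        "I am not reading this mailbox at the moment. "
        f"For anything urgent, please contact {delegate}.\n"
    )
    return reply


# Constructed sample messages (hypothetical addresses).
OWNER = "owner@example.com"

SAMPLE_LIST = """From: poster@example.org
To: samba-vms@lists.example.org
Return-Path: <samba-vms-bounces@lists.example.org>
List-Id: Samba on VMS <samba-vms.lists.example.org>
Precedence: list
Subject: [samba-vms] list post

hello list
"""

SAMPLE_BOUNCE = """From: MAILER-DAEMON@example.net
To: owner@example.com
Return-Path: <>
Subject: Undelivered Mail Returned to Sender

delivery failed
"""

SAMPLE_DIRECT = """From: colleague@example.org
To: Owner <owner@example.com>
Return-Path: <colleague@example.org>
Message-ID: <abc123@example.org>
Subject: quick question

are you around?
"""


def demo() -> dict[str, tuple[bool, str]]:
    """Run the filter over the constructed samples and return the verdicts."""
    return {
        name: should_autoreply(message_from_string(raw), OWNER)
        for name, raw in (("list", SAMPLE_LIST), ("bounce", SAMPLE_BOUNCE),
                          ("direct", SAMPLE_DIRECT))
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:7s} -> {verdict}")
    print(build_reply(message_from_string(SAMPLE_DIRECT), OWNER, "deputy@example.com"))
```

Only the direct message passes, and the reply it earns carries `Auto-Submitted: auto-replied` so that other responders will in turn ignore it. What the filter cannot do is distinguish a forged `From` from a genuine one, which is exactly why the post recommends disabling the feature and delegating the mailbox instead; the reply body above is the fallback when that is not an option.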


