Out of Office AutoReply = Security Risk to Your Company.
John E. Malmberg
wb8tyw at qsl.net
Tue May 17 12:04:06 GMT 2005
Folks,
Convicted criminals have stated that they use these messages on phones
and probably now e-mail to steal from companies. They have stated that
the easiest way to steal from a company is to impersonate the identity
of someone known to be out of the office.
Some of these criminals have made the headlines of the traditional press
with these exploits because the thefts have been with very high amounts.
IIRC: On U.S. TV, a demonstration was done where the tester was able to
get the dialup phone numbers and a senior (VP level) employee's login
account and password reset, all the while the employee was trying
to demonstrate that their system was secure from skilled hackers on that
same TV show.
Secret prototypes have been stolen, along with confidential documents.
And the dollar amount has been in the high thousands, if not in the
million dollar range from just one of these criminals.
I strongly recommend just turning off the out-of-office feature completely.
In addition to the security problems, these messages will auto-respond
to forged addresses in spam and viruses, and this turns your mail server
into a participant in a denial of service attack on the rest of the
Internet.
Most corporate mail systems allow mail to be temporarily read by a
secondary trusted user. Use that method instead.
If you have any influence with the security policy of your company, get
these auto-responders banned, and the same for having any phone messages
that indicate how long your identity can be spoofed with no one at your
company being able to easily reach you.
Essentially these messages are now the same as not stopping your news
and mail delivery while on vacation.
And mailing list traffic is clearly marked as such in the headers, so any
auto-responder that responds to it is not compliant with RFC standards.
In addition to the messages to this list, I got two messages from broken
auto-responders from my last post.
-John
wb8tyw at qsl.network
Personal Opinion Only
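The header checks the post alludes to, as an added example that is not code from the post or the samba-vms project: an auto-responder guard that applies the RFC 3834 suppression rules (never answer anything carrying Auto-Submitted other than "no", a null reverse-path, or a MAILER-DAEMON/postmaster sender) plus the de facto Precedence and List-* conventions that mark bulk and mailing-list traffic, so the responder neither answers list posts nor turns forged spam and bounces into backscatter. The header names are real; the sample messages, addresses and the alternate-contact value are constructed for the demonstration.

```python
# Added example, not code from the original post or the samba-vms project.
# Implements the RFC 3834 auto-response suppression checks plus the de facto
# Precedence / List-* conventions. Sample messages below are constructed.
from email import message_from_string
from email.utils import parseaddr
from typing import Optional, Tuple

# Headers that identify mailing-list traffic (RFC 2369 / RFC 2919).
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "List-Help")
# Precedence values set by list managers and bulk mailers (convention, not RFC).
BULK_PRECEDENCE = {"bulk", "list", "junk"}


def autoreply_decision(raw: str) -> Tuple[bool, str]:
    """Return (allowed, reason); allowed is True only for ordinary
    person-to-person mail that an out-of-office reply may answer."""
    msg = message_from_string(raw)

    # RFC 3834 s.2: never answer a message already marked as automatic.
    # The value may carry parameters ("auto-replied; owner-token=..."), so
    # only the token before ';' matters.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return False, f"Auto-Submitted: {auto}"

    # A null reverse-path marks a bounce/DSN; answering it is backscatter.
    if (msg.get("Return-Path") or "").strip() == "<>":
        return False, "null envelope sender (bounce)"

    # Mail from the MTA itself is never a person who needs an absence notice.
    _, from_addr = parseaddr(msg.get("From") or "")
    local_part = from_addr.split("@")[0].lower()
    if local_part in ("mailer-daemon", "postmaster"):
        return False, f"system sender {from_addr}"

    precedence = (msg.get("Precedence") or "").strip().lower()
    if precedence in BULK_PRECEDENCE:
        return False, f"Precedence: {precedence}"

    for name in LIST_HEADERS:
        if msg.get(name):
            return False, f"mailing-list header {name}"

    # Exchange convention: "X-Auto-Response-Suppress: OOF, AutoReply, ..."
    suppress = {v.strip().lower()
                for v in (msg.get("X-Auto-Response-Suppress") or "").split(",")}
    if suppress & {"oof", "all"}:
        return False, "X-Auto-Response-Suppress"

    return True, "ordinary mail"


def build_autoreply(raw: str, alternate_contact: str) -> Optional[str]:
    """If a reply must be sent at all, mark it as automatic so other
    responders stop (RFC 3834 s.3), and give no dates or dial-in details
    that would tell a caller how long the mailbox owner is unreachable."""
    allowed, _ = autoreply_decision(raw)
    if not allowed:
        return None
    msg = message_from_string(raw)
    _, to_addr = parseaddr(msg.get("From") or "")
    return (
        f"To: {to_addr}\n"
        "Auto-Submitted: auto-replied\n"
        f"Subject: Re: {msg.get('Subject', '')}\n"
        "\n"
        "Your message has been received. For anything urgent, contact "
        f"{alternate_contact}.\n"
    )


# Constructed sample messages (hypothetical addresses).
COLLEAGUE = (
    "Return-Path: <alice@example.com>\n"
    "From: Alice <alice@example.com>\n"
    "To: bob@example.com\n"
    "Subject: lunch?\n\nFree at noon?\n"
)
LIST_POST = (
    "Return-Path: <list-bounces@lists.example.org>\n"
    "From: John <john@example.net>\n"
    "To: list@lists.example.org\n"
    "List-Id: <list.lists.example.org>\n"
    "Precedence: list\n"
    "Subject: [list] auto-replies\n\nbody\n"
)
BOUNCE = (
    "Return-Path: <>\n"
    "From: MAILER-DAEMON@example.org\n"
    "Subject: Undelivered Mail Returned to Sender\n\n...\n"
)
FORGED_SPAM = (
    "Return-Path: <forged@victim.example>\n"
    "From: forged@victim.example\n"
    "Precedence: bulk\n"
    "Subject: cheap watches\n\n...\n"
)
OTHER_VACATION = (
    "Return-Path: <carol@example.net>\n"
    "From: carol@example.net\n"
    "Auto-Submitted: auto-replied; owner-token=abc\n"
    "Subject: Out of office\n\n...\n"
)

if __name__ == "__main__":
    for name, sample in [("colleague", COLLEAGUE), ("list", LIST_POST),
                         ("bounce", BOUNCE), ("spam", FORGED_SPAM),
                         ("vacation", OTHER_VACATION)]:
        print(name, autoreply_decision(sample))
```

The order of the checks matters: the Auto-Submitted and null-reverse-path tests come first because they catch the loop and backscatter cases regardless of what else the message carries, and the Precedence and List-* tests cover the list traffic the post complains about. None of this detects a forged From address on a spam message, which is why the post's recommendation is to disable the feature rather than filter it.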
More information about the samba-vms mailing list