Out of Office AutoReply = Security Risk to Your Company.

David J Dachtera djesys at comcast.net
Wed May 18 00:38:19 GMT 2005


I sincerely doubt that anyone could convince a corporate entity to disable
any feature of their beloved LookOut! - not the Out of Office wizard, not
the preview pane (portal for many mail-borne viruses/worms/trojans), not
HTML e-mail (malicious payload enabler), ...

D.J.D.

At 08:04 AM 05/17/2005 -0400, John E. Malmberg wrote:
>Folks,
>
>Convicted criminals have stated that they use these messages on phones 
>and probably now e-mail to steal from companies.  They have stated that 
>the easiest way to steal from a company is to impersonate the identity 
>of someone known to be out of the office.
>
>Some of these criminals have made the headlines of the traditional press 
>with these exploits because the thefts have been with very high amounts.
>
>IIRC: On U.S. TV, a demonstration was done where the tester was able to 
>get the dialup phone numbers and a senior (VP level) employee's login 
>account and password reset, all the while that the employee was trying 
>to demonstrate that their system was secure from skilled hackers on that 
>same TV show.
>
>Secret prototypes have been stolen, along with confidential documents.
>And the dollar amount has been in the high thousands, if not in the 
>million dollar range from just one of these criminals.
>
>I strongly recommend just turning off the out-of-office feature completely.
>
>In addition to the security problems, these messages will auto-respond 
>to forged addresses in spam and viruses, and this turns your mail server 
>into a participant in a denial of service attack on the rest of the 
>Internet.
>
>Most corporate mail systems allow mail to be temporarily read by a 
>secondary trusted user.  Use that method instead.
>
>If you have any influence with the security policy of your company, get 
>these auto-responders banned, and the same for having any phone messages 
>that indicate how long your identity can be spoofed with no one at your 
>company being able to easily reach you.
>
>Essentially these messages are now the same as not stopping your news 
>and mail delivery while on vacation.
>
>And mailing list traffic is clearly marked so in the headers, so any 
>auto-responder that responds to them is not compliant with RFC standards.
>
>In addition to the messages to this list, I got two messages from broken 
>auto-responders from my last post.
>
>-John
>wb8tyw at qsl.network
>Personal Opinion Only
>
>PLEASE READ THIS IMPORTANT ETIQUETTE MESSAGE BEFORE POSTING:
>
>http://www.catb.org/~esr/faqs/smart-questions.html
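The quoted post makes two technical points: list traffic is marked in its headers, so a standards-compliant auto-responder must not answer it, and answering forged senders turns the mail server into a backscatter source. The Python below is an added example written for this page, not code from either poster or from any mail product. It assumes messages arrive as raw RFC 5322 text and checks the standard markers (the Auto-Submitted header from RFC 3834, the List-* headers from RFC 2919/2369, the Precedence: bulk/list/junk convention, and the null Return-Path used by bounces), then adds a per-sender rate limit so a flood of forged-sender spam can trigger at most one reply per sender per window. The sample messages are constructed for the demo.

```python
"""Decide whether an out-of-office reply may be sent for an incoming message.

Added example (not from the mailing-list thread). Assumes raw RFC 5322 text
as input; sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Header markers that identify machine-generated or mailing-list traffic.
BULK_PRECEDENCE = {"bulk", "list", "junk"}
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post", "List-Help")


def classify(raw: str):
    """Return (allowed, reason) for one message given as raw text."""
    msg = message_from_string(raw)
    # RFC 3834: an automatic response must never answer mail that is itself
    # automatic. Any value other than "no" (auto-generated, auto-replied, ...)
    # means a machine produced the message; optional parameters follow ";".
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return False, f"Auto-Submitted: {auto}"
    # A null reverse path (<>) marks bounces and DSNs; a missing one means the
    # delivery agent gave us no address to answer. Treat both conservatively.
    rp = (msg.get("Return-Path") or "").strip()
    if rp in ("", "<>"):
        return False, "null or missing Return-Path"
    # Precedence: bulk/list/junk is the long-standing convention for mass mail.
    prec = (msg.get("Precedence") or "").strip().lower()
    if prec in BULK_PRECEDENCE:
        return False, f"Precedence: {prec}"
    # RFC 2919 List-Id and RFC 2369 List-* headers mark mailing-list traffic.
    for h in LIST_HEADERS:
        if msg.get(h) is not None:
            return False, f"list traffic ({h} present)"
    return True, "personal message"


class AutoResponder:
    """Rate-limited decision layer on top of classify().

    At most one reply per sender address per window, so a burst of spam with
    a forged sender cannot make this host flood the forged victim.
    """

    def __init__(self, window_seconds: float = 7 * 24 * 3600):
        self.window = window_seconds
        self._last_reply = {}  # sender address -> timestamp of last reply

    def decide(self, raw: str, now: float):
        allowed, reason = classify(raw)
        if not allowed:
            return False, reason
        msg = message_from_string(raw)
        # Reply to the envelope sender, not the (easily forged) From header.
        sender = parseaddr(msg.get("Return-Path") or "")[1].lower()
        last = self._last_reply.get(sender)
        if last is not None and now - last < self.window:
            return False, f"already replied to {sender} within window"
        self._last_reply[sender] = now
        return True, f"reply to {sender}"


# Constructed sample messages for the demo.
LIST_POST = """\
Return-Path: <example-list-bounces@example.org>
From: Someone <someone@example.org>
To: example-list@example.org
List-Id: <example-list.example.org>
Precedence: list
Subject: a list post

body
"""

BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@example.net>
Auto-Submitted: auto-replied
Subject: Undelivered Mail Returned to Sender

body
"""

PERSONAL = """\
Return-Path: <alice@example.com>
From: Alice <alice@example.com>
To: bob@example.com
Subject: Meeting tomorrow

body
"""

if __name__ == "__main__":
    r = AutoResponder(window_seconds=3600)
    for name, raw in (("list", LIST_POST), ("bounce", BOUNCE), ("personal", PERSONAL)):
        print(name, classify(raw))
    print("first personal:", r.decide(PERSONAL, 1000.0))
    print("repeat personal:", r.decide(PERSONAL, 1500.0))
```

The envelope sender (Return-Path) is used as the rate-limit key rather than the From header, because From is what a forger controls; the same choice is why a null Return-Path is refused outright. A real deployment would persist `_last_reply` across restarts and, as the quoted post advises, would more often simply not auto-reply at all.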



More information about the samba-vms mailing list