OoO notices, was Re: [Dshield] Re: security.scan.sec.rr.com

John Groseclose iain at caradoc.org
Sat Jun 21 04:58:07 GMT 2003


At 9:59 PM -0500 6/20/03, Ed Truitt wrote:
>On Fri, 2003-06-20 at 12:42, John Groseclose wrote:
>[snip]
>>  On another topic, can we get the people who set their "Out-of-Office"
>>  notifications to reply to list postings booted? It's rather annoying to be
>>  getting "Out-Of-Office" notices for each post to the list.
>[snip]
>While it would be a nice idea, the email admins at some of our employers
>(mine is one such) have configured Out of Office to reply once to each
>sender - regardless of whether it is internal or external, individual or
>list.  And, we can't change the settings.  In my employer's case, it was
>done for the convenience of said email admin team.
>
>Needless to say, I have NEVER used the OoO feature of my corporate email
>system, and I don't subscribe to DShield from that email, to prevent
>such boorish behavior on my behalf from occurring.

Hmmm. In some offices, sending an Out-of-Office notice to a non-local 
address is a violation of their security guidelines (I currently work 
in one such office.)

In a largish organization, an Out-of-Office sent to the wrong person 
is an open invitation to social engineering.

If, for example, I were to do a bit of research on those people 
who've been sending me Out-of-Office notices, I would probably find 
it fairly easy to convince someone at any of their respective 
organizations to give me more information than I should be allowed, 
or possibly even to change a password for me ("Hi! This is 
$OUT-OF-TOWN-EMPLOYEE. I'm out of town, and I can't seem to get my 
e-mail to work... Can you fix that for me? Oh, certainly, 
$NAME-OF-SECONDARY-CONTACT can vouch for me.")

Not only am I receiving messages that tell me certain persons are 
Out-of-Office, but they even provide the names and phone numbers of 
their backups to anyone who sends them e-mail. Dumb. Very dumb.

Were it up to me, anyone who claims to be an "e-mail admin" and sets 
up such a system should be strung up by his or her thumbs and stroked 
generously with a knout.
-- 
John Groseclose
iain at caradoc.org
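
The policy discussed in this thread (no Out-of-Office notices to list postings or to non-local addresses) can be enforced at the mail gateway. The sketch below is an added example, not part of the original post or of any product's code. The function name, the `example.com` local domain and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains

def auto_reply_decision(raw_message, local_domains=LOCAL_DOMAINS):
    """Return (send_reply, reason) for one inbound message."""
    msg = message_from_string(raw_message)
    # Mailing-list traffic: List-* headers (RFC 2919 / RFC 2369) or Precedence.
    if any(msg.get(h) for h in ("List-Id", "List-Post", "List-Unsubscribe")):
        return False, "list"
    if msg.get("Precedence", "").strip().lower() in {"list", "bulk", "junk"}:
        return False, "list"
    # RFC 3834: do not answer mail that was itself generated automatically.
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto != "no" or msg.get("Return-Path", "").strip() == "<>":
        return False, "automated"
    # Non-local sender: the notice would leak absence and backup contacts.
    # The From header is forgeable; a real deployment would check the
    # envelope sender or an authenticated identity at the gateway.
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() not in local_domains:
        return False, "external"
    return True, "internal"

# Constructed sample messages (not taken from the list archive).
SAMPLES = {
    "list_post": "From: poster@lists.example.org\nList-Id: <list.lists.example.org>\n"
                 "Precedence: list\nSubject: scan traffic\n\nbody\n",
    "outside_direct": "From: stranger@elsewhere.example\nSubject: hello\n\nbody\n",
    "colleague": "From: Colleague <colleague@example.com>\nSubject: lunch\n\nbody\n",
    "other_ooo": "From: peer@example.com\nAuto-Submitted: auto-replied\n"
                 "Subject: Out of Office\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, auto_reply_decision(raw))
```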



