[Dshield] Exchange Open Relay

Stef stefmit at gmail.com
Sun Mar 5 17:14:53 GMT 2006

On 3/4/06, Abuse <abuse at what4now.com> wrote:
> ** Reply to message from "David Taylor" <ltr at isc.upenn.edu> on Sat, 4 Mar 2006
> 15:18:10 -0500
> > Out-of-office should only be used internally within a company.  If you
> > can not guarantee to not spam anyone using out-of-office then do not use it
> > to
> > external sources.  If you can not guarantee to not send an out-of-office
> > message to a mailing list then do not use it to external sources.


> Right!  That is why I think that spamcop is correct in listing spam sent via
> out-of-office messages.  Also why I think out-of-office messages should only be
> used internally within a company.

... just to add a little to the fact that I already agree with the
above is that I would choose a somehow non-traditional approach toward
this: if not able to discuss the logic of such, especially with the
Sales Force ("we could loose customers if we do not allow OoO ...
bla,bla ..."), I would enable temporarily the OoO replies, and then I
would write a script to use all known email addresses in the company,
then log the OoO replies. I would take all such and demo to the
Executive level how one could use the info that people carelessly
leave in their OoO ("in my absence call or email <this person>, who is
supposed to follow-up in my absence"), and how I would be able to
place fake orders, as known and trusted customers (not difficult to
figure them out), of even high financial magnitude, by approaching the
people *left in charge*. Of course I would emphasize the fact that -
as a competitor - I would be very much interested in launching a
S(ales)DoS as such ... 'nough said

DISCLAIMER: my company has highly trained, extremely understanding
Sales people, especially toward the requirements of IT - so none of
what I described above would be needed to allow our security group to
limit various aspects of what modern technology provides, including,
but not limited to OoO ;>

My $0.02,

More information about the list mailing list