[Dshield] Exchange Open Relay

Deb Hale haled at pionet.net
Mon Mar 6 12:46:10 GMT 2006


David and all - I want to give some food for thought on this subject.  

I don't like and don't use out of office messages and discourage the use of
them.  Here is just one of the reasons why.  Real life story.  Names
withheld to protect me. :)

Several years ago I worked for a large corporation in data processing.  Our
control center was located in another state, so when a password was
forgotten or ...  We had to call to XYZ to get the password reset.  I was
the one responsible for this part of the process for our location.  I went
on vacation and put an OoO that indicated that I was out of the office and I
would be unavailable. Gave the phone number and name of the person taking my
place, and also gave the phone number of the support center.  Well when I
got back I found out that someone had attempted to call the support center
to get my password changed, luckily the person at the support center knew I
was gone.  I also found out that at this same time they tried to get the
manager's password changed and were successful.  I realized then that I had
given way too much information to the bad guy.

Another for instance, a friend of mine nearly lost his job because of a
social engineering incident that happened to him.  Someone knowing that he
was not in the office, called and pretended to be him and told them he had
forgotten his password. The password was reset, his userid was logged onto
and changes were made in some reports.  When it was discovered that the data
had been changed about 2 weeks later and an audit was done they discovered
that "he" had changed the data.  He was about to be fired when he finally
was able to convince them to look at the OoO calendar.  They through
investigation found out who it was that had done it, when questioned about
the incident, the "bad" guy stated that he knew my friend was out and he
wanted to use that opportunity to get "even" with him for something that had
happened a few weeks earlier.  

OoO messages make it easier for the social engineers to know they have an
opportunity.  Now I know that some of you will probably say that this only
happens when the security is weak.  You are right, but how many REALLY have
strong security policies?

Just my thoughts.

Deb  

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of David Taylor
Sent: Sunday, March 05, 2006 12:16 PM
To: 'General DShield Discussion List'
Subject: Re: [Dshield] Exchange Open Relay


> I do not understand why you would object to someone monitoring your email
> while you are on vacation.  So what good does it do to have a customer get
> an out-of-office message when they want to do business with your company
> while you are on vacation?

There are a lot of reasons I don't want someone to monitor my email for me
while on vacation.  Privacy is one (which is a big thing at a lot of
universities). The good that an out of office message does for one of my customers
is letting them know that I am not in the office. "I will read your email
when I get back.  If this is urgent please contact blah at blah". It is too bad
that people use OoO to send spam but I don't think that this should label
all OoO as spam.  

As far as SPAM goes I think it was originally supposed to mean bulk
unsolicited messages.  It seems the definition has changed a bit in recent
years. Maybe there should be a new term used to describe unsolicited
bounces/OoO. With all the email I get in my inbox from being in a University
security office I rarely get OoO messages.  Maybe I just don't see it as
being a big problem.

http://en.wikipedia.org/wiki/Spam_%28electronic%29
"Spamming is the abuse of any electronic communications medium to send
unsolicited messages in bulk."

==================================================
David Taylor //Sr. Information Security Specialist University of
Pennsylvania Information Security Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
================================================== 

SANS - The Twenty Most Critical Internet Security Vulnerabilities
http://www.sans.org/top20/

SANS - Internet Storm Center
http://isc.sans.org

irc.freenode.net #dshield
http://freenode.net/



-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Abuse
Sent: Saturday, March 04, 2006 9:45 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Exchange Open Relay


** Reply to message from "David Taylor" <ltr at isc.upenn.edu> on Sat, 4 Mar 2006
15:18:10 -0500

> Out-of-office should only be used internally within a company.  If you
> can not guarantee to not spam anyone using out-of-office then do not
> use it to external sources.  If you can not guarantee to not send an
> out-of-office message to a mailing list then do not use it to external
> sources.
>
>
> I don't think there is a lot you can 'guarantee' on anything nowadays...

Right!  That is why I think that spamcop is correct in listing spam sent via
out-of-office messages.  Also why I think out-of-office messages should only
be used internally within a company.


> I don't agree with OoO messages being only used internally.  If I go
> on vacation I need to let people know that I am Out of the Office.
> Why is this only supposed to be used for internal situations?  I don't
> understand that.  How can you get by this?  I have no idea.  If I go on
> vacation I do NOT want other people on my team to access and manage my
> email while I am gone.  I do, however, want to let people know that I am
> out of the office if they send me an email.

I do not understand why you would object to someone monitoring your email
while you are on vacation.  So what good does it do to have a customer get
an out-of-office message when they want to do business with your company
while you are on vacation?


> I'm really pissed off at SPAMCOP for accepting out of office responses 
> as SPAM.  I think they are going a bit too far with this.

Why do you think I like to get out-of-office spam sent to me?  I get enough
spam sent directly to me without someone else sending me more spam via an
out-of-office message.
_________________________________________
Learn about Intrusion Detection in Depth from the comfort of your own couch:
https://www.sans.org/athome/details.php?id=1341&d=1

_______________________________________________
send all posts to list at lists.dshield.org To change your subscription options
(or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

