Out of office/vacation messages

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Fri Jan 2 18:31:59 UTC 2004


On Fri, 02 Jan 2004 10:13:28 PST, "Rachel K. Warren" <rachel at plur.net>  said:

> Sometimes you have no choice but to run a Windows mail client - it's called 
> your company forcing you to a standard mailer.  It's not something I have 
> liked doing in the past, but having your management heavily disaprove of 
> using something outside of standard is usually not a good thing.

Wave the "security issue" flag at them on this one.  There's a number of good
security reasons to not use software that blabs in response to mailing list mail:

1) If this is a reply to a message from a mailing list that you usually "lurk"
on, your subscription to the list has just been revealed (probably to every
person who is posting - possibly to the entire list if your responder replied
to the list).

2) The fact you are "Out of your office" could reveal information to a hacker.

2a) The hacker now knows that you aren't watching your PC very carefully, and
thus it's possibly a better target for a hacking attempt.

2b) If the hacker has gotten a message "George Smith is at a client site until
Aug 30", he can try calling your company and saying "This is George.. I'm at
the client's site, and I can't get to the corporate net. Can you reset my
password so I can get the documents I need to close this deal?".  This is an
amazingly effective "social engineering" attack.

2c) The software most responsible for these errant messages is also well-known
for multiple security issues - and quite often even puts its exact version in
the X-Mailer header.  This allows an attacker to send you a malicious e-mail
message (specially selected for your software version), for you to read when
you get back (and are probably buried under many messages and not paying as
much attention to the contents as you should).

If that doesn't work, point the PHB at this:

http://news.bbc.co.uk/1/hi/technology/3290251.stm

Only 2 out of the top 10 viruses/worms for last year did *NOT* target Outlook.

Then ask the PHB if they have any legal criterion of "due care" that would put
them at risk of being negligent for continuing to run their business in a known
dangerous manner.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20040102/ed4c8182/attachment.sig>


More information about the NANOG mailing list