nir valtman

Hi pete'

I'm working as information security consultant and I've never heard about
exploiting this configuration.
Even if junk mail sent to the user, most of the times is does not come back
again as a result of sending an "out of office" message,
I think that the probability to exploit this feature is low,
--

Nir Valtman
http://blogs.microsoft.co.il/blogs/valtmanir/
---------------------------
Do you think that information security is expansive? Try to ignore it

ed crowley [mvp]

Care to share the evidence behind this assertion?
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
..

nir valtman

again (takes time to update), so it won't be endless loop which may cause a
DoS.

In addition, if you have a mail relay with antispam filter, i don't think
that the probability to exploit this feature is high.

--

Nir Valtman
http://blogs.microsoft.co.il/blogs/valtmanir/
---------------------------
Do you think that information security is expansive? Try to ignore it


"Ed Crowley [MVP]" wrote:

ed crowley [mvp]

Comments inline below.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
..


That "meaning" is far from clear from your post. I would hope that you do a
better job of communicating in your "consulting" with your customers.

The issue of a message loop is not really a DoS, which is really a
deliberate attack, but a risk of using up all your disk space when a large
message loops. I agree with you, however, that the risk is negligible of an
out-of-office message causing a mail loop, and any impact can be mitigated
by implementing Prohibit Send and Receive limits, if large ones, on all mailboxes.

That's a big "if", and it assumes an extremely high level of protection. I
don't agree with your dismissiveness here.

The part you left out is the social engineering case. I believe that it's a
fact that plenty of users will provide more information about themselves or
their organizations to complete strangers through such messages than you
might believe. I'm not opposed to organizations opening out-of-office
messages to the Internet, but I do believe that they ought to make an
informed and intelligent decision and educate users as appropriate.

nir valtman

1. Don't worry about my job :-)
2. Although i'm talking about big if, but most of the organizations (where i
live) have a mail relay. I believe that wer'e talking about a standard.
3. I agree with your last paragraph. Social Engineering is the most
dangerous threat.
--

Nir Valtman
http://blogs.microsoft.co.il/blogs/valtmanir/
---------------------------
Do you think that information security is expansive? Try to ignore it