|
|
|
|
|
1
9th September 00:49
External User
Posts: 1
|
Exchange security policy
Hi pete'
I'm working as information security consultant and I've never heard about exploiting this configuration. Even if junk mail sent to the user, most of the times is does not come back again as a result of sending an "out of office" message, I think that the probability to exploit this feature is low, -- Nir Valtman http://blogs.microsoft.co.il/blogs/valtmanir/ --------------------------- Do you think that information security is expansive? Try to ignore it |
|
|
|
|
2
9th September 00:49
External User
Posts: 1
|
Exchange security policy
Care to share the evidence behind this assertion?
-- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." .. |
|
|
|
3
9th September 00:49
External User
Posts: 1
|
Exchange security policy
again (takes time to update), so it won't be endless loop which may cause a
DoS. In addition, if you have a mail relay with antispam filter, i don't think that the probability to exploit this feature is high. -- Nir Valtman http://blogs.microsoft.co.il/blogs/valtmanir/ --------------------------- Do you think that information security is expansive? Try to ignore it "Ed Crowley [MVP]" wrote: |
|
|
|
4
9th September 00:49
External User
Posts: 1
|
Exchange security policy
Comments inline below.
-- Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." .. That "meaning" is far from clear from your post. I would hope that you do a better job of communicating in your "consulting" with your customers. The issue of a message loop is not really a DoS, which is really a deliberate attack, but a risk of using up all your disk space when a large message loops. I agree with you, however, that the risk is negligible of an out-of-office message causing a mail loop, and any impact can be mitigated by implementing Prohibit Send and Receive limits, if large ones, on all mailboxes. That's a big "if", and it assumes an extremely high level of protection. I don't agree with your dismissiveness here. The part you left out is the social engineering case. I believe that it's a fact that plenty of users will provide more information about themselves or their organizations to complete strangers through such messages than you might believe. I'm not opposed to organizations opening out-of-office messages to the Internet, but I do believe that they ought to make an informed and intelligent decision and educate users as appropriate. |
|
|
|
5
9th September 00:49
External User
Posts: 1
|
Exchange security policy
1. Don't worry about my job :-)
2. Although i'm talking about big if, but most of the organizations (where i live) have a mail relay. I believe that wer'e talking about a standard. 3. I agree with your last paragraph. Social Engineering is the most dangerous threat. -- Nir Valtman http://blogs.microsoft.co.il/blogs/valtmanir/ --------------------------- Do you think that information security is expansive? Try to ignore it |
|
|
Linear Mode
