Stop HR from recruiting anyone with a blocked surname. E.g. John Pol, Mark Vbs, Michael Com, etc...
-----Original Message-----
From: Martin Tuip [mailto:[EMAIL PROTECTED]]
Sent: 01 October 2002 8:52 PM
To: Exchange Discussions
Subject: Re: Another reason to be careful with OWA and URLSCAN

I've seen URLScan fail to allow a user whose last name was POL to open up his mailbox. POL is an extension that is normally blocked.

--------------------------
Martin Tuip
MVP Exchange
Exchange2000 List owner
www.exchange-mail.org
www.sharepointserver.com
[EMAIL PROTECTED]
--------------------------

----- Original Message -----
From: "Tom.Gray" <[EMAIL PROTECTED]>
To: "Exchange Discussions" <[EMAIL PROTECTED]>
Sent: Tuesday, October 01, 2002 5:39 PM
Subject: Another reason to be careful with OWA and URLSCAN

URLSCAN is a great tool. It helps secure your web server. If you use the Outlook Web Access template when installing URLSCAN you should be "good to go", right? WRONG! URLSCAN wreaks havoc with OWA.

First, remember that with OWA the SUBJECT line of a mail message is the FILE NAME. So if you are logged into OWA and want to read a message with subject:

    I want to hold your hand

your browser sends a URL like the following:

    htps:/servername/username/inbox/i%20want%20to%20hold%your%20hand.eml

URLSCAN examines that URL to make sure it isn't evil. Looks good so far.

If the subject is:

    I want to hold your hand.

the URL would be:

    htps:/servername/username/inbox/i%20want%20to%20hold%your%20hand..eml

Since there are two dots (..) URLSCAN rejects it.

And if the subject is:

    I want to hold your hand & foot

the URL would be:

    htps:/servername/username/inbox/i%20want%20to%20hold%your%20hand%20%26%20foot.eml

Since there is an "&" (or hex 26) URLSCAN rejects it.

Now how common is a period at the end of a subject in email? How common is the perfectly RFC822-legal "&" in the subject of a message? There are truly good reasons to reject those chars/patterns as URLs, but they are allowed as file names.

So do you a) lower the security of your webserver by disabling those features of URLSCAN? b) convince everyone to not end their subjects with a period or use the & symbol?

hmmmmm, what were the OWA guys thinking (or smoking?) when they set up the URLs to be based on subject lines???????

Tom Gray, Network Engineer
All Kinds of Minds & The Center for Development and Learning
University of North Carolina at Chapel Hill
Internet: [EMAIL PROTECTED]
AT&T Net: (919)960-8888

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]

Andrea Coppini
+356 79 ANDREA (263732)
[EMAIL PROTECTED]
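As an added illustration of the failure mode Tom describes (not code from the thread, from OWA or from URLScan), the following Python builds the OWA-style item URL from a subject and runs it through a constructed approximation of URLScan's deny lists, so an administrator can predict which subjects and which mailbox aliases will become unreadable before tightening the filter. The server name, the /exchange/ path layout, the first.last alias form and the deny lists are assumptions, not URLScan's real defaults or the OWA template.

```python
from urllib.parse import quote, unquote, urlsplit
import posixpath

# Constructed rule set approximating the URLScan deny lists discussed in the
# thread; these are NOT the real urlscan.ini defaults or the OWA template.
DENY_SEQUENCES = ("..", "&")
DENY_EXTENSIONS = (".pol", ".vbs", ".com")


def owa_item_url(server: str, mailbox: str, folder: str, subject: str) -> str:
    """Build the OWA-style item URL in which the subject is the .eml file name.
    The /exchange/<mailbox>/<folder>/ layout is an assumption modelled on the thread."""
    filename = quote(subject.lower(), safe="")  # '&' -> %26, ' ' -> %20, '.' is kept
    return f"https://{server}/exchange/{mailbox}/{folder}/{filename}.eml"


def urlscan_verdict(url: str) -> tuple[bool, str]:
    """Approximate URLScan: decode the path once, then reject on any denied
    sequence anywhere in it or a denied extension on any path segment.
    Returns (allowed, reason)."""
    path = unquote(urlsplit(url).path)
    for seq in DENY_SEQUENCES:
        if seq in path:
            return False, f"denied sequence {seq!r} in path"
    for segment in path.split("/"):
        ext = posixpath.splitext(segment)[1].lower()
        if ext in DENY_EXTENSIONS:
            return False, f"denied extension {ext!r} on segment {segment!r}"
    return True, "ok"


def unreadable_subjects(mailbox: str, subjects: list[str]) -> dict[str, str]:
    """Return {subject: reason} for every subject whose OWA URL the rules reject."""
    rejected = {}
    for subject in subjects:
        ok, why = urlscan_verdict(owa_item_url("owa.example", mailbox, "inbox", subject))
        if not ok:
            rejected[subject] = why
    return rejected


if __name__ == "__main__":
    # Constructed sample subjects taken from the thread's three cases.
    sample = ["I want to hold your hand",
              "I want to hold your hand.",
              "I want to hold your hand & foot"]
    for subject, why in unreadable_subjects("tom.gray", sample).items():
        print(f"{subject!r}: {why}")
    # Surname case: a first.last alias ending in a blocked extension is rejected
    # even when the subject itself is clean.
    print(urlscan_verdict(owa_item_url("owa.example", "john.pol", "inbox", "hello")))
```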

