Is it just me or does this seem to be a really BAD security problem?
I've added postmasters at da001-srvmal01.arcommunications.net,
arcommunications.net, and arcmail.com just in case...

[EMAIL PROTECTED] enscribed thusly:
> ----- The following is an automated response to your message
> ----- generated on behalf of [EMAIL PROTECTED]
>
> Thanks for the mail. I'm on vacation until Monday, August 16, 1999.
> --Chris

Well thanks for letting a major security list (probably inhabited
by more than a few with less than your best interest in mind) know that you
are going to be away from your account for over a week.

Let's see now. We know what your account name is likely to be.
We know the system you expect mail to come into. We know the system
the mail appears to have originated on (and the Received-By headers give
us a clue as to what kind of system as well as its name and IP address).
Plus we know the next major mail server, which is likely to be your
outgoing mail hub. With a little digging, a real enterprising individual
might track down a real address to go with that name.

If you are lame enough to hit a mailing list and announce that your
account will be unmonitored and vulnerable for the next week, you are
probably lame enough to use some poor password, so it may even be possible
to brute force your account on one or more of those systems.

Tell you what... Next time you are on vacation, be sure to put the
fact on your answering system "my house will be vacant for the next week"
and maybe take out an ad in a few newsletters somewhere to ensure really
good coverage for the fact that your accounts and premises are wide open
and unwatched...

Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]