On Thu, Mar 01, 2001 at 05:24:24PM +1100, Dave Horsfall wrote:
> On Wed, 28 Feb 2001, Noonan, Wesley wrote:

> > up as the cost of doing business. The days of text mail with no out of
> > office notification are definitely over. If auto responses are the biggest of
> > my worries... well, it's been a good day. :)

> Funny; I can do it quite easily with my text-based Unix mailer.  I don't
> have to annoy anyone who posted to a mailing list, or worse still, the
> *entire* list.  I mean, it's of no consequence to me if Jack Dickhead is
> out for lunch when I post to a mailing list, so why the heck should I be
> notified?  If anyone ought to receive the silly-ack, it's the list owner.

> Or is M$ particularly broken in that respect?

        The default configuration of SOME versions of the M$ vacation
program is extremely broken in that it violates EVERY best practices
rule vis-a-vis autoresponders.

        They respond to precedence bulk or list messages.

        They respond to delivery status notifications.

        They respond to autoresponse messages.

        They respond multiple times to the same address.

        Now...  Can anyone see the security implications in the above?

        Scenario...  Post to a list twice.  Note any and all autoresponders
that respond BOTH times.  Fake a message into one from another.  Watch for
the smoke.

        I know of one person who actually did this to two people who
had been previously warned about misuse of autoresponders (this was
at a military site on an internal distribution list).  The two individuals
came back to mailboxes that were over-quota with over 8,000 messages
in each.  Of course, they immediately accused each other.  And they
were both right!  :-)  They both caused it.

        Some versions of Lookout and accessories do at least limit the
number of messages sent to a given address.  They fixed that, at least.

> -- Dave

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
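
An added example, not part of the original post: a sketch of the check a well-behaved autoresponder makes before replying, covering the four failures listed in the message above (list/bulk mail, delivery status notifications, other autoresponses, repeat replies to one address). The class name, the one-week interval and the sample messages are assumptions constructed for illustration; the Auto-Submitted header comes from RFC 3834, which postdates this thread.

```python
import time
from email import message_from_string

REPLY_INTERVAL = 7 * 24 * 3600  # assumption: one reply per sender per week

# Constructed sample messages (not taken from the thread).
LIST_POST = "From: alice@example.org\nPrecedence: list\nSubject: hi\n\nbody\n"
VACATION = "From: bob@example.org\nAuto-Submitted: auto-replied\n\naway\n"
PERSONAL = "From: carol@example.org\nSubject: lunch?\n\nbody\n"
BOUNCE = "From: MAILER-DAEMON@example.org\nSubject: failure\n\nbody\n"


class Autoresponder:
    """Hypothetical vacation responder that refuses the four cases above."""

    def __init__(self, now=time.time):
        self._now = now
        self._last_reply = {}  # sender address -> time of last autoreply

    def should_reply(self, raw_message, envelope_sender):
        msg = message_from_string(raw_message)
        sender = envelope_sender.strip().strip("<>").lower()
        # Delivery status notifications: null return path or daemon sender.
        if (not sender or sender.split("@")[0] == "mailer-daemon"
                or msg.get_content_type() == "multipart/report"):
            return False, "dsn"
        # Bulk or list traffic.
        if msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk"):
            return False, "bulk-or-list"
        if "List-Id" in msg or "List-Unsubscribe" in msg:
            return False, "bulk-or-list"
        # Other autoresponders (anything but "no" means machine-generated).
        if msg.get("Auto-Submitted", "no").strip().lower() != "no":
            return False, "auto-submitted"
        # One reply per address per interval stops repeat replies and loops.
        last = self._last_reply.get(sender)
        if last is not None and self._now() - last < REPLY_INTERVAL:
            return False, "already-replied"
        self._last_reply[sender] = self._now()
        return True, "ok"


if __name__ == "__main__":
    ar = Autoresponder()
    for name, raw, env in [("list", LIST_POST, "alice@example.org"),
                           ("bounce", BOUNCE, "<>"),
                           ("vacation", VACATION, "bob@example.org"),
                           ("personal", PERSONAL, "carol@example.org"),
                           ("personal again", PERSONAL, "carol@example.org")]:
        print(name, ar.should_reply(raw, env))
```

The rate limit keys on the envelope sender rather than the From: header, since the envelope sender is the address a reply would actually be delivered to.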
