Exchange security policy

[Pete Halasovski]

Hi,

I wanted to sanity check a security setting we employ against realistic
threats. We use the MS Exchange default setting of not sending Out of Office
messages to internet based email messages. This inconveniences some of our
users and I wanted to canvas opinion on whether or not this is a necessary
precaution. Has anyone had an attack or any other problems as a result of
allowing OoO to the world? Has anyone noticed if this is a rising or falling
threat?

Thansk in advance,

Pete

 

[Ed Crowley [MVP]]

There isn't much of a technical threat to allowing out-of-office to the
Internet since it is sent just once to each correspondent and therefore
isn't likely to cause looping. It can alert a spammer to a valid address,
but if you have a good antispam filter working for you, that threat is
minimized. And then there are the social engineering issues which you can
mitigate by explaining proper use to your users.

Of course, Exchange 2007 allows each user to choose whether to send their
out-of-office message externally, a feature I like because I don't send my
out-of-office to external correspondents.

 

[Nir Valtman]

Hi pete'

I'm working as information security consultant and I've never heard about
exploiting this configuration.
Even if junk mail sent to the user, most of the times is does not come back
again as a result of sending an "out of office" message,
I think that the probability to exploit this feature is low,

 

[Ed Crowley [MVP]]

Care to share the evidence behind this assertion?

 

[Nir Valtman]

The meaning of what i wrote is that if your mailbox get a spam then it sends
back an OoO message, then no one will send you the same message immediately
again (takes time to update), so it won't be endless loop which may cause a
DoS.

In addition, if you have a mail relay with antispam filter, i don't think
that the probability to exploit this feature is high.

--

Nir Valtman
http://blogs.microsoft.co.il/blogs/valtmanir/
---------------------------
Do you think that information security is expansive? Try to ignore it

Care to share the evidence behind this assertion?

 

[Ed Crowley [MVP]]

Comments inline below.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
..

The meaning of what i wrote is that if your mailbox get a spam then it
sends
back an OoO message, then no one will send you the same message
immediately
again (takes time to update), so it won't be endless loop which may cause
a
DoS.

That "meaning" is far from clear from your post. I would hope that you do a
better job of communicating in your "consulting" with your customers.

The issue of a message loop is not really a DoS, which is really a
deliberate attack, but a risk of using up all your disk space when a large
message loops. I agree with you, however, that the risk is negligible of an
out-of-office message causing a mail loop, and any impact can be mitigated
by implementing Prohibit Send and Receive limits, if large ones, on all
mailboxes.

In addition, if you have a mail relay with antispam filter, i don't think
that the probability to exploit this feature is high.

That's a big "if", and it assumes an extremely high level of protection. I
don't agree with your dismissiveness here.

The part you left out is the social engineering case. I believe that it's a
fact that plenty of users will provide more information about themselves or
their organizations to complete strangers through such messages than you
might believe. I'm not opposed to organizations opening out-of-office
messages to the Internet, but I do believe that they ought to make an
informed and intelligent decision and educate users as appropriate.

 

[Nir Valtman]

1. Don't worry about my job
2. Although i'm talking about big if, but most of the organizations (where i
live) have a mail relay. I believe that wer'e talking about a standard.
3. I agree with your last paragraph. Social Engineering is the most
dangerous threat.
--

Nir Valtman
http://blogs.microsoft.co.il/blogs/valtmanir/
---------------------------
Do you think that information security is expansive? Try to ignore it

Comments inline below.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
..

The meaning of what i wrote is that if your mailbox get a spam then it
sends
back an OoO message, then no one will send you the same message
immediately
again (takes time to update), so it won't be endless loop which may cause
a
DoS.

That "meaning" is far from clear from your post. I would hope that you do a
better job of communicating in your "consulting" with your customers.

The issue of a message loop is not really a DoS, which is really a
deliberate attack, but a risk of using up all your disk space when a large
message loops. I agree with you, however, that the risk is negligible of an
out-of-office message causing a mail loop, and any impact can be mitigated
by implementing Prohibit Send and Receive limits, if large ones, on all
mailboxes.

In addition, if you have a mail relay with antispam filter, i don't think
that the probability to exploit this feature is high.

That's a big "if", and it assumes an extremely high level of protection. I
don't agree with your dismissiveness here.

The part you left out is the social engineering case. I believe that it's a
fact that plenty of users will provide more information about themselves or
their organizations to complete strangers through such messages than you
might believe. I'm not opposed to organizations opening out-of-office
messages to the Internet, but I do believe that they ought to make an
informed and intelligent decision and educate users as appropriate.