
Mailing List Information Leakage

September 1st, 2007

Have you ever posted to a mailing list? I'll admit I read a lot of mailing lists, but I seldom post to them... it's probably been quite some time since my last mailing list post, until today anyways. I posted to Bugtraq and was quite surprised at the number of return emails I received. While the total was quite small compared to the total Bugtraq subscribers, I received 29 responses that divulged information of various sorts.

Included in the responses were:

  • Scheduled Vacation Dates
  • Names / Email Addresses / Phone Numbers of other Company Employees
  • Internal Server Names / Addresses
  • Verification that the individual is no longer employed by the company
  • OU Related Information (CN and O)
  • Company "Registration Numbers"
  • IT Helpdesk email addresses
  • Alternate Contact Information
  • Type of Spam Filtering Software Used

Now, some of this stuff I could see possibly existing in valid 'Out Of Office' emails, but some of it I was surprised to see. You'd think that policy would dictate that mailing lists don't receive OOO responses or that some of the information just not be made available.
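The policy suggested above, that mailing lists should not receive OOO responses, can be enforced by the auto-responder itself. The following Python function is an added example, not code from the original post; it applies the RFC 3834 guidance for automatic responders, and the function name, addresses and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers added by mailing-list software (RFC 2369, RFC 2919).
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "List-Help")
NOREPLY_PRECEDENCE = {"list", "bulk", "junk"}

# Constructed sample messages (not real traffic).
LIST_POST = ("From: poster@example.org\nTo: list@lists.example.org\n"
             "List-Id: <list.lists.example.org>\nPrecedence: bulk\n"
             "Subject: advisory\n\nbody\n")
DIRECT_MAIL = ("From: vendor@example.com\nTo: alice@corp.example\n"
               "Subject: quote request\n\nbody\n")


def should_auto_reply(raw_message, my_address):
    """Return (send_reply, reason) for one incoming message."""
    msg = message_from_string(raw_message)

    # Never answer a message that is itself automatic (RFC 3834).
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    if auto != "no":
        return False, "auto-submitted"

    # A null return path marks bounces and other system mail.
    if (msg.get("Return-Path") or "").strip() == "<>":
        return False, "null-return-path"

    # List traffic identifies itself with List-* headers or Precedence.
    if any(header in msg for header in LIST_HEADERS):
        return False, "list-header"
    if (msg.get("Precedence") or "").strip().lower() in NOREPLY_PRECEDENCE:
        return False, "precedence"

    # Reply only when the recipient is named in To or Cc; list and
    # Bcc deliveries usually name some other address.
    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    named = {addr.lower() for _, addr in getaddresses(recipients)}
    if my_address.lower() not in named:
        return False, "not-addressed"

    return True, "personal"
```

With these checks a vendor writing directly still gets the out-of-office notice, while a list post, a bounce or another auto-reply gets nothing.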

  1. Will
    September 3rd, 2007 at 00:57 | #1

    The company I work for (>50k employees) has rules in the Exchange servers to disallow any automatic replies to addresses outside the corporate mail network. This is for both Out of Office replies and rule-based responses.

    It’s very effective at stopping those sorts of leaks of confidential/non-public information. It’s quite annoying sometimes though when a vendor is emailing you asking for information/input, you’re away on holidays, and they think you’re being rude. There’s no end-user accessible ‘white list’.
