
Mailing List Information Leakage

September 1st, 2007

Have you ever posted to a mailing list? I'll admit I read a lot of mailing lists, but I seldom post to them... it's probably been quite some time since my last mailing list post, until today anyways. I posted to Bugtraq and was quite surprised at the number of return emails I received. While the total was quite small compared to the total Bugtraq subscribers, I received 29 responses that divulged information of various sorts.

Included in the responses were:

  • Scheduled Vacation Dates
  • Names / Email Addresses / Phone Numbers of other Company Employees
  • Internal Server Names / Addresses
  • Verification that the individual is no longer employed by the company
  • OU Related Information (CN and O)
  • Company "Registration Numbers"
  • IT Helpdesk email addresses
  • Alternate Contact Information
  • Type of Spam Filtering Software Used

Now, some of this stuff I could see possibly existing in valid 'Out Of Office' emails, but some of it I was surprised to see. You'd think that policy would dictate that mailing lists don't receive OOO responses or that some of the information just not be made available.
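One way an auto-responder could decide not to answer mailing-list and automatic mail, combined with the internal-only rule a commenter describes for their Exchange servers. This is an added example, not code from the original post or from any mail product; the domain `corp.example`, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organisation's own mail domains

def suppress_reason(raw_message, internal_domains=INTERNAL_DOMAINS):
    """Return why no out-of-office reply may be sent, or None if one is allowed."""
    msg = message_from_string(raw_message)
    # Mailing-list traffic carries RFC 2919 / RFC 2369 list headers.
    for header in ("List-Id", "List-Post", "List-Unsubscribe"):
        if msg.get(header):
            return "list header " + header
    # Older convention still used by list software and bulk senders.
    if (msg.get("Precedence") or "").strip().lower() in {"list", "bulk", "junk"}:
        return "precedence"
    # RFC 3834: do not answer a message that is itself automatic.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return "auto-submitted"
    # An empty return path (<>) marks bounces and other notifications.
    return_path = msg.get("Return-Path")
    if return_path is not None and parseaddr(return_path)[1] == "":
        return "null return path"
    # Policy from the comment thread, not from any RFC: internal replies only.
    target = parseaddr(return_path or msg.get("From", ""))[1]
    if target.rpartition("@")[2].lower() not in internal_domains:
        return "external recipient"
    return None

def sample(*headers):
    """Build a constructed test message from header lines."""
    return "\n".join(headers) + "\nSubject: test\n\nbody\n"

# Constructed sample messages (all names and addresses are made up).
LIST_POST = sample("From: poster@research.example",
                   "List-Id: <security-list.lists.example.org>")
BOUNCE = sample("From: mailer-daemon@corp.example", "Return-Path: <>")
AUTO_REPLY = sample("From: colleague@corp.example", "Auto-Submitted: auto-replied")
COLLEAGUE = sample("From: Colleague <colleague@corp.example>")
VENDOR = sample("From: sales@vendor.example")

if __name__ == "__main__":
    for name in ("LIST_POST", "BOUNCE", "AUTO_REPLY", "COLLEAGUE", "VENDOR"):
        print(name, "->", suppress_reason(globals()[name]) or "reply allowed")
```

The final check is the blunt one: it also silences replies to direct mail from outside senders, which is the trade-off the first comment complains about.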



  1. Will
    September 3rd, 2007 at 00:57 | #1

    The company I work for (>50k employees) has rules in the Exchange servers to disallow any automatic replies to addresses outside the corporate mail network. This is for both Out of Office replies and rule-based responses.

    It’s very effective at stopping those sorts of leaks of confidential/non-public information. It’s quite annoying sometimes though when a vendor is emailing you asking for information/input, you’re away on holidays, and they think you’re being rude. There’s no end-user accessible ‘white list’.
