Tuesday, December 26, 2000

Intelligence Risks of E-mail Auto-Responses

 (As published in Risks Digest Volume 21, Issue 16)

For some time, I have been associated with organizations that maintained e-mail lists for communication with customers. Each customer mailing generates some quantity of e-mail responses to the mailing address or a specified reply-to address. Heuristic filters handle the most frequent types of responses, generating automatic replies or redirecting mail to appropriate addresses. There are, though, always some messages which the filters can't adequately handle, so my involvement tends to involve eyeballing them.

The workload is by no means immense - for every 6,000 outbound messages sent, I manually handle one response. Some are questions the filters didn't catch, which I pipe to various scripts. Some are bounce messages. Some are chain letters - I grep those for From: headers and bounce them to the appropriate administrators; nothing to spread holiday cheer like a corporate policy smackdown. A good many are auto-responses.


Within the set of auto-responses, a significant minority pose non-technical risks. Users who are going to be "away from mail" or "out of the office" for even a single day frequently leave instructions on who should be contacted in their absence, and their responses often include other information that could be considered sensitive.

Their expectation is, of course, that they will receive mail from co-workers and colleagues who already know where they work, what they do, and have some need for the information. However, if they are subscribed to mailing lists, it is quite possible that the information they provide will be seen by completely unrelated users at other organizations.

"I will be away from [government laboratory] from [departure date] and will return on [return date]. If you need to reach someone from the IT Security staff, Please contact [coworker] at [number] or e-mail to [address]."

Congratulations. You've just told me what department you work in and where you work (the combination of which might be the sort of thing you don't just go blabbing around), and given me a co-worker's name and direct contact information. The potential for a social engineering hack is giddying.

This is, of course, a somewhat extreme example. But for each one like this, there are hundreds of others from people in business, academia and government. People who're perfectly willing to send total strangers information about their personal schedules - who they are, what they do, where they do it, when they're leaving, when they're coming back, where they're going, how they can be reached while they're gone, or who to contact instead.

Perfectly normal information to give to a co-worker, colleague or neighbor. Somewhat risky information to give to strangers, in an era of competitive intelligence, corporate and other espionage, etc.

Workarounds? You could hack your MTA/MUA/MDA to only send responses to certain domains, or omit all personal information from your auto-response. A more balanced approach would involve not re-stating information authorized users already know, and delivering necessary information in a minimal form. Ergo, instead of:

"I will be away from GovLab from December 22 and will return on December 26. If you need to reach someone from the IT Security staff, Please contact John Smith at 809-555-1212 or e-mail to jsmith@govlab.gov."

send something like this:

"I am currently away from work. If you need to reach someone, please contact John at 555-1212."

The logic, of course, is that an authorized person already knows where you work, what you do, your e-mail domain, and your area code. Nobody needs to know how long you'll be gone, if there's someone else who can help them.
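The "only send responses to certain domains" workaround, as an added example that is not part of the original article: a hypothetical gate in front of an auto-responder that also refuses to answer mailing-list and other automatically generated mail (the RFC 3834 Auto-Submitted header, Precedence: bulk, List-* headers, null return paths), so the out-of-office text never reaches the list's strangers in the first place. The header checks are standard conventions; the sample messages and the allowed domain are constructed.

```python
"""Gate an e-mail auto-responder so it never answers list mail or strangers."""
from email import message_from_string
from email.utils import parseaddr

# Header values that mark bulk or automatically generated mail.
BULK_PRECEDENCE = {"bulk", "list", "junk"}
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post")


def sender_domain(msg):
    """Return the lower-cased domain of the From: address, or '' if absent."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def should_autorespond(raw_message, allowed_domains):
    """Decide whether an out-of-office reply may be sent for this message.

    Returns (decision, reason); the reason is for the responder's log so an
    admin can see why a reply was suppressed.
    """
    msg = message_from_string(raw_message)
    # RFC 3834: never answer mail that was itself generated automatically.
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return False, "auto-submitted"
    # Bulk / list precedence is the traditional "do not auto-reply" signal.
    if msg.get("Precedence", "").lower() in BULK_PRECEDENCE:
        return False, "bulk precedence"
    # Any List-* header means the reply would go to a list, not a person.
    if any(h in msg for h in LIST_HEADERS):
        return False, "mailing list"
    # A null return path (<>) is a bounce; answering it only creates loops.
    return_path = msg.get("Return-Path")
    if return_path is not None and parseaddr(return_path)[1] == "":
        return False, "null return-path"
    # Finally, only people at the allowed (e.g. employer) domains get a reply.
    domain = sender_domain(msg)
    if domain not in {d.lower() for d in allowed_domains}:
        return False, "sender domain %r not allowed" % domain
    return True, "ok"


# Constructed samples: a co-worker, a customer mailing list, and a stranger.
COWORKER = "From: Jane Doe <jane@example.org>\nTo: me@example.org\n\nLunch?\n"
LIST_MAIL = ("From: news@lists.example.com\nTo: me@example.org\n"
             "List-Id: Customer news <news.lists.example.com>\n"
             "Precedence: bulk\n\nHappy holidays.\n")
STRANGER = "From: someone@example.net\nTo: me@example.org\n\nHello.\n"
ALLOWED = {"example.org"}  # assumed employer domain

if __name__ == "__main__":
    for name, raw in (("coworker", COWORKER), ("list", LIST_MAIL), ("stranger", STRANGER)):
        print(name, should_autorespond(raw, ALLOWED))
```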
