I posted a reply to Bugtraq today (that somehow got disassociated from the original thread I was replying to). My message outlined bug fixes/enhancements to the Tcl code in the research report, "Creating Backdoors in Cisco IOS using Tcl," recently released by Information Risk Management Plc (a UK-based information security consultancy).
Today, in addition to deleting the occasional stray piece of spam that makes it through various levels of filtering, I've had to delete message after message from around the world outlining that so-and-so of Big Organization Inc. is out of the office (often for quite a while). These emails are often quite helpful in providing other contact information that, it seems, could be used for nefarious social engineering purposes. ("Hi Bob, this is Carol. I'd been working with Alice on ______; she told me to contact you if I had any problems while she's gone. Anyway, I forgot how to connect to the _______ system; can you give me those connection settings again so I can get through the corporate firewall?")
Anyway, how wise is it for people working in information security to advertise the fact that they are out of the office (and, at least personally, not minding the proverbial store) to random strangers (that they've never had any contact with previously)? Regardless, it seems like poor netiquette to ever reply to a mailing list with an out-of-office autoresponse. Maybe it's just an Exchange/Outlook social norm to do so...?
So far I've received messages in various languages: English and Portuguese (that I can read); French and Italian (where I can pick out some words), and Russian—which might as well be Greek to me.
—Michael A. Cleverly
Tuesday, November 27, 2007 at 21:00
http://blog.cleverly.com/comments/post.blog?id=300#cform