Penetration Testing mailing list archives
Re: Risk of Redirecting Email.
From: Todd Haverkos <infosec () haverkos com>
Date: Fri, 03 Apr 2009 12:17:52 -0500
"M.D.Mufambisi" <mufambisi () gmail com> writes:

> Hi people. I have seen on some clients of mine that when an employee leaves the organisation, they request IT to redirect their emails to a particular email address.... personal.

Hi MD,

Sounds like a very bad idea.

> What are the risks of this? I can only think of company information being directed to this individual.... which could be bad if he/she has gone to work for a competitor. What other risks or security issues could this give rise to?
In addition to passive reception of company information through probably-not-updated group distribution lists within the company, I can think of a few other problems.

First, there would be nothing keeping the former employee from sending out new mail forging their old From: address from the company.... and being able to get replies. Mailing list subscriptions with that id would be possible, password reset requests would get delivered (possibly on old company internet-facing sites), maybe even resets for the company VPN or third-party sites the company uses. Being able to masquerade as a still-valid employee has all sorts of social engineering implications as well as customer service implications.

If a client emails the departed employee a question or request and doesn't get a bounce, you could have them waiting a while to try another method of communication, and they could easily end up underserved and good and upset before they got around to contacting an actual current employee of the company. Had they gotten a timely bounce, however, they'd know immediately their request wasn't read. On the other hand, bounce messages themselves leak internal information, so some advise against using them, so it comes down to your risk tolerance and what you're worried about.

All the same, I see zero upside to the company for providing such a forwarding service for someone they've either fired or who's left them.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
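A defender's check for the situation Todd describes, added here as an example and not part of the original thread: it walks a list of mailbox forwarding rules (constructed sample records, with `example.com` assumed as the company domain) and flags departed accounts whose mail is forwarded outside the company, plus departed accounts with no handling at all.

```python
from dataclasses import dataclass

COMPANY_DOMAINS = {"example.com"}  # assumed company domain; placeholder value


@dataclass
class ForwardRule:
    mailbox: str  # account whose mail is redirected
    target: str   # address the mail is sent on to


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def classify(rule: ForwardRule, departed: set) -> str:
    """Risk label for one forwarding rule.

    high   - departed employee's mail leaves the company (the case in the post)
    medium - current employee forwarding to an external address
    low    - departed employee's mail handed to an internal mailbox
    ok     - internal-to-internal forward for a current employee
    """
    external = domain_of(rule.target) not in COMPANY_DOMAINS
    gone = rule.mailbox.lower() in departed
    if gone and external:
        return "high"
    if external:
        return "medium"
    return "low" if gone else "ok"


def audit(rules, departed):
    """Return (mailbox, target, label) for every rule, plus the departed
    accounts with no rule at all: if such an account is left active, mail
    is still accepted and sits unread, so senders never get a bounce."""
    gone = {d.lower() for d in departed}
    findings = [(r.mailbox, r.target, classify(r, gone)) for r in rules]
    covered = {r.mailbox.lower() for r in rules}
    return findings, sorted(gone - covered)


# Constructed sample data; not taken from any real mail system.
SAMPLE_RULES = [
    ForwardRule("alice@example.com", "alice@personal.example"),
    ForwardRule("bob@example.com", "manager@example.com"),
    ForwardRule("carol@example.com", "carol@partner.example"),
]
DEPARTED = {"alice@example.com", "bob@example.com", "dave@example.com"}
```

Feed `audit()` the rule export from your mail system and the leavers list from HR; anything labelled `high` is the forward-to-personal-address case the post argues against.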