We discussed last week the risks that out-of-office notifications pose for organizations – namely, that they act as information leaks which an attacker can use to set up a successful attack.
However, the threats from automatic e-mail replies don’t stop with out-of-office notifications. Two other kinds of automatic reply pose a similar threat: bounce messages and read receipts. Let’s deal with them one at a time.
Bounce messages – more formally, non-delivery reports (NDRs) or delivery status notifications (DSNs) – have long been known as a spam problem, in the form of backscatter: a server accepts a spam message carrying a forged sender address and then bounces it to the innocent party whose address was forged. They are also a source of information leakage. A verbose NDR can reveal the names of internal mail servers (in its Reporting-MTA and Remote-MTA fields and in the Received headers of the returned copy of the original message), private IP addresses, and the make of MTA software (in Received headers and in the wording of the Diagnostic-Code text). A skilled attacker can use this information in several ways, technical (locate and attack the servers) or non-technical (work out how mail flows through the organization and build an org chart).
The primary use of bounce messages, however, is real-time confirmation of e-mail addresses. Addresses found online will probably work, but a bounce is a more direct and accurate test: a rejection with a 5.1.x status (“user unknown”) says the address does not exist, while the absence of a bounce suggests that it does. Two caveats apply. A domain with a catch-all address accepts mail for every local part and so confirms nothing, and a server that rejects the probe for policy reasons (a 5.7.x status) or merely delays it says nothing about whether the mailbox exists.
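To make both uses concrete, here is an added example (not code from the original post) that parses a constructed non-delivery report in the RFC 3464 delivery-status format with Python’s standard email package and pulls out the address verdicts a probe sender would act on, together with the internal host names, IP addresses and software names the bounce gives away. The bounce text, the host names, the private address and the Postfix banner are all made up for the example; the status-code classification is the editor’s own simplification, and the MTA-banner pattern is a heuristic that no MTA guarantees.

```python
"""Triage an SMTP bounce (a DSN, RFC 3464) for what it tells the sender."""
import email
import re

# Constructed sample, not a real capture: the edge MX accepted a probe to two
# addresses, then an internal relay could not deliver and generated the NDR.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@relay1.corp.example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; relay1.corp.example.com
Received-From-MTA: dns; mx1.example.com

Final-Recipient: rfc822; alice@example.com
Action: failed
Status: 5.1.1
Remote-MTA: dns; mbx2.corp.example.com
Diagnostic-Code: smtp; 550 5.1.1 <alice@example.com>: User unknown

Final-Recipient: rfc822; bob@example.com
Action: delayed
Status: 4.4.1
Remote-MTA: dns; mbx1.corp.example.com
Diagnostic-Code: smtp; 421 connection timed out

--B1
Content-Type: message/rfc822

Received: from mx1.example.com (mx1.internal.example.com [10.0.0.5])
\tby relay1.corp.example.com (Postfix) with ESMTP id 4F2A1;
\tMon, 3 Jan 2022 10:00:02 +0000
From: probe@attacker.test
To: alice@example.com, bob@example.com

probe body
--B1--
"""

HOST_RE = re.compile(r'\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b', re.I)
IPV4_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')
# Heuristic: MTAs often name themselves in parentheses right after "by <host>".
SOFTWARE_RE = re.compile(r'\bby\s+\S+\s+\(([^()\[\]]+)\)', re.I)

def after_type(field):
    """'dns; host' or 'rfc822; addr' -> the value after the address-type tag."""
    return field.split(';', 1)[-1].strip() if field else ''

def address_verdict(action, status):
    """What one per-recipient block of a DSN tells the sender about the address."""
    action = (action or '').strip().lower()
    status = (status or '').strip()
    if action == 'failed' and status.startswith('5.1.'):
        return 'nonexistent'   # 5.1.x: bad destination mailbox or system address
    if action in ('delivered', 'relayed', 'expanded'):
        return 'exists'
    return 'inconclusive'      # delayed, policy rejection (5.7.x), over quota, ...

def harvest(text, result):
    """Collect host names, IPv4 addresses and MTA banners from a header value."""
    line = ' '.join(text.split())
    result['hosts'].update(h.lower() for h in HOST_RE.findall(line))
    result['hosts'].update(IPV4_RE.findall(line))
    result['software'].update(s.strip() for s in SOFTWARE_RE.findall(line))

def parse_bounce(raw):
    """Return the per-address verdicts and the infrastructure details a DSN leaks."""
    msg = email.message_from_string(raw)
    result = {'reporting_mta': '', 'recipients': [], 'hosts': set(), 'software': set()}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == 'message/delivery-status':
            # The stdlib parser splits this part into one header block for the
            # message as a whole followed by one block per recipient.
            blocks = part.get_payload()
            result['reporting_mta'] = after_type(blocks[0].get('Reporting-MTA'))
            for name in ('Reporting-MTA', 'Received-From-MTA'):
                harvest(blocks[0].get(name, ''), result)
            for block in blocks[1:]:
                result['recipients'].append({
                    'address': after_type(block.get('Final-Recipient')).lower(),
                    'verdict': address_verdict(block.get('Action'), block.get('Status')),
                    'diagnostic': block.get('Diagnostic-Code', '').strip(),
                })
                harvest(block.get('Remote-MTA', ''), result)
        elif ctype == 'message/rfc822':
            # The returned copy of the original carries the Received chain it
            # picked up inside the target before delivery failed.
            for received in part.get_payload()[0].get_all('Received', []):
                harvest(received, result)
    return result
```

Calling `parse_bounce(SAMPLE_BOUNCE)` reports alice@example.com as nonexistent and bob@example.com as inconclusive, and the harvested host set includes the internal relay, the mailbox servers and the edge server’s private address, none of which an outsider would otherwise see. Running your own servers’ bounces through the same routine, from a mailbox that only ever sends probes, is a quick way to audit what they disclose.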
Read receipts are even more problematic. For an attacker, a receipt tells them whether an attack “succeeded”, that is, whether a human read the e-mail. (Implicitly, it also confirms that the address exists and is in use.) This is some of the most valuable information an attacker can get, because it shows which kinds of e-mail the victims actually open. A standards-based receipt (a message disposition notification, RFC 8098) can also carry a Reporting-UA field naming the recipient’s mail client, and in combination with web bugs (remote images fetched when the message is displayed) the attacker can determine what software the victim is running.
Sending a read receipt is optional for the recipient. However, e-mail clients can be configured to send receipts automatically, without asking the user for confirmation. Read receipts in and of themselves leak valuable clues to a determined attacker; sending them automatically makes the risk that much greater. Note also that the receipt goes to whatever address the sender placed in the Disposition-Notification-To header, which need not match the From or Return-Path address; RFC 8098 says a client should not send the receipt automatically when the Disposition-Notification-To and Return-Path addresses differ. Without automatic sending, the risk becomes much more manageable, so long as users are careful not to send receipts to correspondents they don’t recognize.
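As an added example (not code from the original post), the following Python shows the check a client or an inbound mail filter can apply before a receipt request is ever honoured. Disposition-Notification-To is the RFC 8098 request header; Return-Receipt-To and X-Confirm-Reading-To are older, non-standard equivalents that some clients still act on. The decision rules (suppress for unknown senders, ask when the request uses a non-standard header or points somewhere other than the Return-Path, otherwise allow) and the known-contacts set are the editor’s assumptions, and both sample messages are constructed.

```python
"""Gate read-receipt (MDN) requests on inbound mail before a client sees them."""
import email
from email.utils import parseaddr

# Header fields that request a read receipt. The first is the RFC 8098 form;
# the other two are non-standard but still honoured by some clients.
RECEIPT_HEADERS = ('Disposition-Notification-To', 'Return-Receipt-To',
                   'X-Confirm-Reading-To')

# Assumed allow-list of correspondents the recipient actually knows.
KNOWN_CONTACTS = {'alice@partner.test'}

# Constructed sample: a genuine request from a known correspondent, where the
# receipt address and the Return-Path agree.
LEGIT = """\
Return-Path: <alice@partner.test>
From: Alice <alice@partner.test>
To: bob@example.com
Subject: contract draft
Disposition-Notification-To: Alice <alice@partner.test>

Please confirm you received this.
"""

# Constructed sample: a lure from an unknown sender whose receipt would go to
# a tracking address that differs from the Return-Path.
LURE = """\
Return-Path: <bounce@mailer.test>
From: Accounts <billing@example-invoices.test>
To: bob@example.com
Subject: Overdue invoice
Disposition-Notification-To: <track@example-invoices.test>

Open the attached invoice.
"""

def find_receipt_request(raw):
    """Return (header name, notification address) for the first request, else None."""
    msg = email.message_from_string(raw)
    for name in RECEIPT_HEADERS:
        if msg.get(name):
            return name, parseaddr(msg[name])[1].lower()
    return None

def mdn_decision(raw, known_contacts):
    """'none': no request; 'suppress': never send; 'ask': confirm; 'auto': may send."""
    request = find_receipt_request(raw)
    if request is None:
        return {'decision': 'none', 'reasons': []}
    header, notify_to = request
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get('From', ''))[1].lower()
    return_path = parseaddr(msg.get('Return-Path', ''))[1].lower()
    reasons = []
    if sender not in known_contacts:
        reasons.append('sender is not a known correspondent')
    if header != 'Disposition-Notification-To':
        reasons.append(f'non-standard request header {header}')
    if notify_to != return_path:
        # The receipt would go somewhere other than where bounces for this mail
        # go; RFC 8098 does not want an automatic reply in that case.
        reasons.append('notification address differs from Return-Path')
    if sender not in known_contacts:
        decision = 'suppress'
    elif reasons:
        decision = 'ask'
    else:
        decision = 'auto'
    return {'decision': decision, 'reasons': reasons, 'notify_to': notify_to}

def strip_receipt_requests(raw):
    """Server-side filter: drop every receipt request so no client ever prompts."""
    msg = email.message_from_string(raw)
    for name in RECEIPT_HEADERS:
        del msg[name]   # removes all occurrences, no error if absent
    return msg.as_string()
```

`mdn_decision(LURE, KNOWN_CONTACTS)` returns `suppress` with both the unknown-sender and the address-mismatch reasons, while the same message from a known contact would still come back as `ask` because of the mismatch. A gateway that wants the simplest policy can call `strip_receipt_requests` on everything from outside the organization, after which `find_receipt_request` finds nothing and the client has nothing to answer.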
Let’s look at the whole picture with a worst-case scenario, in which all of these automated replies are set up insecurely and leak information. Bounce messages, used together with Internet searches, confirm which e-mail addresses are live. Out-of-office notifications leak information about the target’s organization, contact details, and similar usable details. Read receipts show which attacks work and how to conduct an attack effectively. Taken together, these automated replies can become part of a well-planned and well-executed attack against targets, particularly those in extremely sensitive positions.