I read, with interest, a bunch of replies to Potlicker's question, but it
seems a couple of obvious things are being overlooked.
The scenario described is only useful if you are inside BigCo, have access
to the mail address of BigCo's help desk people, and have access to BigCo's
internal users mailing addresses, right?
If you're not inside BigCo;
- then you don't know the email addresses for BigCo's help desk people as,
surely, the help desk peoples internal mailing address is different from
their external mailing address (big duh if they aren't).
- let say you somehow figure out who BigCo's help desk people are, and they
use the same mail address inside and out, now what, you're setting up a
bogus web site waiting for one of them to visit and click on something that
invokes their browser's mail function??? Might be waiting a while, no?
- O.k, miracle of miracles, a known help desk person from BigCo has
actually clicked on your SendBadMail button, wow, after the shock of the
unlikelihood of this event, now you wonder, "hmm, now who are the internal
users in BigCo to send this mail to!". If you send it to a single person,
you will, almost positively, create suspicion since that lone person will
almost probably ask co-workers if they received similar mail (everyone is
paranoid that they are being singled out by help desk people, its a natural
reaction...;-]). If you're planning on sending it to some internal mailing
list, how'd you find out about the internal mailing list and how do you get
the mailing list to be expanded from an inbound SMTP mail from the
Now if you are inside BigCo;
- you probably know the help desk people mailing address for internal use
- you can probably get them to check a "flaky" web page you have set up
(really your bogus web page) to get them to invoke their mailer
- you probably know the internal mailing addresses to send your message to,
although you still have the problems of suspicion if you only send it to
So, as you can see, its much more difficult to do this hack outside of
BigCo than inside, so the obvious question then is whether or not all
internal mail is passing through whatever Firewall you have, hopefully it
isn't (just for performance reasons if nothing else).
In both cases you have some other problems to overcome though.
1. You can only do this once, and it has to be done by someone from your
help desk. If someone else happens along it before a help desk person,
everyone you are sending this mail to will receive the same message from
this other person, obviously raising alarms.
2. Whoever sends the mail may have also set their mailing to cc themselves
on any mail sent (a sensible configuration to help catch these types of
problems), so depending on how long it is before their check their inbox,
you may not have a very big window of opportunity (presumably they would
immediately send out a message saying the previous message was a fraud).
3. This assumes that the users have never been told of one of the first
tennants of email, which is, never give any account information to someone
who asks for it over email. If the help desk really wanted to ask you for
your password they would simply pick up the phone and call you...(security
policy 101). I do realize that this is not failsafe, but its something that
all users should have been told, and reminded of, at various times. Most
forums on CompuServe carry this warning when you join them, for example.
So unless I am missing something, I'd say the hack doesn't have a useful
place in a hacker's toolkit.
...eek, quick, someone give me some broken software, I'm suffering beta