by hxelk1 771 days ago
A couple of years ago, I noticed some weird Outlook headers on our internal company e-mails and decided to take a look. It turned out our company Outlook (or Exchange? who knows) mail server was configured to relay mail through some 3rd-party SPAM filter and the SPAM filter trusted some headers which weren't stripped on ingress. So you could send an e-mail with the headers set and they would reach the SPAM filter unmodified. As the company had a 3rd-party SPAM filter, all Outlook security was disabled. This allowed me to send e-mail with a forged sender. Outlook in its amazing brilliance would attach the "sender's" company photo and show some kind of a "Trusted" badge or something.

I reported the issue and the admins weren't impressed. They insisted that this wasn't a major problem since the only way to make the e-mail appear to come from somebody in the company was to use your company account (outside e-mail would be filtered correctly). After some back and forth, I just told the admin to check his mailbox. It said something like, "if you don't think this is serious, you're fired" and it was "from" the CEO, with his smiling photo next to the name.

That finally did the trick.

EDIT: typos.
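The fix the post is asking for, as an added example that is not from the thread or from any real product: at the relay's ingress, strip every header that only the spam filter itself is supposed to add, so a submitting client cannot pre-set a "trusted" verdict. The header names, addresses and message are constructed assumptions.

```python
"""Ingress sanitisation for filter-owned mail headers (illustrative)."""
from email import message_from_string
from email.message import Message

# Headers the downstream filter adds and then trusts. These names are
# constructed for the example; substitute the ones your filter actually sets.
FILTER_OWNED_HEADERS = ("X-Filter-Verdict", "X-Filter-Trusted-Sender", "X-Filter-Score")

# Constructed message: an internal account submitting mail with a forged From
# and the filter's trust headers already set, exactly the case in the post.
FORGED_MESSAGE = """From: CEO <ceo@example.com>
To: admin@example.com
Subject: Please read
X-Filter-Trusted-Sender: yes
X-Filter-Verdict: clean

If you don't think this is serious...
"""


def parse_message(raw: str) -> Message:
    """Parse an RFC 5322 message from its text form."""
    return message_from_string(raw)


def downstream_trusts(msg: Message) -> bool:
    """Model of the flawed downstream behaviour: trust whatever the
    trust header says, regardless of who set it."""
    return msg.get("X-Filter-Trusted-Sender", "").strip().lower() == "yes"


def strip_filter_headers(raw: str) -> tuple[Message, list[str]]:
    """Remove filter-owned headers before the message reaches the filter.
    Returns the sanitised message plus the names that were removed, which is
    worth logging: a client that sets them is either misconfigured or hostile."""
    msg = parse_message(raw)
    removed = []
    for name in FILTER_OWNED_HEADERS:
        if name in msg:          # header lookup is case-insensitive
            removed.append(name)
            del msg[name]        # deletes every occurrence of that header
    return msg, removed


if __name__ == "__main__":
    before = downstream_trusts(parse_message(FORGED_MESSAGE))
    cleaned, dropped = strip_filter_headers(FORGED_MESSAGE)
    print(f"trusted before sanitisation: {before}")        # True
    print(f"removed at ingress: {dropped}")
    print(f"trusted after sanitisation: {downstream_trusts(cleaned)}")  # False
```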

1 comment

You're allowed to say that the 3rd party spam checker was mailinblack. If it wasn't, then I know from experience they would have reacted the same.