Be careful what you name your mailing list

Raymond Chen

Some time ago, I recommended exercising caution when choosing the name for your product group. The same caution applies to the name of your mailing list. Thanks to the large number of spammers out there, creating a mailling list whose account name is a word from the dictionary is just asking for trouble.

When you create a new mailing list at Microsoft, the mailing list, by default, accepts mail from outside the company. Most people don’t realize this; as a result, when a message comes in to a mailing list from outside Microsoft, people on the mailing list may reply to it, unaware that the person on the “From” line was not a Microsoft employee. I’m sure you can pull all sorts of fun social engineering attacks this way.

Of course, the real question is why the default is to accept mail from outside Microsoft in the first place. Shouldn’t the principle of “secure by default” apply here? Mailing lists should by default reject mail that arrives from the outside.

Alas, it’s even worse than that. The mechanism for changing a mailing list to “Microsoft-only” is not obvious. (It used to be “virtually impossible” but now it’s just “hard to find”.) Unfortunately, the people who run the system for maintaining Microsoft’s myriad mailing lists have said that it’s too much work to change the default, so we’re going to be stuck with the insecure default for the indefinite future. But at least I can send out a “heads-up” to people who create new mailing lists.

Update: I’ve heard a rumor that the default is now to reject mail from outside the company.


Discussion is closed.

Feedback usabilla icon