Security Basics mailing list archives

Re: Email Forward/Auto Response


From: "Chris Barber" <cmbarber () gmail com>
Date: Sat, 26 Jan 2008 16:58:44 -0700

First let me make sure we are on the same page.

You are wanting to know first how to get email for
Joe.Blow () company-x com to Joe.blow () company-y com, and then make sure
it gets there without being stored, forwarded, read or archived?

The first part is very easy.  On the SMTP Gateway you create an alias
for the joe.blow () company-x com address and make the deliver-to address
joe.blow () company-y com.  First part achieved.

The second part is not so easy.  First off you have to know what
company-x's SMTP gateway is doing.  If it is doing any form of virus
checking, the storage part of your request is not possible, as most
email virus scanning software uses the store and forward method to
scan the message.  If the alias is set up in such a manner that it is
handled before any virus scanning then you would not have any issue,
but the transaction would be logged and the message would be stored in
the SMTP logs of the SMTP gateway anyway.

The forwarded part is out by default as that is what you are doing.

Not having the message read is doable, but requires cooperation from
both companies, and would require a VPN between both e-mail servers.
This way the transmission would not be seen by anyone.  If you are
just concerned about other email users, not a problem, the message
would only reside in the logs of the gateway, and never make it into
the mail server's message store.

Again, the message would only be stored in the SMTP transaction logs
and nowhere else.

If there is a true business requirement, and as long as it is
documented and agreed to by both companies, I do not see any
compliance issues.  As for any security issues, there are no more
risks than exist with just having an e-mail server, but you may open
an attack vector that puts company-x in the middle of an attack
between an attacker and company-y.

Hope this helps,
Chris.



On 1/25/08, _ _ <markpalmer () austin rr com> wrote:
What is required to occur if company X (company-x.com) wants to activate an email auto-response for email sent to Joe
Blow at joeblow () company-y com and ensure that email sent to this address is not read, forwarded, stored or
archived?

Also, would there be any security or compliance risks associated with doing this (if it is even technically possible)?



-- 
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|                         _   |
|  ASCII ribbon campaign ( )  |
|   - against HTML email  X   |
|                        / \  |
|                             |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+

