Be careful what you name your mailing list


Some time ago, I recommended exercising caution when choosing the name for your product group. The same caution applies to the name of your mailing list. Thanks to the large number of spammers out there, creating a mailing list whose account name is a dictionary word is just asking for trouble.

When you create a new mailing list at Microsoft, the mailing list, by default, accepts mail from outside the company. Most people don't realize this; as a result, when a message comes in to a mailing list from outside Microsoft, people on the mailing list may reply to it, unaware that the person on the "From" line was not a Microsoft employee. I'm sure you can pull all sorts of fun social engineering attacks this way.

Of course, the real question is why the default is to accept mail from outside Microsoft in the first place. Shouldn't the principle of "secure by default" apply here? Mailing lists should by default reject mail that arrives from the outside.

Alas, it's even worse than that. The mechanism for changing a mailing list to "Microsoft-only" is not obvious. (It used to be "virtually impossible" but now it's just "hard to find".) Unfortunately, the people who run the system for maintaining Microsoft's myriad mailing lists have said that it's too much work to change the default, so we're going to be stuck with the insecure default for the indefinite future. But at least I can send out a "heads-up" to people who create new mailing lists.

Update: I've heard a rumor that the default is now to reject mail from outside the company.
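For anyone administering their own Exchange organization (the comments below confirm these lists are Exchange distribution lists), here is an added example of auditing and fixing the default the post complains about. It is not from the original post and is not Microsoft's internal list-management tool; it assumes an Exchange Management Shell session (Exchange 2007 or later, or Exchange Online), and the list name `feedback` is a placeholder for a customer-facing alias that legitimately needs external mail.

```powershell
# Added example, not part of the original post.
# Assumes an Exchange Management Shell session; "feedback" is a placeholder list name.

# 1. Find every distribution group that still accepts mail from unauthenticated
#    (i.e. outside-the-organization) senders. RequireSenderAuthenticationEnabled
#    set to $false is the "open to the Internet" state the post warns about.
$openLists = Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled }

$openLists |
    Select-Object Name, PrimarySmtpAddress, RequireSenderAuthenticationEnabled |
    Format-Table -AutoSize

# 2. Apply the secure default: require authenticated senders, so mail arriving
#    from outside the organization is rejected rather than delivered to members.
foreach ($dl in $openLists) {
    Set-DistributionGroup -Identity $dl.Identity -RequireSenderAuthenticationEnabled $true
}

# 3. The deliberate exception: a customer feedback alias that must accept
#    external mail. Re-open only that one list, explicitly.
Set-DistributionGroup -Identity "feedback" -RequireSenderAuthenticationEnabled $false

# 4. Verify the end state: only the intended exception should be listed.
Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
    Select-Object Name, PrimarySmtpAddress
```

Run step 1 on its own first; the point of the audit is to see which lists were created open before you flip them all. Note that `AcceptMessagesOnlyFromSendersOrMembers` restricts a list to specific recipients, not to whole sender domains, so the "internal plus one partner domain" setup a commenter asks for below needs a transport rule rather than a group attribute.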

Comments (17)
  1. Dog says:

    So, just out of interest, what mailing list software does Microsoft use? I take it these aren’t Exchange distribution lists?

    I guess it must be something home-grown? I also wouldn’t be surprised if it predates SMTP… (Or at least the use of SMTP outside of *nix).

  2. Dog: I’ve heard that Exchange is used internally since the NT 4 days, when they finally exorcised the last of their Xenix machines. Of course, that’s just scuttlebutt, and we’ll need to hear from Raymond if my source is correct, or not.

  3. Michael says:

    So, just out of interest, what mailing list software does Microsoft use? I take it these aren’t Exchange distribution lists?

    Yes, MS mailing lists are Exchange distro lists; we are 100% Exchange here.  However, we use a custom interface to manage mailing lists, not the standard one in Exchange.

  4. Mick says:

    Update: I’ve heard a rumor that the default is now to reject mail from outside the company.

    Or more likely, someone just stopped by your desk/office and said "You better not post that information about our mailing lists being available to the public, or we are going to get spammed like crazy."

  5. Jeanie says:

    The default has been internal-only for a while now. When I set up an alias for feedback for customers, I have to go through that hard-to-find hunt to change the setting to allow external email.

  6. JenK says:

    My company’s DLs default to not accepting email from outside the company. I agree this is a good thing in general.

    But (of course, there’s a but) I work at a Microsoft vendor. Many of our account managers use their Microsoft (v-) email account for all their Microsoft-related work…including sending us work from their Microsoft clients.

    You see where this is leading, yes?

    I’ve inquired about setting it up so that DLs can receive email only internally and from specified domains, such as microsoft.com. So far I’m told this is…drumroll…too much work.

  7. Gabe says:

    I recently had a problem where certain emails to a client were getting dropped in the bit bucket. It turned out that sometimes the client sent email that CC:ed an internal-only email list. When you do a reply-all that internal email address ends up on the list, and since the reply originates from outside the client, the client’s email system ignores it.

    The least it could have done was bounce it or deliver only to the valid addresses.

  8. JD says:

    Nice way to force them into action, by publicizing it.

    (Whether they reacted to you or not doesn’t matter, the point is their policy was idiotic)

  9. David Walker says:

    Michael, I have to ask: Under the principle of dogfooding, why in the world doesn’t Microsoft internally use the Exchange interface to manage the mailing lists?

    If the standard interface to manage lists in Exchange isn’t good enough for MS, then it’s not good enough for customers.

  10. J A says:

    Distribution Lists have been internal only by default for more than a year at least (I think the switch happened as soon as the first instance of spam was observed).

    @David – MS uses a custom interface only because there are a number of business processes that are automated around the DLs and the web interface accommodates this. In addition, DLs are not limited to select few — anyone in the company can create a public DL.

  11. Will says:

    When I worked at a certain large Australian company (~45k staff), our Exchange network had a custom-built web interface allowing us ‘normal folk’ to create and transfer ownership of Distribution Lists and Generic Mail Accounts (sales@… etc)

  12. Still says:

    @J A

    Still, what’s the difference? Still not good enough for ordinary people? Still can’t be needed by anybody else?

  13. jeff.s says:

    Still –

    Microsoft is no different from any other company. They have custom business processes, and the custom interface they use surely supports these processes. Every company I’ve worked for has customized the environment to support the business – and Microsoft provides plenty of hooks for companies to do this.

    If you think the standard Exchange interface needs more functionality, make feature requests instead of insinuating Microsoft is doing something shady.

  14. Dean Harding says:

    "Still not good enough for ordinary people?"

    There is a difference between "not good enough" and "not appropriate". Just because a company the size of Microsoft needs a particular feature doesn’t mean everybody else needs it as well. I’d say most large Exchange deployments (> 10,000) have customized interfaces as well.

    I don’t understand the idea that just because Microsoft is a software company they should release every single piece of code they’ve ever written for internal use. I work for a 3-developer company and even *we* have custom software that we’ve written to support our own internal processes. It doesn’t mean we should release all of that code.

  15. Maurits says:

    Still not good enough for ordinary people?

    I wouldn’t wish autogroup (that is the custom interface for managing distribution lists) on anyone. Websites shouldn’t have right-click menus.

  16. Andrew says:

    Microsoft’s internal mailing list management system is painfully awful. The interface is pretty much a case study in bad website usability, and list names are limited to eight characters. I guess this kind of solves the problem of dictionary words since you have to abbreviate pretty much anything when you create the list name.

  17. Igor Levicki says:

    >and list names are limited to eight characters

    So one has to brute force only 8 characters? ;-)
