Quick Tip – Be careful with recipient SMTP addressing

It is possible that many of you will read this article and think “yeah I know all about this” – but, considering the havoc that it caused for one of my customers last week, I thought that it might be worth doing a post on the subject – just in case!

You might have to read this article a couple of times to ensure that it makes sense – as it can at first seem a fairly complex sequence of events that need to happen before the problem that is being described becomes apparent.

On Friday I was contacted by one of my senior customers who has the overall responsibility for IT within his organisation. This organisation provides a key public service and, given the work that it does, has a certain amount of political and legal sensitivity.

For the purposes of this article I will call the company Strategic Domicile inc (note that names that have been chosen in this article are fictitious and do not relate to any company that might actually have these names).

The organisation’s management team consists of an elected board which in conjunction with the CEO runs the affairs of the company. However to complicate matters the operations of the said company are also overseen (to a certain extent) by a larger government based entity – therefore there is regular e-mail communication between senior figures within the Strategic Domicile inc and the parent which are of a highly confidential nature.

Again for the purposes of this article the parent and overseer will be known as the Domicile Regulatory Board.

My customer contacted me to let me know that a Senior political figure within Strategic Domicile had e-mailed the CEO of Domicile Regulatory Board and had carbon copied another political figure from Strategic Domicile.

This in itself was not an issue – however the major problem was that when the e-mail appeared in the Inbox of the CEO of Strategic Domicile the CC of the message had changed to another person entirely – and to make matters worse the person that it had changed to was a member of the board of Strategic Domicile, a person whom, one presumes, the CEO did not want on the distribution of the message.

The following diagram is designed to depict what happened:

[Diagram: explanation of bad addressing]

The diagram above depicts the Sender ([email protected]) sending an e-mail to [email protected] but also CC’ing [email protected]. The e-mail arrives correctly with the CEO of Domicile Regulatory but, the CC’d recipient appears to have been incorrectly delivered to [email protected] when being viewed in the CEO’s Outlook client.

Essentially the question that my customer had was – if the message was sent from the Political Officer to the CEO and CC’d to another Political colleague – how could the intended CC recipient change once the mail had arrived?

He was obviously quite worried as this potentially presented major confidence issues within their mail system and caused a little bit of embarrassment, as indeed it looked like a person who should not have received the e-mail did – was there skulduggery afoot?

He had asked his own internal IT team to investigate the matter, and had not had a satisfactory answer which had pretty much boiled down to “we don’t know” – therefore I was asked if I could take a look.

At first I asked him the usual question – is it possible that the Board Member is a delegate of the Assistant Political account to which the answer was “no” – which upon reflection was a silly question as even if that was the case it would not change the addressee in the “CC” box within the message.

To cut a long story short, and after some careful investigation (via tracking logs etc.), I discovered that the mailbox of “[email protected]” also, and incorrectly, had the SMTP address of “[email protected]”. Exchange (or more to the point Outlook) will resolve any SMTP address which is configured on an account to the Display Name of that account within the Global Address List.

You can test the principle out with your own account within Exchange – all you have to do is add a spurious SMTP address to your account – for example “[email protected]<your smtp domain>” then from within Outlook type into the address bar “[email protected]<your smtp domain>” and click on the resolve recipient – which will then come back as your name.

The moral to this tale is that you should ensure that the people who have responsibility for the creation and maintenance of e-mail accounts are properly trained and aware of what the impact of mistakes can be.
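One way to catch this kind of mistake before it causes trouble is to audit secondary SMTP addresses. The following is an added example, not part of the original investigation: it flags any secondary address whose local part matches the alias or primary address of a different recipient. The function name, the sample recipients and the example.com / example.org addresses are constructed for illustration, and the match is a heuristic that still needs a human to review each hit.

```powershell
# Added example (hypothetical function name). Flags secondary SMTP addresses whose
# local part matches the alias or primary local part of a DIFFERENT recipient.
function Find-MisassignedProxyAddress {
    param([Parameter(Mandatory)][object[]]$Recipients)

    # Map each "natural" name (alias, primary local part) to the recipient that owns it.
    $owners = @{}
    foreach ($r in $Recipients) {
        $primaryLocal = ("$($r.PrimarySmtpAddress)" -split '@')[0]
        foreach ($name in @($r.Alias, $primaryLocal)) {
            if ($name) { $owners[$name.ToLower()] = $r.DisplayName }
        }
    }

    foreach ($r in $Recipients) {
        foreach ($entry in $r.EmailAddresses) {
            # Secondary addresses carry a lower-case "smtp:" prefix; the primary is "SMTP:".
            if ("$entry" -cmatch '^smtp:([^@]+)@(.+)$') {
                $local = $Matches[1].ToLower()
                if ($owners.ContainsKey($local) -and $owners[$local] -ne $r.DisplayName) {
                    [pscustomobject]@{
                        Mailbox              = $r.DisplayName
                        ProxyAddress         = "$($Matches[1])@$($Matches[2])"
                        LooksLikeItBelongsTo = $owners[$local]
                    }
                }
            }
        }
    }
}

# Constructed sample data standing in for Get-Recipient output.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Assistant Political'; Alias = 'assistant.political'
        PrimarySmtpAddress = 'assistant.political@example.org'
        EmailAddresses     = @('SMTP:assistant.political@example.org') }
    [pscustomobject]@{ DisplayName = 'Board Member'; Alias = 'board.member'
        PrimarySmtpAddress = 'board.member@example.com'
        EmailAddresses     = @('SMTP:board.member@example.com',
                               'smtp:assistant.political@example.com') }
)

# Reports the 'Board Member' mailbox carrying assistant.political@example.com.
Find-MisassignedProxyAddress -Recipients $sample | Format-Table -AutoSize

# Live use from the Exchange Management Shell:
# Find-MisassignedProxyAddress -Recipients (Get-Recipient -ResultSize Unlimited)
```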
