The dangers of 'dummy' email accounts


Chuck Connell
06.16.2004

To allow employees to read e-mail received at generic addresses, like resumes@company.com or helpdesk@company.com, you would typically provide IDs and passwords for these 'dummy' accounts. The users could then switch IDs (or re-logon) to open the target mail files. While this may be the easiest approach for managing generic e-mail accounts, it isn't necessarily the best, as it creates several security holes in your system. In this tip, I'll discuss a few of these security concerns and explain why a mail-in database is a safer alternative.

One thing to consider is that it is difficult to take back IDs and passwords once you've given them away. Asking users to return ID files does no good, since they may keep copies without your knowledge. If you change an ID's password or public key (and enable server-side checking of these items), you can disable one person's copy of the ID. But then you have to update the other valid copies with the new information, or they won't work.

The same applies to Domino Web mail accounts. If you disable someone by changing the Web password, you have to tell the other people the new password. All of this is doable, but a bit of a pain.

Dummy accounts also offer malicious users a way to gain access to your entire system. Since you ideally want the total number of user accounts to be as small as possible, adding an account named Helpdesk, for example, just gives hackers another crack at guessing a password. The names of these accounts are usually obvious, too, making them inviting targets for break-ins.

Having user accounts with generic names also violates a standard "best practice" for security policies -- that is, users should log onto a computer system with unique names. If you look at a log file and see some suspicious activity by a user named Resumes, you have little idea who actually performed those actions.

A mail-in database solves all of these problems. There is no specific ID or password associated with the mail file. Therefore, there is no way to log on to Domino with the usernames Helpdesk, Resumes, etc. You grant or deny access to the mail-in database by adding/removing regular usernames from the database access control list (ACL).

If you want to prevent departing employees from accessing the Helpdesk mail file, you just take their names out of the ACL, and they'll be locked out. Adding someone is just as easy -- simply put their name into the mail file ACL. You don't have to hand out ID files, tell anyone an additional password, or keep certain users up-to-date with changes to the generic account.
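The ACL changes described above, written as a LotusScript agent that also reviews the result. This is an added example, not code from the original tip; the server name, file path, user names and the choice of Editor access are assumed placeholders.

```lotusscript
Option Declare

' Added example. All names below are hypothetical placeholders.
Const MAILIN_SERVER = "Mail01/Example"
Const MAILIN_FILE = "mail\helpdesk.nsf"
Const DEPARTING_USER = "Pat Leaver/Example"
Const NEW_USER = "Sam Newhire/Example"

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry

    Set db = session.GetDatabase(MAILIN_SERVER, MAILIN_FILE)
    If Not db.IsOpen Then
        Print "Cannot open " & MAILIN_FILE & " on " & MAILIN_SERVER
        Exit Sub
    End If
    Set acl = db.ACL

    ' Revoke: remove the departing employee's own ACL entry.
    Set entry = acl.GetEntry(DEPARTING_USER)
    If Not entry Is Nothing Then Call entry.Remove

    ' Grant: add the new team member under their own name (Editor is an assumption).
    Set entry = acl.GetEntry(NEW_USER)
    If entry Is Nothing Then
        Set entry = acl.CreateACLEntry(NEW_USER, ACLLEVEL_EDITOR)
    Else
        entry.Level = ACLLEVEL_EDITOR
    End If
    entry.UserType = ACLTYPE_PERSON
    Call acl.Save

    ' Check: removing a name locks nobody out if -Default- can still read.
    Set entry = acl.GetEntry("-Default-")
    If Not entry Is Nothing Then
        If entry.Level >= ACLLEVEL_READER Then Print "WARNING: -Default- can read this mail file"
    End If

    ' Review: list every remaining entry so group-based access is visible.
    Set entry = acl.GetFirstEntry
    While Not entry Is Nothing
        Print entry.Name & "  level=" & entry.Level & "  group=" & entry.IsGroup
        Set entry = acl.GetNextEntry(entry)
    Wend
End Sub
```

Removing an individual entry does not revoke access that the person still holds through a group listed in the ACL, so the final listing should be checked against group membership in the Domino Directory.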

Mail-in databases are simple to create and manage. For more information, see Domino Admin Help -> Index -> Mail-in Database (R5 and R6).

About the author: Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes.

All Rights Reserved, Copyright 1999 - 2008, TechTarget | Read our Privacy Policy