
SANS ISC: InfoSec Handlers Diary Blog - Signature Blocks



Signature Blocks

Published: 2007-05-29
Last Updated: 2007-05-29 19:07:18 UTC
by Joel Esler (Version: 1)

Just thought I'd share with you all a pet peeve of mine.  Signature Blocks in email.

How much is too much?  At what point do these things become a security hazard?  At what point are you putting too much information about yourself out on the internet?

Well wait, you ask, what does this have to do with security?  What if your email client has a vuln in some client-side jpg/png/gif parsing thingy, and all I have to do is send you an email with an HTML signature block (or HTML at ALL), and execute some code?

Do you put certs in your signature block?  Should you? 

Do you put quotes in your signature block?  Should you?

Do you put your phone number in your signature block?  Email addresses?  Titles?

I've stuck to the rule of '4 lines is enough' in a signature block.  But what are your thoughts?

Does your company have a policy against signature blocks?  What about those Plaxo signature blocks?  What about LinkedIn signature blocks?

Share your thoughts.  I'll collect the consensus for the night and publish a diary with your thoughts.

--

Joel Esler
http://handlers.sans.org/jesler

P.S.  For those of you that are wondering, my email signature block is one line.