No login credentials are asked when you click View link in the Quarantine Notification
Last Updated December 01, 2011
When you click the "View" or "Release" link in the Quarantine Notification you receive from a Symantec Messaging Gateway (SMG) appliance, you are not asked for any login credentials. Instead, the contents of your end-user quarantine open directly. This raises a security concern for your SMG environment.
This behaviour does not expose your environment to additional security risk. Consider the following points, which explain the security considerations behind this feature:
A spam notification email is sent to a resolvable address in the user's local domain. This email address should always be associated with an LDAP account.
The Control Center is deployed inside the user's intranet in most cases. A user can forward a notification email to a mailbox outside the intranet, but the attached URL will not be accessible from outside the user's firewall.
This login only authorizes a single user to modify his or her own user preferences; it poses no threat to other users or hosts, and no other action can be performed from the Control Center user interface with this login.
The notification email targets one particular user only. It is not meant to be forwarded or transferred to other, non-authorized users.
Nevertheless, starting with SBG version 7.6, Symantec added an option to omit the mentioned links from the notification, which allows the administrator to force end users to log in to the Spam Quarantine. The following KB article contains the steps required to implement this change: http://www.symantec.com/docs/TECH132597
Imported Document ID: TECH86147