Admin fishes dirty office chat from mistyped-email bin and then ...? Welcome again to On-Call, our weekly (and preponderantly prurient) piece in which readers share horror stories from their workplaces. This week, we're going interactive, because the situation in which reader “Flash” found himself describes an ethical dilemma The Reg feels un-qualified to address. Flash once had a gig “ …
It's even less interesting than finding porn. It's just a personal email from one employee to another using their employers email system. Does the business allow personal email? If yes then nothing to see. The contents in this case are irrelevant.
I sent an email to a friend today about Friday lunchtime pub time. No different.
> The obvious solution is to just bounce invalid recipients, like everybody else.
Yeah, and I've been bitched at and told to "fix that" by The Big Boss, regardless of how I implemented it or any other consequences. Despite being a tech company, they expected the computer to magically know where to send emails.
In this situation, I would have have blackmailed the two, if the guy had been one of the people complaining about email resolution. Revenge is a dish best served very cold.
If revenge is a dish best served very cold, and revenge is also sweet....is revenge ice cream?
(yes, I shamelessly nicked that from a philosoraptor meme)
Anyway, I've been asked to set up similar 'no bounce' systems, and I've simply told the client - in professional terms - that it's a staff competency problem, not an IT problem.
If they aren't capable of using the address book of their email clients, then they probably shouldn't be trusted to handle a spoon without adult supervision due to the risk of injury.
In this case? I'd have done the same. If the Big Boss wants me to compromise my professional ethics by intercepting staff email on the fly, they can go fuck themselves.
If revenge is a dish best served very cold, and revenge is also sweet....is revenge ice cream?
Only if you milk it for all it is worth, otherwise it is sorbet.
I ran into a similar situation at a previous job. I was asked to transfer archived emails archived on a machine for a coworker who had transferred out of state. The application and method I was given to do this displayed one of the emails in whichever folder was being processed. It happened to pull up one that made it very clear that my coworker was having an affair, that both parties were married, and that she would be working with her new love interest. All in two lines. I finished the transfer and said nothing about it to anyone at work.
As far as I am concerned, the whole thing was an onion ("None ya business" for those not familiar with the term) despite the way Big Brother and Big Business would want us to buy into.
<snip>
"In this case? I'd have done the same. If the Big Boss wants me to compromise my professional ethics by intercepting staff email on the fly, they can go fuck themselves."
I was once asked by a senior sales director of a large UK company if I could monitor an employees email. I said that I could but I would not do it under any circumstance but he could probably employ someone else who would. The director exited screaming and shouting at me, I just went back to work.
1 hour later he came back to me and apologised saying that he had a think about it and with me on watch his emails were as safe as anyone else s and he thanked me for standing up to him.
> This is a security issue, as it allows spammers to identify real email addresses in an organization. If it doesn't bounce, it's a real address.
That's such a 1990s strategy.
- So many email addresses at companies are publicly listed everywhere that this isn't a useful "secret" to protect (see "security through obscurity")
- Anti spam systems are smart enough nowadays to block dictionary attacks - have been for a looong time
- Anti spam systems are pretty good at actually stopping the spam too even if you know the adresses
"This is a security issue, as it allows spammers to identify real email addresses in an organization. If it doesn't bounce, it's a real address."
This may have been the case 20 years ago, but not now. Spammers don't care what bounces. They don't care how many million duff email addresses they're using. There's much more work involved in removing the bad addresses from their spam list than in just leaving them in. Sending out the emails either cost minuscule amounts, or zero if you're hijacking someone else's email server. Bounces cost them nothing at all, because they're not coming back to them. So why should they care?
A company has a black-hole for bad addresses simply to avoid the hassle of handling them. It's a valid strategy, but may result in the lose of emails that could have an actual value to your company.
The obvious solution is to just bounce invalid recipients, like everybody else
This right here, is how email works. User gets bounce, user realises their mistake and everybody is happy.
In this completely made up story the admin thought outside the box without reading any RFCs (as admins are prone to do) thought he was being clever and in the end not only snooped on other people's private lives (I mean using corp email for this stuff is begging for trouble but it's still essentially private) and also broke the entire global email system in the process.
This stuff doesn't have to be difficult but people really so enjoy trying to make it so.
Also if your boss has a problem with your email system working correctly go find yourself a new job and do it now because your company is probably going to go down in lawsuit and you're probably going to end up named as at best a witness and it's going to cost you a lot of money in legal fees.
My viewpoint is that there's no reason for the admin to be reading those emails in the first place - just bounce them. I'm guessing he set this up as a way of snooping, rather than to be helpful.
Anyway, they aren't sharing trade secrets with the competition, the emails aren't illegal. He knows nothing of the details - this pair may have left their spouses which makes the email completely innocent, for example.
It's not for him to judge. I was once told by a colleague that he gets sucked off every time he goes to Amsterdam. I didn't feel the need to tell anybody, especially his wife. None of my business.
"My viewpoint is that there's no reason for the admin to be reading those emails in the first place - just bounce them. I'm guessing he set this up as a way of snooping, rather than to be helpful"
Actually I believe in the article he said that often customers emails would be mis-addressed and he was attempting to forward them to the appropriate recipient. Sounds like a reasonable thing to do for the business.
It just happened that some internal mails were also mis-addressed.
bounce is better. That way as an admin you don't get into a situation you aren't comfortable with. Lets face it, that's between them and their SO's unless it impacts the business, and then its up to their managers and HR to request logs. Whatever my personal feelings are on it, my business one pretty much ends up correcting it and letting it go since that is/was the policy. Of course, I'd then immediately change the policy next week to bounce typoed internal emails after that. I generally follow a don't ask, don't care policy regarding people's personal crap at work...
I've accidentally ended up in similar situations myself on occasion due to monitoring the internet firewall for things like blocked legit sites that needed unblocked and run into someone surfing NSFW's. I'd typically just take them aside, QUIETLY, let them know they could get in trouble if another admin or the security guys saw that, and then let it drop. I generally wouldn't see their userid again pop up again, except for one of the night security guys... yeah, you don't wanna know...
If the acts described in the email were illegal or likely to damage the company (industrial spying, for instance) forward it to the boss. If not, delete or forward, then forget about it. Such breast-beating over a trivial faux pas. Now, if one of the parties involved was the spouse of the original poster, I would understand the agita. Otherwise, you caught a co-worker doing something embarrassing, like dancing to music in their office or picking their nose.
Exactly.
Generally, many employers will have either:
- a policy on the use of work equipment/IT systems/communication during work time, or
- some catch-all clause in the employment contract.
Generally speaking, your response depends on the policies in question. However, internal IT processes and procedures need to be designed with these company policies in mind - if you don't want to be put in the position of reading misaddressed email, don't store or log the stuff!
Any email you send/receive from the company is the property of the company and therefore as an IT employee you're entitled to ensure the company's assets are being used in accordance company policy. Using company equipment for personal use is often allowed but within "reasonable use". In an ideal world you should report this email as abuse of company property and you should be able to remain anoymous as the problem should then be dealt with by the HR dept and the offender's manager as they see fit. It's not your job to pass moral judgements, just act within the bounds of company rules and policy.
Suppose the emails contained evidence of some crime that was later committed? In the financial world everyone, including IT staff, have to take mandatory, annual anti-money laundering training and certification. If you know about potential ML then you're bound by law to report it to the correct company officer else you risk a spell in clinky.
"Suppose the emails contained evidence of some crime that was later committed?"
I'll see your straw man and raise you. Suppose they contained confidential company information that would affect share prices? Difficult to avoid suspicion, even if innocent, if there were then suspicious share trades.
The fact is that intra company email can contain all manner of confidential information. It could be customer or employee personal data. It could be product plans. It could be results of clinical trials. All sorts of things above a support desk pay grade and operation of the email system shouldn't depend on such an employee opening it to route it correctly. It should bounce and give the sender a chance to re-route it correctly, sight unseen by anyone else.
2. Both deleting and forwarding the e-mail will be seen as a judgment call based on morality
No, a judgment call is deleting the email. forwarding is what he was tasked with doing, no judgment required. And, if he is going to police the morals of his co-workers instead of just forwarding the d@mn emails, let him disclose every pen he has taken home, even inadvertently, every time he looked at a personal email on company time, etc., etc.
I believe the correct response is to return the email to the sender, indicating that you had only read
enough to identify that this was not work related.
Then remind the sender that personal messages should be sent using personal email.
Nobody will believe that you didn't read the whole email, but the message that you don't
appreciate having personal stuff like this get misdirected to you will have been delivered.
In my country what he did would have been illegal (and once we had to identify and remove a mail admin who was monitoring the mail of a woman he got "too interested" in...)
Anyway, what people do in their free time is up to them. As long as what they do is not illegal, nor is a true risk for the company, is not a problem of mine - unless, for some reason, I'm very close to one of the involved people and I can understand the situation fully.
Did he sent it to the wrong address? It should have received the standard "cannot deliver" message. I received it by mistake? Delete it.
Sure, it can deeply change the opinion I have about them for ever...
A true BOFH would have filed the email under the names of the two people involved. Just in case, sometime in the future, one of them happened to be in a position to do him a "favour".
Given the sense of humour here and the fact that it's Friday I would have expected the "blackmail both" choice to top the poll. So yay for upstanding citizenship (pardon the contextual pun :) ), booh for not staying true to BOFH principles :).
(and yes, I would have deleted it too - we're still human).
It seems to me that the company in question should have made this policy known to all employees (the one where undeliverable emails end up in a mailbox visible to admins) with a very strong warning that all such emails are liable to being read by people other than their addressees. And if you use company email for that kind of thing, you're an idiot anyway.
Yes, and perhaps put a few hints in the warning that the two perpetrators would recognise, just to make sure they got the message.
Mind you, I'm not subtle so it would probably have gone something like:
"Please remember that the email system is provided by $COMPANY for company business only, not so you can arrange affairs on company time. Please also remember that IT have access to all your emails, especially the ones you don't address correctly and we'd really rather not have to read your home made porn anymore."
Its a hornets nest. Another problem is that you don't know if his e-mail would have been appreciated or could be filed as sexual harassment. One way or the other erotics has no place in the office, so this is definitely the best way to go: remove it, the guy will probably have gotten the hint and yeah...
Then again: maybe because the e-mail got deleted the guy felt rejected by the woman and so he left the company? ;)
Nothing to do with the admin, he shouldn't be reading the emails, should just forward them on.
Why even have a catch-all for misspelt emails? Let the user receive an undelivered mail message like every other mail server does.
Sounds like an excuse to read other peoples mail.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
