Blackmail both parties?
BOFHs in practice...
Welcome again to On-Call, our weekly (and preponderantly prurient) piece in which readers share horror stories from their workplaces. This week, we're going interactive, because the situation in which reader “Flash” found himself describes an ethical dilemma The Reg feels un-qualified to address. Flash once had a gig “ …
The only rule is to deal with it and don't talk about it.
Rule number 2 clearly broken by this admin.
By dealing with this problem by hand the problem will also escalate as people will not update their address books as the "system" fixes it all the time. Bad move pal.
So why in the name of god are you not teaching your users to fish? Collecting mis-sent emails and forwarding them on is an exercise in futility. I have valuable time to be spent trawling the web for photos of cute kittens that would be *seriously* inconvenienced if I spent my time re-addressing email all day.
Delete it and ignore it, and just start bouncing emails (especially internal-only ones!) back when they screw up the address. For externals, you can bounce or drop as you see fit.
As agreed, if this guy has enough time to trawl through spam then he has way too little to do...
I personally wouldn't have set myself up in his role and have all misdirected mail going into the big mailbox in the sky... even if management asked me to perform said task I'd explain the futility of it...
but this isn't what is being asked... and who knows what I'd have done at finding such a mail item - all depends on how the wind is blowing... but while we are thinking about morals, I'd probably find myself chatting to a certain female employee a little more often!!!
Is to catch the spear phishing emails aimed at your important staff.
Running a check for mail from/to an address very similar to the corporate email domain and originator/recipient of a staff member could catch a major phishing attempt.
Downside is that you would pick up all sorts of other crap as well then have to deal with it.
For mis-addressed emails, just read the headers then send a message to the originator saying you are holding the message (in one hand, with one of your bodily extensions in the other) and can they confirm the recipient. Or, better, can they re-submit. With more detail. No - bad idea. Still.......
This assumes that (as others have suggested) you haven't been forced to do what mail rooms used to, and correct obviously wrong addresses.
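The look-alike check suggested in the comment above, sketched as an added example (not code from the thread or from any mail product). The domain example.com, the staff names and the sample message are constructed assumptions, and the distance thresholds are arbitrary starting points.

```python
from email import message_from_string
from email.utils import getaddresses

CORP_DOMAIN = "example.com"            # assumption: the corporate mail domain
STAFF = {"alice.smith", "bob.jones"}   # assumption: staff local parts (constructed)

def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(address):
    """Return why an address looks like an imitation, or None if it does not."""
    local, _, domain = address.lower().rpartition("@")
    if not local or domain == CORP_DOMAIN:
        return None                      # genuine corporate address, or unparsable
    if edit_distance(domain, CORP_DOMAIN) > 2:
        return None                      # unrelated domain
    if any(edit_distance(local, s) <= 1 for s in STAFF):
        return "lookalike domain + staff name"
    return "lookalike domain"            # includes innocent neighbours: expect noise

def scan(raw_message):
    """Map each suspicious From/To/Cc address in one message to its reason."""
    msg = message_from_string(raw_message)
    headers = [h for name in ("From", "To", "Cc") for h in msg.get_all(name, [])]
    return {addr: why for _, addr in getaddresses(headers) if (why := classify(addr))}

# Constructed sample message, not taken from the thread.
SAMPLE = """From: Alice Smith <alice.smith@examp1e.com>
To: bob.jones@example.com
Subject: urgent invoice

Please pay today.
"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The weaker "lookalike domain" result is where the downside mentioned in the comment shows up: an unrelated but similarly named domain lands in the same bucket and needs a human or an allow-list to clear it.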
... by the apparent lack of BOFHness amongst you all.
I mean, you've practically all stated that you'd delete the email and pretend nothing happened rather than resort to blackmail or extortion?
Fer chrissakes, grow a backbone and charge up the cattle prod, the lot of you.
The email had been something the admin really shouldn't have read, for compliance or confidentiality reasons? He'd at least have broken company policies, if not the law. And he'd have known as much from the legal disclaimer text that every company insists on putting at the bottom of its email. He's lucky he kept quiet.
1346 of you, and counting, chose this:
"Delete the mail and hide the secret forever"
It's Friday afternoon - let your imagination go wild.
Where's the option to "Blackmail both parties for money and sex, then frame each for the other's murder and watch from the public gallery as they get sent down" ? Now that's an option.
Where's the option to "Blackmail both parties for money and sex, then frame each for the other's murder and watch from the public gallery as they get sent down" ? Now that's an option.
If they've murdered each other, how can they be sent down ? It's like asking where you bury survivors.
I've been in some situations involving sensitive information. I would not have read the email. I would have forwarded it as routine business.
What's in the email is none of my business. However there was one situation where I did say something, it involved classified information being collected by a person that had no need to know, I stumbled upon it while doing maintenance and certainly reported it. I don't know what became of the "suspect" I never saw him again.
When I first started working for "A Very Big Company" - this is the days before the internet - the "perk" was a company car, which everyone in the service department had, but since it was a "company car" and we were just workers any of the bosses could requisition our cars if their car was in the shop.
The Sales Director took my mate's car one day (his was in the shop and he and his secretary had to go to a meeting in London) - he returned it the next day, but there were two small holes in the ceiling liner, aligned with the imprint of a pair of shoes, one on either side of the ceiling above the rear doors.
We all had a good giggle about it but there was no other evidence and if we'd said anything, we would have got the blame. And, whatever the evidence might suggest, there was no way to actually KNOW what happened - as in this article, you can guess what may have happened but you can't know, and I think most of us here realize how easy it would be to spoof a similar email complete with matching headers and log entries.
Two questions here: whether to run a typo/fwd service at all, and who sets standards for acceptable use of email and monitors them. The mistake was to connect the two.
If you are in the business of #1, my opinion is that this is all you do. You don't set the standard, you don't monitor content, etc. Apart from anything else, you reduce your personal legal and moral responsibility.
If you are in the business of #2, then org policies need to be in place to tell users that emails are monitored, not private etc. And ideally you want most of the work filtering to be done by machine, otherwise you end up with some petty BOFH who knows everyone's secrets.
Returning to the first case, supposing you saw an email that read, "I am going to <anglosaxon> you so hard you won't be able to walk." Is that a threat of assault? Or a mash note? If you treat it like the second but it turns out to be the first, you could be blamed for knowing a crime was about to take place and not doing anything about it. Steer well clear.
It's the equivalent of assisting a user to move folders on a server or helping them clean out their desk. Don't look in the folders or the bottom drawer of the desk. Never.
Now if the legal department, security, HR, etc. produce a signed document telling you to look, that's a different story.
My response is not listed as an option. I would have left the message where it was and told the sender that while I am not the morality police, I am the network (or at least e-mail) police and he should not be using the corporate mail for these kinds of messages. These kinds of messages can come back to haunt you in the form of a harassment suit.
I'd just correct the address and forward the mail. But I'd also put out periodic broadcast 'administrative' emails that would remind people that a) mail content is not private b) all mail traffic is archived (it has to be for legal reasons) and c) everything you send on a corporate email server belongs to the company.
It's a roundabout way of telling people that 'lewd, lascivious and illegal content should be kept off corporate email systems because there's a high chance it will bounce back and bite the people communicating'. This isn't being the morality police, it's just reminding people for their own sake.
I discreetly told the recipient that kind of mail was not acceptable, and that I was not going to say anything to anybody this time and to make sure it doesn't happen again because I was not going to lose my job over it.
I could do nothing about the sender as they did not work for the company. However, the problem was resolved.
Flash must work for a small business, so catching all the mis-addressed email from existing or potential customers may well be vital for the financial future of the company.
I make the assumption it's a small business because corporates usually have an A4 equivalent (at least) of legal disclaimer as a sig on all company emails loudly claiming, amongst other things, that "this email is only to be read by the intended recipient blah blah blah" in which case if the "intended recipient" can't be identified with 100% certainty from the To: address alone, then it should be bounced or blackholed as per the "legal disclaimer" included.
You missed the option to forward it to someone else on the company email list, preferably someone with a similar enough name. I occasionally get email for the person whose name appears below mine in the company directory although never in the category described in the article.
Then I'd remove the email catch-all and let the stuff bounce back to sender to teach them to type it properly. It's a minefield to be party to the email of others without an official policy and you're better to just not go there. Hell, paved, intentions, good and all that.
One place I worked at had exactly two people in their address list with my surname. I appeared as Andy and the other chap appeared as Andrew.
Senders assumed that because the mail system had not complained about what they had typed, then it must have been right. They ignored the filling-in bit, which showed UK in my address, and AU in his.
So he ended up forwarding things about IT, and I forwarded things about his line of work. We added comments telling each other a little about ourselves, and promising that if either was passing the other, then beer would be involved.
So one day I turned up in the office in Brisbane, and announced to the receptionist "Andy A to see Andy A".
After a tour of the office, beer WAS involved.
My view would be that "Flash" is obviously green. I did email work in the accounting end of the entertainment industry (not adult entertainment, but entertainment by and for adults). The mix of a lot of money, perceived "power" and a whole lot of very attractive people in the office (excepting my IT crew) meant there was a lot of pelvis bumping happening both intra-office and with just about any other human with a heartbeat. As a result, we seemed to get sued regularly, and fairly often. Other things like malfeasance and other bean counter foibles meant we did quite a bit of suing in our own right as well.
As a result, about every month I would get called into the Big Boss's office, our counsel would be in there, and the ominous words "Shut the door behind you" would begin the conversation....followed up with "We need every e-mail to, from or about so and so..."
Counsel specifically did NOT want me scanning for content...because, if we had to litigate, she much preferred for my testimony to be limited to how the evidence was obtained. We would hand off the data, unfiltered and completely to her e-Discovery team and THEY would do the snooping.
This was very workable all the way around. Initially in one of the the Big Boss did want to use the IT org to do the e-Discovery to save the money. Counsel shot that down that if we ended in court the other side would wrap me around the axle on methodologies I had used in the e-Discovery process. I then piled on with my ethical objections that counsel agreed with.
The conversation ended with big boss getting a mini lecture from counsel that my position of "Don't read things not intended for you" was proper and defensible, and that since I did not have the legal training to discern the difference between "Malfeasance" and "Just being a dick" I should stick to that policy.
Being single myself, I think I would have made a note of the people involved in my little black book for future possible dalliance (assuming that would align with your moral/ethical compass).
A bit of inside knowledge never went astray.
(Mine's the one with the little black book in the pocket.)
I had two similar things happen, I used to release the quarantined emails on our IronPorts.
One morning an email was stuck for our State Sales Manager, we used to check why the message was quarantined as usually it was just the profanity filter, boy did I get a surprise when the embedded image of his wife came up, for a woman in her late 40's she was seriously hot.
I spoke to him quietly about it and mentioned it was best not to send personal emails using his work email, I could do this because I had a very good rapport with HR, CEO, CIO and CFO and they knew I don't muck around.
The next one was a few months later when one of the junior sales ladies sent an email to the same Manager detailing what they did the night before.
That one got deleted, however I sent a company wide email to all staff advising them as per policy, that whilst we did allow some personal use, we had been receiving emails lately that were not acceptable and as we do check quarantined emails to find out why they get stuck and as people tend to blurt everything out in the first lines of the email, that we really didn't need to know some of the things that we had found lately.
Suffice to say, I had no problems after that.
If you set yourself up as the kind of admin who redirects mail, you have to redirect it. There's nothing illegal going on, and flagging it up as a violation of company policy on computer use is obviously messy and unnecessarily complicated. The right answer is obviously to stop nannying your users and let their emails vanish into the void. Teach them how to look up email addresses and check their sent items and then just leave it the hell alone.
The implied moral quandary over being complicit in an affair between two adults is so absurdly puritanical, I can't help but wonder if the admin worked in some kind of hyper-zealous bible sales business.
Depending on company e-mail usage policy (which in any sensible organisation would specify that company resources are subject to possible scrutiny, and also dictate that communications should be within certain bounds - including, but not limited to obscenity, illegality, etc.) as a mail admin, people should assume that the mail admins have legitimate access to all incoming and outgoing mail anyway. The option I would go for is noticeably absent from the poll - a quiet word in the sender's ear to knock it off and/or take it out of the company system, because otherwise sooner or later they're going to get burnt. Now, if company policy DOESN'T expressly allow for scrutiny, then your boy has a problem, because no matter the intent, intercepting e-mail is a no-no, and without permission he shouldn't be doing it.
What puzzles me is how internal mail users could get the address wrong in the first place. Don't they use some kind of address book or company directory?
Couldn't it be argued that *all* data (email or otherwise) on their servers belongs to the company? For example, if your job title is programmer or developer and you write an app for the BBC (for example) the Beeb has the copyright to it and not you. I'm told what I can and can't do in my contract.
I think this is different for external and (genuine) internal e-mail. (I've had spam "from" my own address, presumably used because assumed to be whitelisted.)
External e-mail is likely to benefit the business, even if it's just social. It should be delivered as the sender intended.
Having reflected on the unwanted harassment question, internal e-mail should return to sender, with a covering message that looks like an automated response, but with a hint of doubt. If they want to correct it and send it again, that's up to them. If they're ashamed to, that may be for the best.
I quite often get e-mail intended for a colleague with the same forename, but it is almost never as much fun as the case described.
A user once made a formal complaint about me, claiming that I was spying on his e-mail.
"Of course I'm not spying on you", I said. "You're just not that interesting !"
[Cue sound of an ego going "POP! Pfffffffttttt !"]
When I worked in an office job (before e-mail was invented) (yes, I am retired now) I had an episode like that. We were clearing out a store room and I came across an old briefcase, which rattled, and was locked. Our orders were to throw such things out but I thought I should first find out what was inside. The three-wheel lock on the cheap briefcase was easy enough to fiddle in my lunch break (didn't even have to brute-force it by the numbers). Found discussion papers from a long-past interstate conference, and the used airline ticket of the one who attended the conference, and half a packet of condoms. So I closed it and left it in the boss's office. In that case the moral issue was moot, because the traveler was my boss. Never heard another word about it.