Some time ago, I recommended
exercising caution when choosing the name for your product group.
The same caution applies to the name of your mailing list.
Thanks to the large number of spammers out there,
creating a mailing list whose account name is a word from the
dictionary is just asking for trouble.
When you create a new mailing list at Microsoft,
the mailing list, by default, accepts mail from outside the company.
Most people don't realize this; as a result, when a message comes
in to a mailing list from outside Microsoft, people on the mailing
list may reply to it, unaware that the person on the "From" line
was not a Microsoft employee.
I'm sure you can pull all sorts of fun social engineering attacks this way.
Of course, the real question is why the default is to accept mail
from outside Microsoft in the first place.
Shouldn't the principle of "secure by default" apply here?
Mailing lists should by default reject mail that arrives from the outside.
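As an added illustration (not code from the original post, and not how Microsoft's list system actually works), here is a small Python model of the "reject outside mail by default" policy. The company domain `example.com`, the `MailingList` fields and the `[EXTERNAL]` subject tag are all assumptions made for the example. It decides on the envelope sender rather than the "From" line, because the "From" line is exactly what recipients see and exactly what an outsider chooses freely; it also tags any external mail that a list owner has opted in to accept, so that people hitting "reply" can see who they are talking to.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed placeholder for the company's own domain(s).
INTERNAL_DOMAINS = {"example.com"}


@dataclass
class MailingList:
    name: str
    # Secure default: mail from outside the company is rejected
    # unless the list owner explicitly opts in.
    accept_external: bool = False
    # Assumed feature: individual external addresses a list owner trusts.
    allowed_external: set[str] = field(default_factory=set)


def bare_address(address: str) -> str:
    """Return just the addr-spec, ignoring any display name.

    A display name can look like an internal address ("bob@example.com"
    <bob@outside.test>), so the decision must never be based on it.
    """
    _, addr = parseaddr(address)
    return addr.lower()


def sender_domain(address: str) -> str:
    """Lowercase domain of the real address, or '' if there is none."""
    addr = bare_address(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1]


def is_internal(address: str) -> bool:
    return sender_domain(address) in INTERNAL_DOMAINS


def should_accept(mlist: MailingList, envelope_sender: str) -> tuple[bool, str]:
    """Apply the list policy to the SMTP envelope sender (MAIL FROM).

    Returns (accepted, reason). The envelope sender is used rather than
    the From: header because the header is what an outsider controls
    and what list members will see when they reply.
    """
    if is_internal(envelope_sender):
        return True, "internal sender"
    if mlist.accept_external:
        return True, "list accepts external mail"
    if bare_address(envelope_sender) in {a.lower() for a in mlist.allowed_external}:
        return True, "explicitly allowed external sender"
    return False, "external sender rejected by default"


def tag_subject(subject: str, envelope_sender: str) -> str:
    """Prefix the subject of accepted external mail so repliers notice it."""
    tag = "[EXTERNAL] "
    if is_internal(envelope_sender) or subject.startswith(tag):
        return subject
    return tag + subject


if __name__ == "__main__":
    # Constructed sample traffic to a default-configured list.
    widgets = MailingList("widgets")
    for sender in ("alice@example.com", '"alice@example.com" <mallory@outside.test>'):
        accepted, why = should_accept(widgets, sender)
        print(f"{sender!r}: {'accept' if accepted else 'reject'} ({why})")
```

The interesting case is the second sample sender: the display name reads like an internal address, but `parseaddr` pulls out the real `outside.test` address and the default policy rejects it. Flipping `accept_external` to `True` is the list owner's conscious decision, and even then the subject tag keeps the external origin visible to anyone who replies.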
Alas, it's even worse than that.
The mechanism for changing a mailing list to "Microsoft-only" is
(It used to be "virtually impossible" but now it's just "hard to find".)
Unfortunately, the people who run the system for maintaining Microsoft's
myriad mailing lists have said that it's too much work to change the
default, so we're going to be stuck with the insecure default for the
But at least I can send out a "heads-up" to people who create
new mailing lists.
I've heard a rumor that the default is now to reject mail
from outside the company.