LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Valdis Kletnieks <[log in to unmask]>
Fri, 18 Aug 2006 10:36:42 -0400
text/plain (23 lines)
On Fri, 18 Aug 2006 10:13:49 EDT, Pete Weiss said:
> I think of OOO's as requests to "please hack me 'cause no one is watching my 
> account."

Oh, those things are *wonderful* for a pen test (or a black hat :)

Let's see what they usually give you:

1) The fact the user's machine isn't being watched, so a direct hit on it
would likely not be noticed for a few days.

2) Enough "Please call George Foo" info (complete with phone numbers) so the
attacker can start a social engineering attack.

3) Perusal of the X-Mailer: header will usually reveal the exact patchlevel
of the mail software, allowing you to send them a second, hand-crafted
exploit mail targeted to that release's vulnerabilities - and remember that
the guy isn't going to read it till the day he gets back in the office, when
he'll have 2,934 other pieces of mail, and likely will be less careful in
opening mail (A good start is "From: [log in to unmask]" and include
"Here's the updated report you didn't see while you were out - please read
and respond quickly, we have a deadline to meet...." :)
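A defender-side check for the leakage the post describes, added here as an example and not part of the original message: it parses an outbound auto-reply (a constructed sample with made-up names, addresses and numbers), reports the client-version header, phone numbers and "please call" contacts the reply would hand to any stranger who writes in, and strips the version headers the way a mail gateway could before the reply leaves. The header names, regexes and sample are assumptions for the demonstration.

```python
import re
from email import message_from_string
# Headers that reveal the exact mail client and patch level of the sender.
VERSION_HEADERS = ("X-Mailer", "User-Agent", "X-MimeOLE")
# North-American style phone numbers, as typically pasted into an OOO notice.
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]\d{4}\b")
# "please call George Foo" style hand-offs that name an alternate contact.
CONTACT_RE = re.compile(r"(?:[Pp]lease )?(?:[Cc]all|[Cc]ontact)\s+([A-Z][a-z]+(?:\s+[A-Z][a-z]+)+)")

# Constructed sample auto-reply; all names, addresses and numbers are made up.
SAMPLE = """\
From: george.foo@example.com
Subject: Out of Office AutoReply: Q3 report
Auto-Submitted: auto-replied
X-Mailer: ExampleMail 4.2.1 (constructed version string)
Content-Type: text/plain; charset=utf-8

I am out of the office until 28 August. For urgent matters please call
George Foo at (540) 555-0100 or my assistant at 555-555-0199.
"""

def is_auto_reply(msg):
    # RFC 3834 marks auto-replies with Auto-Submitted; older clients only use the subject.
    auto, subject = msg.get("Auto-Submitted", "").lower(), msg.get("Subject", "").lower()
    return auto.startswith("auto-") or "out of office" in subject or "out of the office" in subject

def plain_text(msg):
    # Concatenate the text/plain parts of a (possibly multipart) message.
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")

def audit_auto_reply(raw):
    # Report what an outbound auto-reply would hand to a stranger; {} if it is not one.
    msg = message_from_string(raw)
    if not is_auto_reply(msg):
        return {}
    body = plain_text(msg)
    return {
        "version_headers": [(h, msg[h]) for h in VERSION_HEADERS if h in msg],
        "phone_numbers": PHONE_RE.findall(body),
        "contacts": CONTACT_RE.findall(body),
    }

def strip_version_headers(raw):
    # Gateway-side mitigation: drop client-version headers before the reply leaves.
    msg = message_from_string(raw)
    for name in VERSION_HEADERS:
        del msg[name]  # removes every occurrence of that header
    return msg.as_string()
```

The phone-number and contact findings are what the post's points 2 and 3 warn about; the header strip removes only the patch-level leak, so the wording of the notice itself still needs a policy decision.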
