[Users] Zimbra login page is indexed in search engines by default, is this good or bad?

Malte S. Stretz mss at msquadrat.de
Thu Mar 21 22:57:12 CET 2019 

I tend to set it to TRUE on all systems I install. Most customers don't 
like it when their Webmailer appears in the search engines, especially 
if it isn't always patched to the latest version, it makes them 
uncomfortable. Good old security by obscurity. I can understand this 
somewhat; OTOH is it pretty trivial to find Zimbra installations anyway 
via eg. Shodan.


Setting this option will actually have the odd effect that Goodle will 
find it anyway if you happen to hit the right terms but just show no 
description (cf. 
https://support.google.com/webmasters/answer/7489871?hl=en). An 
alternate approach which hides the page better is

zmprov mcf zimbraMailKeepOutWebCrawlers FALSE
zmprov mcf +zimbraResponseHeader "X-Robots-Tag: noindex"
zmmailboxdctl restart


Of course this won't help with people who search for Zimbra and find 
some other installation and type in their password there. On the 
contrary, this will make sure that they won't accidentally find the 
right one.


Since historically Zimbra is more an ISP product it probably makes sense 
to be able to search for it per default. Dunno, I doubt that anybody 
will change the defaults so discussing this is moot.


Cheers,

Malte


On 21/03/2019 22:42, Barry de Graaff wrote:
> That is nice... do you think it should be default?
>
> Kind regards,
>
> Barry de Graaff
> Zeta Alliance
> Co-founder & Developer
> zetalliance.org | github.com/Zimbra-Community
>
> Signal: +31 617 220 227
> Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
>
> ------------------------------------------------------------------------
> *From: *"Malte S. Stretz" <mss at msquadrat.de>
> *To: *users at lists.zetalliance.org
> *Sent: *Thursday, 21 March, 2019 21:54:54
> *Subject: *Re: [Users] Zimbra login page is indexed in search engines 
> by default, is this good or bad?
>
> zmprov mcf zimbraMailKeepOutWebCrawlers TRUE
> zmmailboxdctl restart
>
>
> On 21/03/2019 21:07, Randy Leiker wrote:
>
>     Hi Barry,
>
>     I've seen our own customers do the same thing at times, by
>     Googling "Zimbra" and trying to login to whichever site they find
>     in the search results.
>
>     On Synacor's end, it would be trivial to start discouraging search
>     engine spiders by including a meta tag like this on the login page:
>
>     <meta name="robots"
>     content="noindex,nofollow,noarchive,nosnippet,noimageindex" />
>
>     Combined with adding a robots.txt file in the web site root
>     disallowing indexing of any content on the site, that would at
>     least start reducing the problem gradually as Zimbra admins
>     upgrade over time.  But, of course, it doesn't do anything to help
>     with the current situation.
>
>
>     Randy Leiker (randy at skywaynetworks.com )
>     Skyway Networks, LLC
>     1.800.538.5334 / 913.663.3900 Ext. 100
>     https://skywaynetworks.com <http://www.skywaynetworks.com>
>
>     ------------------------------------------------------------------------
>     *From: *"Info Zeta Alliance" <info at zetalliance.org>
>     *To: *users at lists.zetalliance.org
>     *Sent: *Thursday, March 21, 2019 2:42:02 PM
>     *Subject: *[Users] Zimbra login page is indexed in search engines
>     by default, is this good or bad?
>
>     Hello All,
>
>     Zimbra login page is indexed in search engines by default, is this
>     good or bad?
>
>     I see a lot of spammers taking advantage of this, trying to trick
>     people. By referencing
>     to the domain and found email addresses online.
>
>     Also, I see end users that just google Zimbra and try to log-on on
>     the first hit found,
>     yes I know...
>
>     But what is the use for indexing the login page really? Do you
>     think the default
>     behaviour (indexing) is good?
>
>     Please let me know!
>
>
>     Kind regards,
>
>     Barry de Graaff
>     Zeta Alliance
>     Co-founder & Developer
>     zetalliance.org | github.com/Zimbra-Community
>
>     Signal: +31 617 220 227
>     Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zetalliance.org/pipermail/users_lists.zetalliance.org/attachments/20190321/17f9b0dd/attachment.html>

More information about the Users mailing list