Change Merlin Messaging admin mailbox from 0 1

[mikestl]

My company has merlin messaging 2.5 installed in a merlin magix 2.0 system. Does anyone know if there is there a way for us to change the administrator mailbox to something other than 0? If that is not possible, is there a way to restrict access so someone calling from an outside line so that they will not be granted access to check mailbox 0? The reason I am asking if because I have concerns as to the integrity of the admin password in merlin messaging. I would rather have offsite administration access blocked alltogether. Can anyone shed any light on this? Any help is apreciated!

 

[GoKings]

You can change the password on the mailbox 0 to have up to... I think it is still at 14 digits. I think that someone would have a real tough time cracking that password. There really isn't a way to prevent outside callers from having access to this mailbox if they have the password. Unfortunately, the mailbox cannot be changed either.

 

[Mongo5150]

Someone wouldnt be able tyo accidently check mail for mailbox 0. UNLESS they pressed *7 and then logged into the admin mailbox. If you are concerned, change the password frequently and write it down.

 

[mikestl]

Thanks for your replies! I understand that you can set a password up to like mentioned something like 14 digits which is a really secure password length.

What I am concerned about however, is that there is a method of bypassing the administrator by use of a special code that avaya put in that is actually LESS than the 6 digits that they reccomend you set the password to (talk about do as I say not as I do). I have checked this method and it works. I can access my company's voicemail administration with it by remote no matter if I have the password or not. It is a code that works on all merlin messaging systems as far as I know and its not serial number specific. I don't want to post this code because that would be contributing to the problem. I didn't want to come right out and mention the existance of a code in the first post becuase I figured that would contribute to it as well. To me it seems similar to putting a really fancy tough to get into lock on your home and then having the lock manfacturer leave a key for it under the doormat. I can understand the critical need to put some method in to reset a system with a lost password. However, I think it should be a method that requires a person to be at the physical site, like a reset button on the module. Either that or it should require some information specific to the module like a serial number or other unique number.

What it seems like really needs to be done is a firmware update by avaya that would make this backdoor code unusable for customers that wish to have it disabled. Maybe I should request to them in writing to do this.

 

[Mongo5150]

Well, that is a backdoor that Avaya/Lucent had put in so when the site administrators lost theirs, avaya could charge you $100 to get in and reset it.

 

[mikestl]

Yeah that is kinda what I figured it was for. Gotta love when security is compromised in the interest of financial gain. I talked to Avaya tech support and they seemed shocked that I knew that code. However I didn't really get a feeling they were going to do much about patching it or rethinking if it should be there. I would think if backdoor codes like this were put into operating systems (for example Microsoft putting in a backdoor in Windows where they can reset passwords) people would be outraged. I suppose phone systems are a whole different animal though.

It seems the only way to force avaya to fix the problem would be to go post the backdoor code all over usenet, hacker/phreaker boards etc. However I don't really beleive in using such guerilla tactics. Plus Avaya would probably have me sued, arrested, rubbed out, etc. Ah well I'm off my soapbox. maybe I should switch to decaf and put down the merlin magix manuals for a while.

P.S. This site is great. So many helpful people. It has really helped in learning how this system ticks