Are out-of-office messages a security hazard?

Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to SearchExchange.com. If we publish it, we'll send you a nifty thank-you gift.

Automatically generated out-of-office messages, like the kind created by Microsoft Outlook, have come under scrutiny as a possible security hazard.

It may seem absurd at first, but there are a number of fairly legitimate reasons why out-of-office messages might pose a hazard. (These may vary in validity depending on conditions at your workplace.)

1. Fuel for dictionary attacks: If a spammer tries to use dictionary attacks (randomly-generated e-mail names) on an organization, an out-of-office reply is proof that a given address is good, and a spammer could add that to a list of known-valid addresses for future spamming runs.

2. Awareness of physical absence: If you run a small business or home office, this tips someone off to the possibility that you may not be physically there. This may sound paranoid, but it's entirely possible that if someone wanted to break into your office (or even your home), they could use this as evidence that you aren't around and take advantage of that.

   Larger businesses might not need to be as concerned about this particular issue unless their existing security isn't up to snuff. That said, I personally know of at least one incident where someone was able to gain access to a person's office by posing as a spouse, thanks to a too-friendly receptionist. The incident was benign, but someone with less than the best of intentions could also have taken advantage of this situation.

3. Social engineering attacks: Out-of-office messages with too much detail can give an outsider that much more leverage to perform "social engineering," -- i.e., penetrate the security of an organization by working through people and exploiting their gullibility. For instance, out-of-office messages with phone numbers could potentially be exploited through social engineering methods.

4. Message-looping issues: Generally, a properly-managed e-mail system should not have message-looping issues, since Microsoft Outlook Out of Office is set to fire only once per sender. However, your Exchange server's interactions with other e-mail systems, such as some fax clients, can cause mail loops. This is a rare occurrence, but it's been known to happen.

Some ...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Exchange Security Tips How to install Forefront Security for Exchange Server Is full email encryption the solution to Exchange security? Lock down direct file access and protect OWA users Controlling spam in Exchange 2007 at the edge transport server level When to use a self-signed certificate with Exchange Server 2007 Obtaining and verifying SSL certificates in Exchange Server How file-level antivirus software can harm your Exchange Server Understanding Exchange Server 2007 SP1 mobile security settings Which ActiveSync authentication method is best for your mobile device? Why you should secure Exchange 2007 using administrative policies Exchange Server Security OWA 'Loading' problems with Internet Explorer security zones New Exchange Server tools named as Products of the Year Beware of bare linefeeds in Exchange Server email Top 10 Exchange Server administration tips of 2006 Enabling protocol logging for Exchange Server Eliminate annoying Microsoft Outlook security warnings with ClickYes Pro Forefront beta secures SharePoint collaboration Dell, Symantec simplify Secure Exchange for SMBs Tutorial: How to determine which ports Exchange Server is using Unsecured devices worry IT professionals Exchange Server Security Research Spam and virus protection How to install Forefront Security for Exchange Server Block Web beacons and protect OWA users from spam Controlling spam in Exchange 2007 at the edge transport server level How file-level antivirus software can harm your Exchange Server Problems with email spoofing on SBS 2003 Exchange Insider e-zine Securing your Exchange Server 2007 journaling archives Troubleshooting Outlook Web Access issues on a 64-bit system Microsoft Exchange Server security dos and don'ts Troubleshooting Microsoft Exchange Server Event ID error 6009 Spam and virus protection Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary backscatter spam  (SearchExchange.com) greylist  (SearchExchange.com) image spam  (SearchExchange.com) KnujOn  (SearchExchange.com) Sender ID  (SearchExchange.com) spam confidence level  (SearchExchange.com) spamblock  (SearchExchange.com) spim  (SearchExchange.com) tarpitting  (SearchExchange.com) Vouch by Reference (VBR)  (SearchExchange.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

organizations now administratively prohibit the use of out-of-office auto-replies for the above reasons. This can be done a number of ways; the most common and easiest is usually to administratively disable auto-reply and auto-forward to the Internet (via the Internet Mail Connector). The default setting for auto-reply is disabled.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter.

Do you have comments on this tip? Let us know.

Related information from SearchExchange.com:

Reference Center: Exchange Server security tips and resources

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.