Tip

Are out-of-office messages a security hazard?

Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to SearchExchange.com. If we publish

    Requires Free Membership to View

it, we'll send you a nifty thank-you gift.

Automatically generated out-of-office messages, like the kind created by Microsoft Outlook, have come under scrutiny as a possible security hazard.

It may seem absurd at first, but there are a number of fairly legitimate reasons why out-of-office messages might pose a hazard. (These may vary in validity depending on conditions at your workplace.)

  1. Fuel for dictionary attacks: If a spammer tries to use dictionary attacks (randomly-generated e-mail names) on an organization, an out-of-office reply is proof that a given address is good, and a spammer could add that to a list of known-valid addresses for future spamming runs.

  2. Awareness of physical absence: If you run a small business or home office, this tips someone off to the possibility that you may not be physically there. This may sound paranoid, but it's entirely possible that if someone wanted to break into your office (or even your home), they could use this as evidence that you aren't around and take advantage of that.

    Larger businesses might not need to be as concerned about this particular issue unless their existing security isn't up to snuff. That said, I personally know of at least one incident where someone was able to gain access to a person's office by posing as a spouse, thanks to a too-friendly receptionist. The incident was benign, but someone with less than the best of intentions could also have taken advantage of this situation.

  3. Social engineering attacks: Out-of-office messages with too much detail can give an outsider that much more leverage to perform "social engineering," -- i.e., penetrate the security of an organization by working through people and exploiting their gullibility. For instance, out-of-office messages with phone numbers could potentially be exploited through social engineering methods.

  4. Message-looping issues: Generally, a properly-managed e-mail system should not have message-looping issues, since Microsoft Outlook Out of Office is set to fire only once per sender. However, your Exchange server's interactions with other e-mail systems, such as some fax clients, can cause mail loops. This is a rare occurrence, but it's been known to happen.

Some organizations now administratively prohibit the use of out-of-office auto-replies for the above reasons. This can be done a number of ways; the most common and easiest is usually to administratively disable auto-reply and auto-forward to the Internet (via the Internet Mail Connector). The default setting for auto-reply is disabled.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter.

Do you have comments on this tip? Let us know.

Related information from SearchExchange.com:

  • Tip: Selectively suppress out-of-office replies with SelectiveOOF
  • E-mail Security School: Locking down Exchange Server
  • Learning Guide: How to fight spam on Exchange Server
  • Reference Center: Exchange Server security tips and resources

    This was first published in May 2006

  • There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.