
Are Out-of-Office Messages A Security Problem?


Jon Westfall
05-13-2006, 02:00 PM
http://searchexchange.techtarget.com/tip/1,289483,sid43_gci1187498,00.html?track=NL-362&ad=551208

"Automatically generated out-of-office messages, like the kind created by Microsoft Outlook, have come under scrutiny as a possible security hazard. It may seem absurd at first, but there are a number of fairly legitimate reasons why out-of-office messages might pose a hazard. (These may vary in validity depending on conditions at your workplace.)"

This short piece brings up a few valid points about why out-of-office messages are probably best avoided. I've personally seen some really horrible things happen as a result of auto-responses in general (e.g. I had a client set up an autoresponder on a spam-laden email box that said "This email will not be read; if you need to email us, contact [email protected]" - not only did this clutter up my server's mail queue with undeliverable messages, it also gave any spammer with a legit address a valid email - [email protected]!). So beware of using that out-of-office feature - and if you do use it, use it wisely ;)

Edgar_
05-13-2006, 04:23 PM
I believe the Exchange administrator can set it up so that autoresponses only occur within its domain and won't be sent across the Internet.

My last job did this somehow. It was great because you could set it up for the internal business to know who to contact if there was a problem, but not respond to the Internet.

You can also, via an Outlook rule, set it up so it only responds to those in your Contacts and the GAL.

These are all good things to do, for no other reason than that you don't want to autorespond to spam.
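The two controls described above (an organisation-wide block on auto-replies leaving for the Internet, and a per-user restriction to known contacts), as an added example in Exchange Management Shell syntax; this is not code from the thread or from Microsoft's documentation. It assumes Exchange 2007 or later, or Exchange Online, with the Exchange cmdlets loaded; the mailbox `jdoe`, the domain `partner.example` and the message texts are placeholders.

```powershell
# Added example (not from the thread). Assumes an Exchange Management Shell
# session; 'jdoe', 'partner.example' and the message texts are placeholders.

# 1. Organisation-wide: which remote domains may receive auto-replies at all?
#    AutoReplyEnabled $true on the Default remote domain (DomainName *) means
#    every external sender, spammer included, gets the out-of-office reply.
Get-RemoteDomain | Format-Table Name, DomainName, AutoReplyEnabled, AllowedOOFType

# Weak setting: OOO replies leak to the whole Internet.
# Set-RemoteDomain -Identity Default -AutoReplyEnabled $true -AllowedOOFType External

# Corrected: keep OOO replies inside the organisation, then open them up only
# for one trusted partner domain if the business genuinely needs that.
Set-RemoteDomain -Identity Default -AutoReplyEnabled $false -AllowedOOFType None
New-RemoteDomain -Name 'Partner' -DomainName 'partner.example'
Set-RemoteDomain -Identity 'Partner' -AutoReplyEnabled $true -AllowedOOFType External

# 2. Per mailbox: who outside the organisation gets the external reply.
#    ExternalAudience None  = nobody outside
#    ExternalAudience Known = only senders in the user's Contacts
#    ExternalAudience All   = everyone (the address-harvesting case)
#    The external text deliberately gives no dates and no alternate contact.
Set-MailboxAutoReplyConfiguration -Identity 'jdoe' `
    -AutoReplyState Enabled `
    -ExternalAudience Known `
    -InternalMessage 'Out until Monday; for urgent matters contact the team mailbox.' `
    -ExternalMessage 'I am currently unavailable and will reply when I return.'

# 3. Audit: mailboxes whose OOO is on and addressed to everyone outside.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxAutoReplyConfiguration |
    Where-Object { $_.AutoReplyState -ne 'Disabled' -and $_.ExternalAudience -eq 'All' } |
    Select-Object Identity, AutoReplyState, ExternalAudience
```

On Exchange 2003, which the posters here were running, the organisation-wide switch is the "Allow out of office responses" box on the Advanced tab of the default Internet Message Format under Global Settings in Exchange System Manager; the per-user ExternalAudience Known setting corresponds to the "My Contacts only" option in the Outlook 2007 Out of Office Assistant.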

Ed Hansberry
05-13-2006, 06:52 PM
I never looked at it as a security issue. Their first reason is invalid. Most systems return the email if the address is invalid, so if someone wants a dictionary attack on valid addresses, just keep sending emails until they don't bounce. Out of office notice or not, a non-bouncing email means it hit a valid address.

The looping concern is amusing. When we first got our system up and running on Exchange 5.5, we didn't have OWA installed, so unless you had a laptop and modem, you couldn't dial in and check emails. One user had all his forwarded to his Hotmail account. That was OK until he got a 4MB attachment. It got sent to his Hotmail account, which returned the whole message with the attachment, which his rule promptly forwarded to his Hotmail account, which returned the message, which... well, you can see where this is going. Fortunately it was a weekday and I noticed the server hard drive space was slowly being eaten away. :mrgreen: It has nothing to do with the Out of Office reply, but he was out of the office, so it's sort of relevant. :wink:

All that said, I turned off Out of Office replies for external addresses for several other reasons.
• It is unprofessional today. There is no excuse for not either checking your own emails when out or having someone else checking them in your absence.
• It is a perfect way for spammers to harvest addresses. A bounced email never gets you removed from the spammer's email system, and a non-bounced message is meaningless, but a reply is a sure-fire way to be validated.

Exchange comes with this disabled, and it is a good idea. I used to enable it until the spam problem got so bad. :?

hazcaddy
05-13-2006, 09:26 PM
I just can't persuade my father-in-law not to put Out-of-Office autoreplies on his home computer when he goes on vacation.

Anybody e-mailing him gets to know exactly how much time they have to come and clean out his house, garage, etc.

This is a basic "come and get it", and the concepts of OPSEC are thrown out the window...

runbuh
05-14-2006, 04:43 PM
• It is unprofessional today. There is no excuse for not either checking your own emails when out or having someone else checking them in your absence.


I'll have to disagree with blanket statements like the one above, Ed. Many people receive confidential, work-related emails. Heck, my company even sends an electronic pay stub to my inbox every pay day. That severely restricts the number of people who I would have monitor my inbox while I am out (and they don't have time to monitor my inbox in addition to their own).

In this (my?) case, the best defense is a good offense: people who might need to reach me know where I am going before I leave.

Also - for people internal to my company, I keep my calendar up to date (and viewable), my OOO reply is set, and my cell is in the GAL. On business trips, I do monitor my email, voice mail, and cell phone.

Ed Hansberry
05-14-2006, 06:16 PM
• It is unprofessional today. There is no excuse for not either checking your own emails when out or having someone else checking them in your absence.


I'll have to disagree with blanket statements like the one above, Ed. Many people receive confidential, work-related emails. Heck, my company even sends an electronic pay stub to my inbox every pay day. That severely restricts the number of people who I would have monitor my inbox while I am out (and they don't have time to monitor my inbox in addition to their own).
But if it is important, then you should make arrangements. And in the case of your paystub (which should be encrypted/password protected anyway - do you trust your email admin to not snoop?), is a reply needed? Either your company puts enough value on your job to give you some form of remote access or they are being unprofessional, and cheap.

And on internal replies, that is no problem as those never leave the LAN anyway. I use those too. I just don't allow OOO replies to leave the domain, for the reasons listed above.

Edgar_
05-14-2006, 06:35 PM
Either your company puts enough value on your job to give you some form of remote access or they are being unprofessional, and cheap.


This is again a blanket statement and very unfair. Many secure government offices allow ZERO remote access, including many military locations.

Also, you assume that many SMBs (small and medium businesses, which make up 60% of the workforce) have the know-how and/or funds available to run a full remote access capability.

Many of my not-for-profit agency clients wish they could fund or provide this, but it's simple economics. We're working on a program of creating the service by pooling resources across three or four agencies. These people would rather spend the $200 a month for services and equipment on a client instead of on the service. They understand the ramifications and the benefits. But again, it's simple economics. Their limit of remote access remains OWA, and that's about it; many do not even have that.

All of our Fortune 500 customers have minimally OWA; most have dial-in, self-supported RAS or use a service such as i-Pass. This doesn't mean they manage the security correctly, or block OOO messages across the Internet.

Lastly, a good portion of the users that are using OOO insecurely are individual email accounts. With the advent of free MSN, Hotmail, AIM, Google, etc. mail - most with OOO capabilities - people need to be informed of the risks of blanket OOO replies vs. controlled responses.

Ed Hansberry
05-14-2006, 07:16 PM
Either your company puts enough value on your job to give you some form of remote access or they are being unprofessional, and cheap.


This is again a blanket statement and very unfair. Many secure government offices allow ZERO remote access, including many military locations.
But it is OK to have out-of-office replies go out to whomever, telling someone that the person in the secure government office is not in? :?:

Also, you assume that many SMBs (small and medium businesses, which make up 60% of the workforce) have the know-how and/or funds available to run a full remote access capability.
Nope, but either an SMB has an email server, and they all have remote access capabilities, or they are so small that they use POP3 accounts, and those ALL have remote capabilities, and most have web interfaces. With mail2web, they all do. I am not sure how "remote access" has somehow become equated with "mobile device access" in this thread.

All of our Fortune 500 customers have minimally OWA; most have dial-in, self-supported RAS or use a service such as i-Pass. This doesn't mean they manage the security correctly, or block OOO messages across the Internet.
You seriously expect me to believe that any F500 company is so incompetent at IT that they can't do very basic email admin? Come on... someone is stretching here... :roll:

Lastly, a good portion of the users that are using OOO insecurely are individual email accounts. With the advent of free MSN, Hotmail, AIM, Google, etc. mail - most with OOO capabilities - people need to be informed of the risks of blanket OOO replies vs. controlled responses.
Hence my labeling this practice unprofessional. Anyone in business with us who contacts me via a Hotmail, Yahoo or any other free account like that immediately goes down several notches in my book. It is incredibly cheap and easy to get your own domain with Yahoo. Anyone in business, even a small single user, not professional enough to do something as basic as that is not, IMO, professional at all. I'd also expect to get a Christmas card from such an individual printed off their color inkjet and folded four times to look like a greeting card.

Edgar_
05-14-2006, 08:10 PM
It's best I move this topic to unwatched.

Because most of that is not real world response. And is painting with a single brush and a single color.

Having Exchange in the office does not equate to being remote access capable. A car can move, but it can't without gas. Exchange for a non-profit is actually pretty inexpensive under MS's nonprofit licensing; remote access is not.

If you actually believe that Fortune 500s all have great security, awesome IT departments and such, you are out of touch. I know a major national bank that has open remote access for staff, and a single layer of firewalls. They've been dinged in report after report - they're idiots and eventually will be busted - it doesn't mean they do IT right just because they are Fortune 500. As to a good email admin - laugh - there is a major wireless carrier we all speak of here that has unlimited Exchange email inboxes for all (thousands) of staff, backups of the server are nearly non-existent, and they, with their parent company, are worth multibillions.

Jon's original message never mentioned "mobile device access" thus the reason it is in Off-Topic I suspect.

Labeling someone as unprofessional because of the mail they use is also ignorant. I use my Gmail for personal contact with others where I don't want my office involved, or to imply my office is involved; this includes industry executives, vendors and other professionals. I think that is professional, not unprofessional. And I'm an executive and manage a large IT shop and carry a 7-digit budget; with 25 years' experience I'm not speaking in a vacuum.

Anyways - unwatched.

Oh, and a hand-made card, whether on inkjet or hand drawn, I would think would show more care than a store-bought cliche card. But hey, that's just my thought; to each their own.

Janak Parekh
05-15-2006, 02:48 AM
I never looked at it as a security issue. Their first reason is invalid. Most systems return the email if the address is invalid, so if someone wants a dictionary attack on valid addresses, just keep sending emails until they don't bounce. Out of office notice or not, a non-bouncing email means it hit a valid address.
Not always. I turn off NDRs in Exchange 2003, because often the bounce bounces as well, as the original's email source address was forged, generating more garbage sent to postmaster/Administrator. An OOO is a stronger guarantee not only of a valid email address, but of one that someone actually uses, to the point of putting an OOO on it, as opposed to some unattended box on a server without NDRs.

Anyway, I detest OOO messages myself as well. I mail-filter any OOOs sent back to me. Alas, SMBs (including a few that I administer) insist upon it because, apparently, remote people start freaking out if people don't reply to an email within an hour. 8O I've had customers ask me how to set up OOOs that reply not just once a day but once per email, because remote parties seem to occasionally miss the OOO! :?

Often the freak-out-ish sources are from large, disorganized companies, and that makes it difficult to notify them. Email-based workflows are often inefficient, and have really led to a lot of sloppiness in corporate communications; OOOs are just one symptom.

--janak
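The decision logic that ties the thread's points together (Edgar_'s "Contacts and GAL only" rule, Ed's harvesting concern, the forward-loop story, and the OOO filter Janak mentions), as an added PowerShell example; it is not code from the thread or from any product, and needs no Exchange to run. It applies the suppression rules of RFC 3834 (never answer mail marked Auto-Submitted, mail with a null reverse path, bulk or list mail), answers only senders on an allow-list that stands in for Contacts/GAL, answers each sender once, and shows that a reply built this way is itself suppressed by a similar responder on the other side. The function names, the messages and every address are constructed for the example.

```powershell
# Added example, not from the thread. Runs in Windows PowerShell 5.1 or PowerShell 7
# with no Exchange dependency; all messages, names and addresses are constructed.

function ConvertFrom-RawMessage {
    # Header block of a raw RFC 5322 message -> hashtable (keys are case-insensitive).
    param([Parameter(Mandatory)][string]$Raw)
    $headers = @{}
    $last = $null
    foreach ($line in (($Raw -split "`r?`n`r?`n", 2)[0] -split "`r?`n")) {
        if ($line -match '^\s+\S' -and $last) {             # folded continuation line
            $headers[$last] += ' ' + $line.Trim()
        } elseif ($line -match '^([^:\s]+):\s*(.*)$') {
            $last = $Matches[1]
            $headers[$last] = $Matches[2].Trim()
        }
    }
    return $headers
}

function Get-AddressPart {
    # Bare lower-cased address from "Name <addr>" or "addr"; '' for the null path <>.
    param([string]$Header)
    if ($Header -match '<([^>]*)>') { return $Matches[1].ToLowerInvariant() }
    return $Header.Trim().ToLowerInvariant()
}

function Get-MessageKind {
    # 'automated' (auto-reply, bounce, notification), 'list' (bulk or list mail) or
    # 'human'; only 'human' may be answered (RFC 3834 section 2). Also usable on
    # your own inbox to filter out the OOO replies other people send you.
    param([hashtable]$H)
    $auto = "$($H['Auto-Submitted'])"
    if ($auto -and (($auto -split ';')[0].Trim() -ne 'no')) { return 'automated' }
    if ($H['X-Auto-Response-Suppress'] -or $H['X-Autoreply']) { return 'automated' }
    if ($H['Return-Path'] -and ((Get-AddressPart ($H['Return-Path'])) -eq '')) { return 'automated' }
    if ("$($H['Subject'])" -match '^(automatic reply|out of office|auto:|autoreply)') { return 'automated' }
    if ("$($H['Precedence'])" -match '^(bulk|list|junk)$' -or $H['List-Id']) { return 'list' }
    return 'human'
}

function Test-ShouldAutoReply {
    # 'reply' or 'suppress: <reason>' for one inbound message.
    param(
        [Parameter(Mandatory)][string]$Raw,
        [string[]]$KnownSenders = @(),    # stands in for Outlook Contacts / the GAL
        [string[]]$AlreadyReplied = @()   # senders already answered in this OOO period
    )
    $h = ConvertFrom-RawMessage $Raw
    $kind = Get-MessageKind $h
    if ($kind -ne 'human') { return "suppress: message is $kind" }
    $sender = Get-AddressPart ($h['From'])
    if (-not $sender) { return 'suppress: no sender address' }
    if ($KnownSenders -notcontains $sender) { return 'suppress: sender not in contacts/GAL' }
    if ($AlreadyReplied -contains $sender) { return 'suppress: already replied to this sender' }
    return 'reply'
}

function New-AutoReply {
    # Mark the reply as automatic so no responder on the other side answers it;
    # the MTA should also send it with an empty envelope sender (MAIL FROM:<>).
    param([hashtable]$Original, [string]$From, [string]$Body)
    $lines = @("From: $From", "To: $($Original['From'])",
               "Subject: Automatic reply: $($Original['Subject'])",
               'Auto-Submitted: auto-replied', 'X-Auto-Response-Suppress: All')
    if ($Original['Message-ID']) { $lines += "In-Reply-To: $($Original['Message-ID'])" }
    return (($lines -join "`n") + "`n`n" + $Body + "`n")
}

# Constructed samples: a known contact, bulk mail, someone else's OOO, a stranger.
$known = @('alice@partner.example')
$samples = [ordered]@{
    known    = "From: Alice <Alice@partner.example>`nSubject: Contract draft`nMessage-ID: <1001@partner.example>`n`nCan you look at the draft?"
    bulk     = "From: deals@bulkmail.example`nSubject: Special offer`nPrecedence: bulk`n`nBuy now."
    ooo      = "From: Bob <bob@elsewhere.example>`nSubject: Automatic reply: Contract draft`nAuto-Submitted: auto-replied`n`nOut until the 20th."
    stranger = "From: carol@unknown.example`nSubject: Quick question`n`nAre you in?"
}

foreach ($name in $samples.Keys) {
    '{0,-9} {1}' -f $name, (Test-ShouldAutoReply -Raw $samples[$name] -KnownSenders $known)
}
# A second mail from Alice in the same OOO period is not answered again.
Test-ShouldAutoReply -Raw $samples['known'] -KnownSenders $known -AlreadyReplied $known
# Loop check: our own reply, as seen by a responder on Alice's side, is suppressed.
$ours = New-AutoReply -Original (ConvertFrom-RawMessage $samples['known']) -From 'me@corp.example' -Body 'Back on Monday.'
Test-ShouldAutoReply -Raw $ours -KnownSenders @('me@corp.example')
```

Only the known contact gets "reply"; the bulk message, the foreign OOO and the stranger are all suppressed before any address is confirmed to them, which is the harvesting point Ed makes. The allow-list check is what makes the difference between a blanket reply and a controlled one: without it, the stranger (or a spammer) would be validated exactly as the bounce-versus-reply discussion above describes.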