Out-of-office messages: A security hazard?

Automatically generated out-of-office messages, like the kind created by Microsoft Outlook, have come under scrutiny as a possible security hazard.

It may seem absurd at first, but there are a number of fairly legitimate reasons why out-of-office messages might pose a hazard. (These may vary in validity depending on conditions at your workplace.)

1. Fuel for dictionary attacks: If a spammer tries to use dictionary attacks (randomly-generated e-mail names) on an organization, an out-of-office reply is proof that a given address is good, and a spammer could add that to a list of known-valid addresses for future spamming runs.

2. Awareness of physical absence: If you run a small business or home office, this tips someone off to the possibility that you may not be physically there. This may sound paranoid, but it's entirely possible that if someone wanted to break into your office (or even your home), they could use this as evidence that you aren't around and take advantage of that.

   Larger businesses might not need to be as concerned about this particular issue unless their existing security isn't up to snuff. That said, I personally know of at least one incident where someone was able to gain access to a person's office by posing as a spouse, thanks to a too-friendly receptionist. The incident was benign, but someone with less than the best of intentions could also have taken advantage of this situation.

3. Social engineering attacks: Out-of-office messages with too much detail can give an outsider that much more leverage to perform "social engineering," -- i.e., penetrate the security of an organization by working through people and exploiting their gullibility. For instance, out-of-office messages with phone numbers could potentially be exploited through social engineering methods.

4. Message-looping issues: Generally, a properly-managed e-mail system should not have message-looping issues, since Microsoft Outlook Out of Office is set to fire only once per sender. However, your Exchange server's interactions with other e-mail systems, such as some fax clients, can cause mail loops. This is a rare occurrence, but it's been known to happen.

Some organizations now administratively prohibit the use of out-of-office auto-replies for the above reasons. This can be done a number of ways; the most common and easiest is usually to administratively disable auto-reply and auto-forward to the Internet (via the Internet Mail Connector). The default setting for auto-reply is disabled.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter.

This tip originally appeared on SearchExchange.com.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Emerging Information Security Threats,   Application and Platform Security,   Email Protection,   Email Security Guidelines, Encryption and Appliances,   Email and Messaging Threats (spam, phishing, instant messaging),   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Emerging Information Security Threats RSA security conference 2010: news, interviews and updates Hackers to sharpen malware, malicious software in 2010 Modern malware, stealthy botnets, adapt quickly, expert says New ransomware Trojan pushes victims to buy software Bruce Schneier on outsourcing, awareness training US-CERT warns of BlackBerry snooping software Marcus Ranum on cyberwarfare, infosec careers Researchers find thousands of flawed embedded devices Enterprise botnets contain thousands of malware variants Nuke and pave to eradicate botnets Email Security Guidelines, Encryption and Appliances How to confirm the receipt of an email with security protocols Best Email Security Products Can an IP spoofing tool be used to spam SPF servers? WatchGuard acquires email and Web security vendor BorderWare McAfee to acquire email SaaS vendor MX Logic What does 'invoked by uid 78' mean? How to configure firewall ports for webmail system implementation Fierce competition prompted new Cisco email security options Cisco brings email security appliances closer to SaaS Cisco offers more email security choices, but lacks vision Email and Messaging Threats (spam, phishing, instant messaging) Messaging security risks have upper hand on solutions Web-based attacks skyrocket, pirating sites surge, security firms say Pushdo botnet uses Facebook to spread malicious email attachment Scareware report highlights successful business model How to prevent phishing attacks with social engineering tests Phishing protection begins with training, antiphishing evangelist Phishing attacks to remain a major problem, say security experts Barracuda acquires Purewire expanding Web security reach FBI raids phishing crime ring, nearly 100 arrested Massive phishing scheme affects Microsoft Hotmail accounts Email and Messaging Threats (spam, phishing, instant messaging) Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DNS rebinding attack  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) man in the browser  (SearchSecurity.com) phlashing  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) pulsing zombie  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.