Problem solve Get help with specific problems with your technologies, process and projects.

Out-of-office messages: A security hazard?

Automatically generated out-of-office messages, like the kind created by Microsoft Outlook, have come under scrutiny as a possible security hazard for a number of reasons. Should organizations prohibit the use of out-of-office messages? Serdar Yegulalp explains the potential risks.

Automatically generated out-of-office messages, like the kind created by Microsoft Outlook, have come under scrutiny...

as a possible security hazard.

It may seem absurd at first, but there are a number of fairly legitimate reasons why out-of-office messages might pose a hazard. (These may vary in validity depending on conditions at your workplace.)

  1. Fuel for dictionary attacks: If a spammer tries to use dictionary attacks (randomly-generated e-mail names) on an organization, an out-of-office reply is proof that a given address is good, and a spammer could add that to a list of known-valid addresses for future spamming runs.

  2. Awareness of physical absence: If you run a small business or home office, this tips someone off to the possibility that you may not be physically there. This may sound paranoid, but it's entirely possible that if someone wanted to break into your office (or even your home), they could use this as evidence that you aren't around and take advantage of that.

    Larger businesses might not need to be as concerned about this particular issue unless their existing security isn't up to snuff. That said, I personally know of at least one incident where someone was able to gain access to a person's office by posing as a spouse, thanks to a too-friendly receptionist. The incident was benign, but someone with less than the best of intentions could also have taken advantage of this situation.

  3. Social engineering attacks: Out-of-office messages with too much detail can give an outsider that much more leverage to perform "social engineering," -- i.e., penetrate the security of an organization by working through people and exploiting their gullibility. For instance, out-of-office messages with phone numbers could potentially be exploited through social engineering methods.

  4. Message-looping issues: Generally, a properly-managed e-mail system should not have message-looping issues, since Microsoft Outlook Out of Office is set to fire only once per sender. However, your Exchange server's interactions with other e-mail systems, such as some fax clients, can cause mail loops. This is a rare occurrence, but it's been known to happen.

Some organizations now administratively prohibit the use of out-of-office auto-replies for the above reasons. This can be done a number of ways; the most common and easiest is usually to administratively disable auto-reply and auto-forward to the Internet (via the Internet Mail Connector). The default setting for auto-reply is disabled.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter.

This tip originally appeared on

This was last published in May 2006

Dig Deeper on Emerging cyberattacks and threats