The Dangers of Out-of-Office Auto-Reply Messages

You never know who you're replying to


So, you're headed off on a business trip. You've got your plane tickets, hotel reservations, and everything is good to go. Only one thing left to do: set your Outlook out-of-office auto-reply message so that clients or coworkers e-mailing you will know how to contact you while you're away, or who they can contact during your absence.

Seems like the responsible thing to do, right?

Wrong! Out-of-office auto-replies can be a huge security risk.

Out-of-office replies can reveal a surprising amount of sensitive data about you to anyone who happens to e-mail you while you're away.

Here's an example of a common out-of-office reply:

"I will be out of the office at the XYZ conference in Burlington, Vermont during the week of June 1-7. If you need any help with invoice-related issues during this time, please contact my supervisor, Joe Somebody, at 555-1212. If you need to reach me during my absence you can reach me on my cell at 555-1011.

Bill Smith - VP of Operations - Widget Corp
Smithb@widgetcorp.dom
555-7252"

While the message above is helpful, it may also be harmful: in a couple of short sentences, the person who wrote it revealed some incredibly useful information about himself. This information could be used by criminals for social engineering attacks.

The example out-of-office reply above provides an attacker with:

Current Location Information

Revealing your location tells attackers both where you are and where you aren't. If you say you're in Vermont, then they know that you aren't at your home in Virginia. This would be a great time to rob you. If you said you were at the XYZ conference (as Bill did), then they know where to look for you.

They also know that you're not in your office and that they might be able to talk their way into it with a story like:

"Bill told me to pick up the XYZ report. He said it was on his desk. Do you mind if I pop in his office and grab it?" A busy secretary might just let a stranger into Bill's office if the story seems plausible.

Contact information

The contact information that Bill revealed in his out-of-office reply may help scammers piece together elements needed for identity theft. They now have his e-mail address, his work and cell numbers, and his supervisor's contact info as well.

When someone sends Bill a message while his auto-reply is turned on, his e-mail server sends the auto-reply back to them, which in effect confirms Bill's e-mail address as a valid, working address. E-mail spammers love getting confirmation that their spam reached a real, live target. Bill's address will likely now be added to other spam lists as a confirmed hit.

Place of employment, job title, line of work, and chain of command

Your signature block often provides your job title, the name of the company you work for (which also reveals what type of work you do), your e-mail, and your phone and fax numbers.

If you added "while I'm out please contact my supervisor, Joe Somebody" then you just revealed your reporting structure and your chain of command as well.

Social engineers could use this information for impersonation attacks. For instance, they could call your company's HR department pretending to be your boss and say, "This is Joe Somebody. Bill Smith is off on a trip and I need his Employee ID and Social Security Number so I can correct his company tax forms."

Some out-of-office message setups allow you to restrict the reply so that it only goes to senders within your own e-mail domain, but most people have clients and customers outside of that domain, so this feature alone won't help them.

How can you create a safer out-of-office auto-reply message?

1. Be intentionally vague

Instead of saying that you will be somewhere else, say that you will be "unavailable". "Unavailable" could mean you are still in town, or in the office taking a training class. It helps keep the bad guys from knowing where you really are.

2. Don't provide contact info

Don't give out phone numbers or e-mails. Tell them that you will be monitoring your e-mail account should they need to contact you.

3. Leave out all personal information and remove your signature block

Remember that complete strangers and possibly scammers and spammers may see your auto-reply. If you wouldn't normally give this info to strangers, don't put it in your auto-reply.
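As an added example (not from the original article), here is how the three rules above and the domain-restriction feature mentioned earlier map onto Exchange mailbox auto-reply settings: a detailed message for coworkers, an intentionally vague one for everyone else, and a check that the external text leaks nothing. It assumes an Exchange Online PowerShell session with rights to manage the mailbox; the mailbox address and message wording are taken from Bill's example.

```powershell
# Added example: Exchange mailbox auto-reply configuration.
# Assumes Connect-ExchangeOnline has already been run with admin rights.
$Mailbox = 'Smithb@widgetcorp.dom'   # address from the article's example

# Weak setting (for contrast only): one detailed message sent to everyone,
# including strangers and spammers, exactly like the article's example.
# Set-MailboxAutoReplyConfiguration -Identity $Mailbox -AutoReplyState Enabled `
#     -ExternalAudience All `
#     -ExternalMessage 'I will be at the XYZ conference in Burlington ... cell 555-1011'

# Safer setting: the specifics stay inside the organization (rule 1 and 2 apply
# only to outsiders); external senders get a vague message with no location,
# phone numbers or signature block (rule 3), and only senders already in the
# user's contacts receive it (the domain-restriction feature, middle option).
$InternalMessage = 'I am out of the office the week of June 1-7. ' +
    'For invoice-related issues please contact Joe Somebody.'
$ExternalMessage = 'Thank you for your message. I am currently unavailable ' +
    'and will be monitoring my e-mail periodically.'

Set-MailboxAutoReplyConfiguration -Identity $Mailbox `
    -AutoReplyState Enabled `
    -InternalMessage $InternalMessage `
    -ExternalMessage $ExternalMessage `
    -ExternalAudience Known   # None = no external reply at all; All = everyone

# Check: confirm who receives the external reply and that its text contains
# no phone number or conference/location wording before the trip starts.
$cfg = Get-MailboxAutoReplyConfiguration -Identity $Mailbox
$cfg | Select-Object AutoReplyState, ExternalAudience

if ($cfg.ExternalAudience -eq 'All') {
    Write-Warning 'External auto-reply is sent to every outside sender.'
}
if ($cfg.ExternalMessage -match '\b\d{3}-\d{4}\b|conference|Burlington') {
    Write-Warning 'External message appears to leak a phone number or location.'
}
```

Setting -ExternalAudience to None suppresses the outside reply entirely, which also removes the "confirmed live address" signal spammers look for.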

Just a note to my readers, I will be in Disney World all next week, but you can reach me by carrier pigeon (just kidding about the Disney World part).