Are out of office (OOF) messages a security risk? (Microsoft uses the acronym OOF for Out of Facility. I’ll be using that rather than OoO for out of office.)
I’ve felt that the anti-OOF forces are the kind of Luddite people who still agitate for a return to text-only email. Maybe I should reconsider.
Out of office messages could inadvertently disclose information. “I’m out of the office, check with Joe at 555-12324.” Now the bad guy has another contact name. In this era of LinkedIn, I’m not sure how big a disclosure this would be. You decide for your environment.
OOF messages could verify your email address to spammers.
Your spam product and mail server should be blocking directory harvest attacks at the gateway. I wonder if it’s still true that “verified” email addresses are more valuable to attackers. Either way, my spam filter prevents spam from reaching my inbox anyway.
OOF messages could help an attacker engage in social engineering.
Now that the bad guy knows Joe is the backup, they know he may not know procedure as well. “Roger let me do that.” Personally I think that is a problem with training, not OOF.
OOF messages could alert an attacker that it’s time to break into your home.
While there are stories about burglaries when someone posted their vacation schedule on Twitter, that is often neighborhood kids and people you know. Not using an OOF doesn’t exactly help there.
Now that we’ve gone through some OOF FUD, how can you OOF safely?
1. If you’re running Exchange 2007 or later you have the ability to use a different message for internal senders and contacts versus external senders.
2. Sign off of any mailing lists or set them to “no mail” where possible. You don’t need to be annoying the list with your out of office notes. I think this is the real root of the anti-OOF forces, annoyance with mailing list OOF backscatter.
3. The less said the better.
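As an added example (not from the original post), points 1 and 3 can be applied together with the Exchange Management Shell cmdlet Set-MailboxAutoReplyConfiguration, which exists in Exchange 2010 and later and in Exchange Online; the mailbox name, dates and backup contact below are constructed placeholders.

```powershell
# Added example: separate internal and external OOF text from the Exchange Management Shell.
# Assumes Exchange 2010+ or Exchange Online; 'jdoe' is a placeholder mailbox.
$Mailbox = 'jdoe'

# Internal colleagues get the detail they need: who covers and until when.
# (Name, extension and dates are constructed sample values.)
$InternalMessage = @"
I am out of the office until Monday, 14 March.
For urgent matters please contact Joe Smith (ext. 1234).
"@

# External senders get the minimum: no backup contact, no phone number,
# no dates that advertise how long the mailbox is unattended.
$ExternalMessage = @"
Thank you for your message. I am currently away and will respond on my return.
"@

Set-MailboxAutoReplyConfiguration -Identity $Mailbox `
    -AutoReplyState Scheduled `
    -StartTime '2011-03-07 17:00' `
    -EndTime   '2011-03-14 08:00' `
    -InternalMessage $InternalMessage `
    -ExternalMessage $ExternalMessage `
    -ExternalAudience Known   # Known = only external senders already in the user's Contacts; None suppresses external replies entirely

# Confirm what each audience will actually receive before the absence starts.
Get-MailboxAutoReplyConfiguration -Identity $Mailbox |
    Format-List AutoReplyState, ExternalAudience, StartTime, EndTime, InternalMessage, ExternalMessage
```

Setting -ExternalAudience to None also addresses the mailing-list backscatter in point 2 for lists that deliver from external addresses, at the cost of telling no outside sender anything.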
At work, you kind of need to let people know you won’t be getting back to them for a while. There may be a few businesses (e.g. financial) where the risk does outweigh the courtesy. But for most of us I think an OOF on the work email account isn’t the end of the world.
Like most security policies there is no such thing as a best practice. There is a reasoned consideration of the risks compared with the business need or desired outcome.