Use OOF responses smartly
Written by Casper Manes on August 30, 2011

I received an email the other day that was sent to a distribution list to which I belong. Since membership is tightly controlled, and we’re all professionals who have opted in and agreed to ‘obey the rules’ of this distribution list, emails that are sent to the d/l are automatically sent out to all subscribers. I don’t manage the list myself, but I am told there are over 1000 members from companies and government agencies all over the world. Keeping that in mind, imagine my shock when, following a weekly announcement email, I (and presumably the other 1000+ members) all received an OOF message from one of the other members. This OOF laid out the person’s travel itinerary in detail and included alternate contacts that should be used in an emergency, and while I have a reasonable trust in most people, this particular d/l is a security d/l and I am sure it has its fair share of black hats as well as white.
Out of Office responses, often called OOFs, are the automatic responses Exchange and other email systems can be configured to send when a user is going to be OOF and receives an email message. The idea is that it informs the sender that the recipient is away, and a reply might be delayed. Frequently, users include far too much other information, which matters because these messages are often sent out in reply to any received email message, regardless of who sent it. In the case of the OOF I mentioned above, this user provided more than enough information to launch a social engineering attack. “Hi John, yeah, it’s Cas. I just got off the phone with Mike. You know he’s travelling to the conference in France, right? Anyway, I need a copy of the TPS reports for the new proposal he’s working on with me, but he’s boarding the plane now and won’t be able to get to his email until he lands. He said you could hook me up though. Can you do me a favour and send those over to me? Yeah, thanks.”
Paul Cunningham wrote a great article last year, Exchange Server 2010 Out of Office, about how to set up OOF policies on Exchange Server 2010; it includes the steps for configuring these policies on the server. If you would like to read the technical how-to of managing OOFs, please take a look at his post. What I want to talk about are some guidelines you should consider when dealing with OOF messages overall.
We want to look at OOF messages from a security point of view, and ensure that our users avoid providing TMI. Use the bullet points below as a starting point, and adjust them up or down as necessary to fit your particular business needs. Not all of these will work for you, but all of these should be considered to make sure that what you are doing with OOFs makes sense for your business.
Keep in mind that many emails you receive each day do not require a response, and that email is not as instant a communication channel as IM or telephone calls. Not every email must be answered immediately. As such:
- Notify your team and appropriate external contacts, including partners, customers, coworkers and management, before you are OOF.
- If you are able to review and respond to email messages at least once each business day while you are OOF, do not use an OOF response.
- Messages that cannot be quickly answered can be replied to with a manual OOF message indicating when the sender should expect a full reply, or referring them to your alternate.
- If you must use an automatic OOF message, it should be as generic as possible, and not list specific information about your travel details.
- OOF messages should be restricted so that they are only sent to internal users, or to users on your contact list if absolutely necessary. Distribution lists should not be listed in your contacts. See Paul’s post above for ways to include key business partners when necessary.
- If you must use an OOF, and you provide an alternate contact who is backing you up, make sure they are aware of your plans, and what is appropriate and what is not in response to a request.
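The restriction in the list above (OOFs to internal users only, with partners as a deliberate exception) is something the Exchange administrator can enforce rather than leaving it to each user. The following Exchange Management Shell commands are an added example, not code from the article or from Paul Cunningham’s post, and the mailbox name, dates, message text and partner domain are placeholders I made up. It shows the weak per-mailbox setting beside the corrected one, the organisation-wide remote-domain guard rail, a per-partner exception, and a check that lists mailboxes still auto-replying to everyone externally.

```powershell
# Added example (Exchange 2010 Management Shell). Not from the article or Paul's post.
# "jdoe@contoso.example", the dates, the message text and "fabrikam.example" are placeholders.

# --- Weak setting: a detailed itinerary that goes to anyone who writes in ---
# This is the kind of configuration that lets an OOF reach a 1000+ member list.
Set-MailboxAutoReplyConfiguration -Identity "jdoe@contoso.example" `
    -AutoReplyState Enabled `
    -ExternalAudience All `
    -InternalMessage "At the conference in France until the 14th, flying out tonight; call my mobile on <number>." `
    -ExternalMessage "At the conference in France until the 14th, flying out tonight; call my mobile on <number>."

# --- Corrected setting: generic text, time-boxed, no external replies ---
Set-MailboxAutoReplyConfiguration -Identity "jdoe@contoso.example" `
    -AutoReplyState Scheduled `
    -StartTime "2011-09-12 08:00" -EndTime "2011-09-16 17:00" `
    -ExternalAudience None `
    -InternalMessage "I am out of the office with limited email access. For urgent matters contact helpdesk@contoso.example." `
    -ExternalMessage ""
# If known external contacts really must get a reply, use "-ExternalAudience Known"
# (only senders in the user's contacts) rather than "All".

# --- Organisation-wide guard rail ---
# The default remote domain ("*") decides whether OOFs and other rule-generated
# automatic replies leave the organisation at all, whatever a user sets on their
# mailbox. Internal-to-internal OOFs are not affected by remote-domain settings.
Set-RemoteDomain -Identity Default -AllowedOOFType None -AutoReplyEnabled $false

# --- Per-partner exception (my assumption of how such an exception can be carved
# out; the article points to Paul's post for his way of doing it) ---
New-RemoteDomain -Name "Partner-Fabrikam" -DomainName "fabrikam.example"
Set-RemoteDomain -Identity "Partner-Fabrikam" -AllowedOOFType External -AutoReplyEnabled $true

# --- Check: which mailboxes still auto-reply to every external sender? ---
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxAutoReplyConfiguration |
    Where-Object { $_.AutoReplyState -ne 'Disabled' -and $_.ExternalAudience -eq 'All' } |
    Select-Object Identity, AutoReplyState, ExternalAudience |
    Format-Table -AutoSize
```

The remote-domain setting is the one worth applying first: it is a single control that stops external OOFs regardless of what individual users configure in Outlook or OWA, and the per-mailbox settings then only govern wording and timing. The final query is the kind of thing to schedule periodically, since users can re-enable the external audience themselves.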
Ultimately we want OOFs to support good business relationships, but not to provide too much information to potential social engineering attackers, or to fill others’ inboxes with unnecessary noise. At one previous company, I used to have a filter for OOF and “out of office” because I got so many each day that it was easier to just autodelete them than to wade through them. We don’t want to contribute to that kind of situation.
Remember, users can configure OOF messages using Outlook or OWA. Make sure your users know how to do this, as well as what is appropriate for your company, and use OOF messages smartly.
September 3rd, 2011 at 12:39 am
Typically, I only use OOF replies on weekends and holidays. I’m also very generic – I don’t put my personal mobile number, my home address, and other specific info. These days, it’s hard to maintain anonymity. People and the Internet can always track you down.
Just like all types of technology, OOF is a double-edged sword. It has two sides. It can make our lives better and easier, and it can also bring us harm. Use it smartly and responsibly.
September 6th, 2011 at 3:47 pm
Thanks for commenting Tony. Serious question though…do you get a lot of email on the weekend from folks who wouldn’t assume it will be Monday before you reply? Holidays are something I try to do, esp. since US holidays are NOT world holidays and I have a lot of international contacts, but I always just assumed everyone ‘got’ the weekends, and am seriously curious about how others feel.
Thanks
Cas
September 9th, 2011 at 10:57 am
@Casper
I receive email on weekends and holidays because I manage several outsourcing offices worldwide. My areas are in the Philippines, US, Ireland, Argentina, and the UK. They have different time zones and, most of the time, my company is on-peak every Saturday and Sunday. This is why.
I can’t help it. I think I’m addicted to email or something. LOL.
But seriously, I like to make money and sadly they fall on weekends.
September 10th, 2011 at 5:02 pm
I feel your pain my friend. Thanks for sharing.
Cas