Out of Office

Are out of office (OOF) messages a security risk or a useful tool?   (Microsoft uses the acronym OOF for Out of Facilitiy.   I’ll be using that rather than OoO for out of office).

I’ve felt that the anti-OOF forces are the kind of ludite people who still agitate for a return to text only email.  Rather than dismissing it out of hand, lets examine some of the objections to OOF

Out of office messages could inadvertently disclose information.  “I’m out of the office, check with Joe at 555-12324.   Now the bad guy has another contact name.   In this era of LinkedIn, I’m not sure how big a disclosure this would be.  You decide for your environment.

OOF messages could verify your email address to spammers.
 Your spam product and Mail server should be blocking directory harvest attacks at the gateway. I wonder if its still true that “verified” email address are more value to attackers. Either way, my spam filter prevents spam from reaching my inbox any way.

OOF messages could help an attacker engage in social engineering
Now that the bad guy knows Joe is the backup, they know he may not know procedure as well. “Roger let me do that”. Personally I think that is a problem with training not OOF.

OOF messages could alert an attacker that its time to break into your home.
While there are stories about burglaries when someone posted their vacation schedule on Twitter, that is often neighborhood kids and people you know. Not using an OOF doesn’t exactly help there. 

Now that we’ve gone through some OOF FUD, how can you OOF safely?
1.  If you’re running Exchange 2007 or later you have the ability to use a different message for internal senders and contacts versus external senders.  You can also perform OOF only for people in your contacts.

2.  Sign off of any mailing lists or set them to “no mail” where possible. You don’t need to be annoying the list with your out of office notes.   I think this is the real root of the anti-OOF forces, annoyance with mailing list OOF backscatter.

3.  The less said the better.

At work, you kind of need to let people know you wont be getting back to them for a while.   There may be a few businesses (e.g. financial) where the risk does outweigh the courtesy.   For most of us I think a OOF on the work email account isn’t the end of the world.

“Best Practices” are for people who cannot perform a risk analysis.   You’ll need to consider the risk environment and decide whether OOF is appropriate.