Problem solve Get help with specific problems with your technologies, process and projects.

Are out-of-office messages a security hazard?

Automatically generated out-of-office messages, like the kind created by Microsoft Outlook, have come under scrutiny as a possible security hazard. In this tip, contributor Serdar Yegulalp explains the potential risks.

Please let others know how useful this tip is via the rating scale at the end of it. Do you have a useful Exchange or Outlook tip, timesaver or workaround to share? Submit it to If we publish it, we'll send you a nifty thank-you gift.

Automatically generated out-of-office messages, like the kind created by Microsoft Outlook, have come under scrutiny as a possible security hazard.

It may seem absurd at first, but there are a number of fairly legitimate reasons why out-of-office messages might pose a hazard. (These may vary in validity depending on conditions at your workplace.)

  1. Fuel for dictionary attacks: If a spammer tries to use dictionary attacks (randomly-generated e-mail names) on an organization, an out-of-office reply is proof that a given address is good, and a spammer could add that to a list of known-valid addresses for future spamming runs.

  2. Awareness of physical absence: If you run a small business or home office, this tips someone off to the possibility that you may not be physically there. This may sound paranoid, but it's entirely possible that if someone wanted to break into your office (or even your home), they could use this as evidence that you aren't around and take advantage of that.

    Larger businesses might not need to be as concerned about this particular issue unless their existing security isn't up to snuff. That said, I personally know of at least one incident where someone was able to gain access to a person's office by posing as a spouse, thanks to a too-friendly receptionist. The incident was benign, but someone with less than the best of intentions could also have taken advantage of this situation.

  3. Social engineering attacks: Out-of-office messages with too much detail can give an outsider that much more leverage to perform "social engineering," -- i.e., penetrate the security of an organization by working through people and exploiting their gullibility. For instance, out-of-office messages with phone numbers could potentially be exploited through social engineering methods.

  4. Message-looping issues: Generally, a properly-managed e-mail system should not have message-looping issues, since Microsoft Outlook Out of Office is set to fire only once per sender. However, your Exchange server's interactions with other e-mail systems, such as some fax clients, can cause mail loops. This is a rare occurrence, but it's been known to happen.

Some organizations now administratively prohibit the use of out-of-office auto-replies for the above reasons. This can be done a number of ways; the most common and easiest is usually to administratively disable auto-reply and auto-forward to the Internet (via the Internet Mail Connector). The default setting for auto-reply is disabled.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter.

Do you have comments on this tip? Let us know.

Related information from

  • Tip: Selectively suppress out-of-office replies with SelectiveOOF
  • E-mail Security School: Locking down Exchange Server
  • Learning Guide: How to fight spam on Exchange Server
  • Reference Center: Exchange Server security tips and resources
  • Dig Deeper on Microsoft messaging and collaboration services

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.