The Perils Of AutoResponse

Be careful what you put in your email auto response when you head off on holiday/maternity leave/business trip. Anyone can read it.

One of the the things that came out of Daniel McNamara’s travails at Code Fish was that, by having phishers put his name in the from field of one of their attacks he got swamped by bounce-back emails that didn’t reach their destination. This is part of the Internet email system where a server will return anything it can’t pass on.

But among those bounce-backs are emails from legitimate addresses where the recipients have automated some sort of response, usually stored on the server, that will send a message back to the sender, informing them they’re out of the office. It’s these emails that are a problem.

I haven’t heard it happening yet, but I’m sure it will. Daniel says a lot of those autoresponses contained a lot of surprising personal information that would be very handy to someone somewhere. Who to call, where that person will be, when they’ll be back. Daniel says some of the messages are surprisingly informative, ranging from the person’s full-name and workplace, through details of injuries incurred that are keeping the person in question at home, to companies using the autoresponse to notify senders that the person in question no longer works there, or, in some cases, has been “fired for misconduct”.

In these days of targetted phishing this is an invitation to social engineering of a high order. All a phisher would need to do is flood a company with emails, either guessing the email addresses, using a dictionary attack (where practically every word in the dictionary and English language is used) or else grabbing names from the company directory online. If a dozen people have autoresponds on, the information gained could easily facilitate a socially engineered attack on the company as a whole.

My advice: Assume that sleazy folk can read your autorespond messages and ask yourself whether you want to share that kind of information with them. Then either rewrite the autorespond message, or better still, don’t use one at all.