The Autorespond Trap

I’ve written before about the general dodginess of “away notification emails” automatically set up to respond to incoming emails. Such messages usually go along the lines of:

I will be out of the office from 12/08/2006 to 13/08/2006 hunting gazelle in the Liposuction Basin.

For urgent matters, pl contact Ms Elbowgrinder/ Mr Headstrong at Tel 689023 during office hours.

Why are these a bad idea? Well, you’re basically broadcasting to anyone who sends you an email (strangers and spammers included) that you’re

  • on vacation, and therefore probably leaving an empty house
  • away for a stated period, so they know exactly when you won’t be around
  • handing large amounts of useful raw material to identity thieves or social engineers wanting to steal your password or talk their way past your stand-in
  • clogging up people’s inboxes with more information than they are likely to need (if they don’t know you’re on holiday, you’re probably not that close)

Anyway, I couldn’t help but be amused by a recent announcement on a security mailing list (which shall remain nameless; I don’t want to compromise security further) that prompted more than 30 autorespond messages informing senders that the recipients were on holiday/maternity leave/trips/the moon. Leaving aside the security lapse that allowed such messages to go to all recipients of the mailing list, I was surprised that these people, all of them apparently in the security field and in government, were broadcasting their movements and absence from the office. Who’s to stop someone from using this information to call up their secretary/stand-in and socially engineer their way into some lucrative information? My advice: don’t use these autoresponds unless you don’t mind telling all and sundry about your movements.

Oh, the original mailing list email that prompted this deluge of autoresponds was one announcing details of an upcoming information security & hacking conference. No, I’m not going to say which.
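If you can’t do without an autoresponder at all, the two failures in the story above (replying to mailing-list traffic, and telling strangers your dates and your stand-in’s details) are both avoidable at the filter stage. The following is an added illustration, not code from this post or from any mail system mentioned in it: a small reply policy that stays silent for list, bulk or automatic mail (the List-Id, Precedence and Auto-Submitted headers are the conventional markers), sends only a dateless generic notice to unknown senders, and reserves the detailed notice for an allow-list. The trusted domains/addresses, the notice texts and the three sample messages are all assumptions constructed for the example.

```python
"""Added example: a disclosure-limiting auto-reply policy.

Not code from the original page. The allow-list, notice texts and the
sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional

# Hypothetical senders who are allowed to receive the detailed, dated notice.
TRUSTED_DOMAINS = {"example.gov"}
TRUSTED_ADDRESSES = {"boss@partner.example"}

# Everyone else gets this: no dates, no stand-in's name, no phone number.
GENERIC_NOTICE = "Thanks for your email. Replies may be delayed."
DETAILED_NOTICE = ("I am out of the office until 13/08/2006. "
                   "For urgent matters contact Ms Elbowgrinder on 689023.")


def is_bulk_or_list_mail(msg: Message) -> bool:
    """True for mailing-list, bulk or automatically generated mail.

    An autoresponder must never answer these, or every subscriber of the
    list receives the 'I am away' message (the deluge described above).
    List-Id/List-Unsubscribe mark list mail, Precedence: bulk/list/junk is
    the older convention, and Auto-Submitted (anything but 'no') marks mail
    that was itself generated by a program, e.g. another autoresponder.
    """
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return True
    if msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk"):
        return True
    return msg.get("Auto-Submitted", "no").strip().lower() != "no"


def is_trusted_sender(addr: str) -> bool:
    """Allow-list check: exact address or trusted domain (assumed lists)."""
    addr = addr.lower()
    if addr in TRUSTED_ADDRESSES:
        return True
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return domain in TRUSTED_DOMAINS


def choose_autoreply(raw_message: str) -> Optional[str]:
    """Return the reply text to send, or None to stay silent."""
    msg = message_from_string(raw_message)
    if is_bulk_or_list_mail(msg):
        return None
    # Null return path means a bounce/notification: never reply to those.
    if msg.get("Return-Path", "").strip() == "<>":
        return None
    _, sender = parseaddr(msg.get("From", ""))
    if not sender:
        return None
    if is_trusted_sender(sender):
        return DETAILED_NOTICE
    return GENERIC_NOTICE


# Constructed sample messages (not real mail).
LIST_MAIL = """From: announce@conference.example
To: list@seclist.example
List-Id: Security announcements <seclist.example>
Precedence: list
Subject: Conference announcement

Details of an upcoming conference.
"""

STRANGER_MAIL = """From: someone@unknown.example
To: jeremy@example.gov
Subject: Quick question

Are you around this week?
"""

COLLEAGUE_MAIL = """From: Alice <alice@example.gov>
To: jeremy@example.gov
Subject: Meeting

Can we meet on Monday?
"""

if __name__ == "__main__":
    for label, raw in (("list", LIST_MAIL), ("stranger", STRANGER_MAIL),
                       ("colleague", COLLEAGUE_MAIL)):
        print(f"{label}: {choose_autoreply(raw)!r}")
```

The ordering matters: the list/bulk check runs before anything else, so a list post never triggers a reply regardless of who sent it, and the dated notice only ever leaves the box for the allow-listed senders.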

18. August 2006 by jeremy
Categories: Privacy, Security | 5 comments

Comments (5)

  1. Wow. All great points — and I’ve linked to this on my site, because as you’ll see, it got me thinking…

    The part I have trouble with, though, is what’s the alternative? I still think it’s unprofessional to leave potential clients (or worse — current ones) hanging / wondering if you’re ignoring them. And an autoresponder still suggests a level of professionalism and accountability (well — maybe only because of the empty promise of an “I will get back to you upon my return”)…

    But at the same time — you’re totally right that it’s dumb to tell a potentially infinite group of unknown people that you’re not doing your job (especially if it’s something like security), or that you’re not at home…

  2. Well then I think the notification should be targeted, i.e. do not broadcast to all, but to key people only, or just to people in your contact list. I know this doesn’t solve prospective clients (for those in the sales world), but it might help others.
    Cheers.

  3. This is hilarious and, sadly, something I’ve never given much thought to. I think I’m going to do away with the away message…or maybe I’ll just insert completely erroneous information to throw off the would-be hackers and cat burglars.

  4. As per Dan’s idea, I’m reminded of the character in Catch-22, Major Major.

  5. to protect our privacy, we should own our security software!

    http://www.shareware123.com/utility/security_encryption/index_24.htm