The Autorespond Trap

I’ve written before about the general dodginess of “away notification emails” automatically set up to respond to incoming emails. Such messages usually go along the lines of:

I will be out of the office from 12/08/2006 to 13/08/2006 hunting gazelle in the Liposuction Basin.

For urgent matters, pl contact Ms Elbowgrinder/ Mr Headstrong at Tel 689023 during office hours.

Why are these a bad idea? Well, by sending one you’re basically telling anyone who emails you that you’re

  • on vacation, and therefore presumably leaving an empty house
  • away from the office on specific dates

and in doing so you’re

  • giving large amounts of useful information to identity thieves or social engineers wanting to steal your password
  • clogging up people’s inboxes with more information than they are likely to need (if they don’t know you’re on holiday you’re probably not that close).

Anyway, I couldn’t help but be amused by a recent announcement on a security mailing list (which shall remain nameless; I don’t want to compromise security further) which prompted more than 30 autorespond messages informing senders that the recipients were on holiday/maternity leave/trips/the moon. Leaving aside the security lapse that allowed such messages to go to all recipients of the mailing list, I was surprised that these people, all of them apparently in the security field and in government, were broadcasting their movements and absence from the office. Who’s to stop someone from using this information to call up their secretary/stand-in and socially engineer their way into some lucrative information? My advice: Don’t use these autoresponds unless you don’t mind telling all and sundry about your movements.

Oh, the original mailing list email that prompted this deluge of autoresponds was one announcing details of an upcoming information security & hacking conference. No, I’m not going to say which.

News: Cambodia’s Boiler Room Scammers

Cambodia has repatriated 20 foreigners arrested last week for their involvement in the country’s first telecom scam, CNET reports. They comprised 14 Britons, two Americans and several Australian, New Zealand, Thai and Philippine nationals. Operating out of Cambodia, the group had cold-called people all over the world using cheap Internet phone connections to lure them into investing in the London and Hong Kong stock markets. Cambodian officials said their passport records show they had also worked from neighboring Laos and Thailand.

This confidence trick has since been named “The Boiler Room scam” after a movie of the same name. The movie depicted “fly-by-night stockbrokers involved in shady dealings to rip off investors”, the report said. In the movie, buyers were convinced to buy into shaky firms on the strength of inflated or made-up claims. Given the number of Brits who call me suggesting I invest in some offshore fund, I’m kinda glad I politely decline them.