The Autorespond Trap

August 18, 2006

I’ve written before about the general dodginess of “away notification emails” automatically set up to respond to incoming emails. Such messages usually go along the lines of:

I will be out of the office from 12/08/2006 to 13/08/2006 hunting gazelle in the Liposuction Basin.

For urgent matters, pl contact Ms Elbowgrinder/ Mr Headstrong at Tel 689023 during office hours.

Why are these a bad idea? Well, you’re basically telling anyone who sends you an email, whether you know them or not:

  • that you’re on vacation, and therefore presumably leaving an empty house;
  • exactly when you’ll be away and when you’ll be back;
  • who is covering for you and how to reach them, which is a large amount of useful information for identity thieves or social engineers wanting to talk their way into your password or your accounts.

On top of that, you’re clogging up people’s inboxes with more information than they are likely to need (if they don’t already know you’re on holiday, you’re probably not that close).

Anyway, I couldn’t help but be amused by a recent announcement on a security mailing list (which shall remain nameless; I don’t want to compromise security further) which prompted more than 30 autorespond messages informing senders that the recipients were on holiday/maternity leave/trips/the moon. Leaving aside the security lapse that allowed such messages to go to all recipients of the mailing list, I was surprised that these people, all of them apparently in the security field and in government, were broadcasting their movements and absence from the office. Who’s to stop someone from using this information to call up their secretary/stand-in and social-engineering their way into some lucrative information? My advice: Don’t use these autoresponds unless you don’t mind telling all and sundry about your movements.

Oh, the original mailing list email that prompted this deluge of autoresponds was one announcing details of an upcoming information security & hacking conference. No, I’m not going to say which.
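The mailing-list deluge described above is a well-known failure mode, and the fix is equally well known: an autoresponder should refuse to answer automatic or list traffic (the Auto-Submitted header from RFC 3834, and the Precedence and List-* header conventions that mailing-list software sets), reply only to people who actually need the notice, and say nothing about dates, places or stand-ins. The following is an added example written for this page, not code from the original post. The mailbox address, the contact allow-list and the five sample messages are hypothetical and constructed for the demonstration.

```python
"""Autoresponder gate: reply only to direct mail from known humans, and
disclose nothing about when you are away or who is covering.  Added example
for this page; addresses and messages below are constructed, not real."""
from email import message_from_string
from email.message import EmailMessage, Message
from email.utils import getaddresses, parseaddr

ME = "me@example.com"  # hypothetical mailbox the responder protects
KNOWN_CONTACTS = {"alice@example.org", "bob@example.net"}  # hypothetical allow-list
# Local parts that are never a human and must never be answered.
NOREPLY_LOCALPARTS = ("mailer-daemon", "postmaster", "noreply", "no-reply", "bounce")


def _sender(msg: Message) -> str:
    """Envelope sender (Return-Path) if present, else the From address."""
    rp = msg.get("Return-Path")
    if rp is not None:
        return parseaddr(rp)[1].lower()  # "<>" (a bounce) parses to ""
    return parseaddr(msg.get("From", ""))[1].lower()


def should_autoreply(msg: Message, me: str = ME) -> bool:
    """True only when a known person wrote directly to `me`."""
    # RFC 3834: anything other than "no" marks automatic mail; answering it
    # creates reply loops and is exactly how a list post collects 30 replies.
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False
    # Conventional bulk/list markers set by mailing-list and newsletter software.
    if msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk"):
        return False
    if any(h in msg for h in ("List-Id", "List-Post", "List-Unsubscribe")):
        return False
    sender = _sender(msg)
    if not sender:  # empty Return-Path: a bounce, nobody to answer
        return False
    if sender.split("@", 1)[0].startswith(NOREPLY_LOCALPARTS):
        return False
    # Only mail addressed to me directly (not via Bcc or a list expansion).
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if me.lower() not in recipients:
        return False
    # Targeted notice: strangers learn nothing about my movements.
    return sender in KNOWN_CONTACTS


def compose_reply(msg: Message, me: str = ME) -> EmailMessage:
    """Minimal-disclosure reply, itself marked as automatic so it is never answered."""
    reply = EmailMessage()
    reply["From"] = me
    reply["To"] = _sender(msg)
    reply["Subject"] = "Auto: " + msg.get("Subject", "(no subject)")
    reply["Auto-Submitted"] = "auto-replied"  # RFC 3834 marker for our own mail
    reply["Precedence"] = "bulk"
    if msg.get("Message-ID"):
        reply["In-Reply-To"] = msg["Message-ID"]
    # No dates, no location, no stand-in's name or phone number.
    reply.set_content("Thanks for your message. I am reading email less often than "
                      "usual and will reply when I can.")
    return reply


# Constructed sample messages (hypothetical addresses throughout).
SAMPLES = {
    "list_post": ("From: Announcements <announce@conf.example>\nTo: seclist@list.example\n"
                  "List-Id: Security list <seclist.list.example>\nPrecedence: list\n"
                  "Message-ID: <l1@list.example>\nSubject: [seclist] Hacking conference CFP\n\n"
                  "Details inside.\n"),
    "direct_from_contact": ("From: Alice <alice@example.org>\nTo: me@example.com\n"
                            "Message-ID: <m1@example.org>\nSubject: Quick question\n\nHi.\n"),
    "direct_from_stranger": ("From: Someone <someone@unknown.example>\nTo: me@example.com\n"
                             "Subject: Hello\n\nHi.\n"),
    "auto_reply_loop": ("From: Alice <alice@example.org>\nTo: me@example.com\n"
                        "Auto-Submitted: auto-replied\nSubject: Auto: Quick question\n\nAway.\n"),
    "bounce": ("Return-Path: <>\nFrom: Mail Delivery System <mailer-daemon@mx.example>\n"
               "To: me@example.com\nSubject: Undelivered Mail Returned to Sender\n\nBounce.\n"),
}


def decisions() -> dict:
    """Map each sample name to the gate's decision."""
    return {name: should_autoreply(message_from_string(raw)) for name, raw in SAMPLES.items()}


def reply_for(name: str) -> EmailMessage:
    """Build the reply we would send for a named sample."""
    return compose_reply(message_from_string(SAMPLES[name]))


if __name__ == "__main__":
    for name, ok in decisions().items():
        print(f"{name:22s} reply={ok}")
    print(reply_for("direct_from_contact"))
```

Of the five constructed messages only the direct mail from a known contact gets an answer; the list post, the stranger, the incoming auto-reply and the bounce are all silently dropped. The reply itself carries Auto-Submitted: auto-replied so that another responder applying the same rule will not answer it, and its body gives away nothing that a caller could use on the stand-in.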

5 thoughts on “The Autorespond Trap”

  1. nightingaleshiraz

    wow. all great points — and i’ve linked to this on my site, because as you’ll see, it got me thinking…

    the part i have trouble with though, is what’s the alternative? i still think it’s unprofessional to leave potential clients (or worse — current ones) hanging / wondering if you’re ignoring them. and an autoresponder still suggests a level of professionalism and accountability (well — maybe only because of the empty promise of an “i will get back to you upon my return”)…

    but at the same time — you’re totally right that it’s dumb to tell a potentially infinite group of unknown people that you’re not doing your job (especially if it’s something like security), or that you’re not at home…

  2. wicak

    well then i think the notification should be targeted. i.e. do not broadcast to all, but to key people only, or just to people in your contact list. i know this doesn't solve prospective clients (for those in the sales world), but it might help others.

  3. Dan

    This is hilarious and, sadly, something I’ve never given much thought to. I think I’m going to do away with the away message…or maybe I’ll just insert completely erroneous information to throw off the would-be hackers and cat burglars.

  4. Mark

    As per Dan’s idea, I’m reminded of the character in Catch-22, Major Major.

