Beware of The Away Message

By | October 8, 2008

By Jeremy Wagstaff

There are few things more exhilarating, I suspect, than being able to set your email account to respond with an automated message that says: “I’m on holiday. I won’t be answering your email for a while. I’m going on holiday to Barbados, and Bob Loser, my colleague, is covering for me, so call him on +1–723–7893–782. Have a nice day.”

This may feel good but it’s not always a good thing to do. Here’s why.

These auto-respond messages will be sent to anyone—anyone—that sends you an email. And that means spammers, scammers and other people who may not be your friends. Do you tell everyone in your neighborhood that you’re going away? Probably not. So why would you tell anyone who happens to send you an email?

Let’s take a real world example: A security expert I know found himself on the receiving end of a revenge attack by scammers he’d been trying to put out of business. To get payback they put his name and email address on a forged email that itself looked like a scam. The expert’s email in-box was deluged with bounce-backs—emails sent to addresses that don’t exist, or don’t exist anymore—and angry emails from those who believed he had suddenly switched sides and was now in the scamming game.

But what he also found was that he was receiving dozens, if not hundreds, of emails from addresses where the recipients have automated some sort of response informing the sender they’re out of the office. A lot of those auto-responses contained surprisingly personal information that would be very handy to someone somewhere: Who to call, where that person will be, when they’ll be back.

And not just that: the person’s full-name and workplace, details of injuries incurred that are keeping the person in question at home and companies notifying senders that the person in question no longer works there. In one case the auto-respond said the intended recipient of the email had been fired for misconduct.

So why is this a problem? Two words: social engineering. Social engineering is when a scammer uses our social habits to engineer a way past our defenses: calling up the overworked tech department, say, pretending to be a staff member who’s forgotten his password, or calling the switchboard to find out the boss’ birthday—a clue, perhaps, to her password— pretending to be a boyfriend.

In the case of the away message, all a bad guy would need to do is flood a company with emails, either guessing the email addresses, using a dictionary attack (where practically every word in the dictionary and English language is used) or else grabbing names from an online company directory. If a dozen people have auto-responds on, the information gained would be enough for a socially engineered attack on the company as a whole.

It needn’t be this sophisticated. If you send an auto-respond message saying you’re not going to be at work for the next few weeks, someone might decide that information is worth passing on to the local cat-burglar or someone at a rival company hoping to steal your customers.

Of course, this sort of lapse happens in the real world too, which should remind us how careless we tend to be. David Weinberger, a technology writer and consultant, pointed out on his blog recently that we’re quite happy about leaving signs on our hotel room door when we go out for the day:

“Often, on the back of a ‘Do Not Disturb’ sign is a ‘Make Up My Room Now’ message of some sort,” he wrote.  “But, now matter how they phrase it, isn’t it the same as an “I’m Out, So This Would Be a Good to Rob Me, Especially If You Are Squeamish about Violence” sign?”

This is part of a bigger problem we’re all going to have to wrestle with. As we use online services like Facebook and twitter more and more—updating our friends with our moods, our location, our activities—our privacy is going to be compromised.

Some of us don’t mind this. It’s nice to share information with friends. But what we tend to forget is that, once digital, this information is more readily accessible, and movable, than it was before. Clever scammers—and not so clever—can piece together these bits of information to use against us in ways we have not yet fully thought through.

Take twitter, for example. It’s a great service: free, and designed to allow those of us who want to share with our friends what we’re doing, in 140 character bursts. It’s very popular: According to a web-site called TwitDir ( which lists all twitter users who allow their updates to be public, there are more than three million users.

And that’s the thing. The default setting—the way things are configured when you sign up—your tweets, as your updates are called, can be seen by anyone. Anyone can ‘follow’ you—meaning they can track all your updates, without asking you permission first.  In short, anyone on the Internet can, in theory, stalk you.

OK, now I know that I’ve said twitter is a good thing. It is. And so is Facebook. All these services allow us to connect with people—friends in real life, friends we know only online. But we need to be smart about how we use them.

If you use twitter, check to see who is ‘following’ you and if you don’t recognize them, challenge them or block them. The same goes for things like Facebook. Don’t just accept anyone who asks as your ‘friend’, and if you can’t bring yourself to say no, limit what they can see of your details. (The default on Plurk, another popular service in Asia, allows only your friends can see your updates.)

And, lastly, be smart about what you put online—whether it’s a twitter update, a Facebook moan about your boss or in your email auto-respond message. If you can’t decide where to draw the line, just think of the sleaziest person you know, and ask yourself: Do I feel happy sharing this information with them?

I leave it to you to decide whether to boycott the “Please make up room” signs on your hotel room door.

Jeremy Wagstaff is a commentator on technology and appears regularly on the BBC World Service. He can be found online at or via email at