Out of Office (OoO) automatic replies to incoming emails are a menace to mailing lists and can cause security issues, primarily the disclosure of sensitive information. It is quite common for people going on vacation or travelling on business to want to tell others that they are not around to respond to inbound email, and it is quite easy for end users to configure OoO replies themselves. Unfortunately, OoO information is of interest to spammers and social engineers as well as to legitimate correspondents. ‘As I will be away from the office from date1 to date2, please address your queries to XXX@company.com or phone (123) 456 789. John Doe, Security Manager’, for example, gives away a lot of useful information unnecessarily: the absence window, an alternative contact, a direct phone number and the sender's job title. Advice on how to configure email systems for OoO replies is given in this IETF draft proposal (an incomplete work in progress, but well worth a read). As so often in information security, the technical controls should be complemented by suitable policies, procedures and awareness of the issue.
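The two problems above, replies fired at list and bounce traffic, and reply bodies that volunteer too much, can both be caught mechanically. The following is an added example, not code from the page or from the IETF draft it cites. It implements the loop-avoidance checks commonly recommended for automatic responders (honour `Auto-Submitted`, skip `Precedence: bulk/list/junk` and `List-*` traffic, never answer an empty return path or a mailer-daemon, and mark your own reply `Auto-Submitted: auto-replied`), and a simple linter that refuses an OoO body which leaks a phone number, an address, absence dates or a job title. The sample messages, the regular expressions and the two reply texts are constructed for this example (the verbose one is the page's quoted reply with made-up dates filled in).

```python
import email
import re
from email.message import EmailMessage, Message
from email.policy import default
from email.utils import parseaddr
from typing import List, Tuple

# Markers of automated or list traffic. Auto-replying to these produces mail
# loops or spams every subscriber of a list. Illustrative set, assumed here,
# not the configuration given in the draft the page cites.
BULK_PRECEDENCE = {"bulk", "list", "junk"}
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe")
NOREPLY_LOCALPARTS = ("mailer-daemon", "postmaster", "noreply", "no-reply")

# Details an auto-reply should not volunteer. Patterns are constructed for
# this example and deliberately loose; tune them to local conventions.
DISCLOSURE_PATTERNS = {
    "phone number": re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{3,4}"),
    "email address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "absence dates": re.compile(
        r"\b\d{1,2}(?:st|nd|rd|th)?\s+"
        r"(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)\w*",
        re.IGNORECASE),
    "job title": re.compile(
        r"\b(?:manager|director|administrator|officer|engineer)\b",
        re.IGNORECASE),
}


def should_auto_reply(msg: Message) -> Tuple[bool, str]:
    """Return (allowed, reason): whether an OoO reply may be sent at all."""
    auto = msg.get("Auto-Submitted", "no").strip().lower()
    if auto != "no":
        return False, "Auto-Submitted: " + auto
    prec = msg.get("Precedence", "").strip().lower()
    if prec in BULK_PRECEDENCE:
        return False, "Precedence: " + prec
    for h in LIST_HEADERS:
        if msg.get(h):
            return False, h + " header present"
    # Bounces carry an empty reverse path; answering them loops forever.
    _, addr = parseaddr(msg.get("Return-Path") or msg.get("From") or "")
    if not addr:
        return False, "empty return path"
    if addr.split("@", 1)[0].lower().startswith(NOREPLY_LOCALPARTS):
        return False, "automated sender " + addr
    return True, "ok"


def disclosures(body: str) -> List[str]:
    """List the kinds of sensitive detail an auto-reply body gives away."""
    return [name for name, pat in DISCLOSURE_PATTERNS.items() if pat.search(body)]


def build_reply(original: Message, body: str) -> EmailMessage:
    """Compose a loop-safe OoO reply, refusing bodies that leak details."""
    leaks = disclosures(body)
    if leaks:
        raise ValueError("auto-reply body discloses: " + ", ".join(leaks))
    reply = EmailMessage()
    _, addr = parseaddr(original.get("Return-Path") or original.get("From") or "")
    reply["To"] = addr
    reply["Subject"] = "Auto: " + original.get("Subject", "")
    # Mark our own reply so other responders do not answer it in turn.
    reply["Auto-Submitted"] = "auto-replied"
    if original.get("Message-ID"):
        reply["In-Reply-To"] = str(original["Message-ID"])
    reply.set_content(body)
    return reply


# Constructed sample traffic: a personal mail, a list post and a bounce.
PERSONAL_MAIL = email.message_from_string(
    "From: Alice <alice@example.org>\r\n"
    "Return-Path: <alice@example.org>\r\n"
    "Message-ID: <1@example.org>\r\n"
    "Subject: Quick question\r\n\r\nAre you around this week?\r\n",
    policy=default)
LIST_MAIL = email.message_from_string(
    "From: Bob <bob@example.org>\r\n"
    "List-Id: Security discussion <security.lists.example.org>\r\n"
    "Precedence: list\r\n"
    "Subject: [security] Patch Tuesday\r\n\r\nSee attached.\r\n",
    policy=default)
BOUNCE = email.message_from_string(
    "From: Mail Delivery System <MAILER-DAEMON@mx.example.org>\r\n"
    "Return-Path: <>\r\n"
    "Auto-Submitted: auto-replied\r\n"
    "Subject: Undeliverable\r\n\r\nDelivery failed.\r\n",
    policy=default)

# The page's verbose reply (with constructed dates) next to a minimal one.
VERBOSE_REPLY = ("As I will be away from the office from 3 June to 17 June, please "
                 "address your queries to XXX@company.com or phone (123) 456 789. "
                 "John Doe, Security Manager")
MINIMAL_REPLY = ("I am currently out of the office and will respond to your "
                 "message when I return. For urgent matters please contact the "
                 "main switchboard.")

if __name__ == "__main__":
    for name, m in (("personal", PERSONAL_MAIL), ("list", LIST_MAIL), ("bounce", BOUNCE)):
        print(name, should_auto_reply(m))
    print("verbose reply leaks:", disclosures(VERBOSE_REPLY))
    print("minimal reply leaks:", disclosures(MINIMAL_REPLY))
```

Only the personal mail is answered, and only with the minimal body; the verbose body is rejected before any message is composed. The header checks are the technical control; the linter is where the policy ("say that you are away, not where, until when, or who covers for you") gets enforced at the point the user writes the text.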