Friday, June 29, 2007

Turning OOF messages on the Exchange server is a bad idea for several reasons




OOF messages reply to spam. Most OOF messages also contain the email address of a coworker or other personal information that a spammer can exploit for social engineering. This increases spam, and employees then waste their time dealing with junk mail. Many listservs and mailing lists will automatically unsubscribe you from their newsletters and lists when they receive an OOF message. When Out of Office is enabled, only one reply is sent to each sender, even if you receive multiple messages from that person (http://support.microsoft.com/default.aspx?scid=kb;EN-US;157961).

The Out of Office Assistant sends an automatic reply to notify users who send you messages that you are away from the office. Your reply is sent only once to each message sender. This is reset when you toggle Out of Office in the client; in other words, Microsoft Exchange clears the internal "sent to" list when you disable the Out of Office that is currently enabled.

If you would like to have a reply sent for every message, use Inbox Rules instead of Out of Office.

Risks involved if a mail loop occurs

Mail looping incidents involve a huge number of messages flooding user mailboxes; conceivably they could fill all available disks on the Exchange server. Especially in a larger enterprise environment the damage can be significant: the loss of disk space can cause the server to shut down. The OOA could be exploited for a denial of service attack if it sends automatic replies to the Internet. If a spammer runs dictionary attacks (randomly generated e-mail names) against an organization, an out-of-office reply is proof that a given address is valid, and the spammer can add that address to a list of known-valid addresses for future spamming runs. This lets spam mail into the corporate network. The impact can be severe if a valid DL (distribution list) is exposed to spammers.

Generally, a properly managed e-mail system should not have message-looping issues, since Microsoft Outlook Out of Office is set to fire only once per sender. However, your Exchange server's interactions with other e-mail systems, such as some fax clients, can cause mail loops. This is a rare occurrence, but it has been known to happen.
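As an added example (not from the original post), the following Python checks a constructed message-tracking-style log for the two failure modes described above: auto-replies leaving the organisation, which confirm valid addresses to outsiders, and the fax-gateway style ping-pong loop. The log format, the domain names and the "Out of Office AutoReply:" subject prefix are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"          # assumption: the organisation's own mail domain
OOF_MARKER = "out of office autoreply:"   # assumption: subject prefix used by the OOF agent

# Constructed sample log (not real Exchange output): "timestamp sender recipient subject".
SAMPLE_LOG = """\
2007-06-29T08:00:00 alice@corp.example bob@corp.example Re: budget
2007-06-29T08:00:05 alice@corp.example promo@spam.example Out of Office AutoReply: Cheap pills
2007-06-29T08:01:00 fax@faxgw.example bob@corp.example Fax received
2007-06-29T08:01:02 bob@corp.example fax@faxgw.example Out of Office AutoReply: Fax received
2007-06-29T08:01:04 fax@faxgw.example bob@corp.example Out of Office AutoReply: Out of Office AutoReply: Fax received
2007-06-29T08:01:06 bob@corp.example fax@faxgw.example Out of Office AutoReply: Out of Office AutoReply: Out of Office AutoReply: Fax received
2007-06-29T08:01:08 fax@faxgw.example bob@corp.example Out of Office AutoReply: Out of Office AutoReply: Out of Office AutoReply: Out of Office AutoReply: Fax received
2007-06-29T09:30:00 carol@corp.example dave@corp.example Out of Office AutoReply: lunch
"""

def parse_log(text):
    """Split each line into (timestamp, sender, recipient, subject)."""
    events = []
    for line in text.splitlines():
        ts, sender, rcpt, subject = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), sender.lower(), rcpt.lower(), subject))
    return events

def is_oof(subject):
    return subject.lower().startswith(OOF_MARKER)

def external_oof_replies(events):
    """Auto-replies leaving the organisation: each one confirms a valid address outside."""
    return sorted({(s, r) for _, s, r, subj in events
                   if is_oof(subj) and not r.endswith("@" + INTERNAL_DOMAIN)})

def detect_loops(events, threshold=3, window=timedelta(minutes=5)):
    """Flag address pairs exchanging `threshold` or more auto-replies inside `window`.
    A healthy OOF fires once per sender, so repeated replies between the same
    two addresses indicate the ping-pong loop the post warns about."""
    by_pair = defaultdict(list)
    for ts, s, r, subj in events:
        if is_oof(subj):
            by_pair[frozenset((s, r))].append(ts)
    looping = []
    for pair, stamps in by_pair.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                looping.append(tuple(sorted(pair)))
                break
    return sorted(looping)
```

A hit from either function is a cue to stop automatic replies to remote domains and to investigate the partner system, not a finding in itself.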

Best,

Oz Ozugurlu

1 comment:

Oz Ozugurlu said...

I have also identified some undocumented looping scenarios with mail-enabled public folders and could not locate any information regarding this particular concern, other than information I have gathered from fellow Exchange administrators.