Out of the Office Paranoia
January 16, 2005 2:07 PM Subscribe
[OutOfOfficeParanoiaFilter] I am planning a holiday soon and, over a conversation, a friend gave me a cautionary note about not leaving an out of office autoreply on my mail account as it greatly increased the chance of me being burgled. [+]
So I Googled on the subject and found that this seems to have emanated from a December 2002 press release by the Corporate IT Forum (tif.). The whole thing sounds incredibly specious, more like something a company would put out to raise awareness of themselves than anything else. Snopes have an article on the subject and have debunked it, Access Control and Security Systems have it listed as an urban legend, but my friend is insistent that this thing is real - apparently her company also believes this and won't let any external emails be auto-replied to, which seems crazy.
Fellow MeFites, are you aware of any cases where people have been burgled because of an OOO auto-reply? Can I rest easy when I'm away or should I build 20 feet-deep electrified moat around my property? How do you handle your email when away for a week or two?
So I Googled on the subject and found that this seems to have emanated from a December 2002 press release by the Corporate IT Forum (tif.). The whole thing sounds incredibly specious, more like something a company would put out to raise awareness of themselves than anything else. Snopes have an article on the subject and have debunked it, Access Control and Security Systems have it listed as an urban legend, but my friend is insistent that this thing is real - apparently her company also believes this and won't let any external emails be auto-replied to, which seems crazy.
Fellow MeFites, are you aware of any cases where people have been burgled because of an OOO auto-reply? Can I rest easy when I'm away or should I build 20 feet-deep electrified moat around my property? How do you handle your email when away for a week or two?
I think that this would be something that you wouldn't want to do if you're someone with a high profile ... i.e. you live in a very nice neighbourhood, you're someone who's known to make a lot of money or to have something highly desireable and collectable that's easily stolen and fenced, ... but in general, I think it's a bunch of bunk if you're an everyday shmuck like me. Someone would have to be stalking you and preparing to burgle you, and quite honestly, there's nothing in my apartment that's really worth spending a week figuring out where I work and then calling or emailing my work email address frequently enough to make it matter.
posted by SpecialK at 2:27 PM on January 16, 2005
posted by SpecialK at 2:27 PM on January 16, 2005
While I want to say this is a total urban legend, I do have to say that my home has been broken into twice by people who I did business with. That said, I don't think email is going to make one bit of a difference. It's very easy to know if you are home or not, email is not even in the top 100.
posted by sled at 2:43 PM on January 16, 2005
posted by sled at 2:43 PM on January 16, 2005
Sort of on-topic, but we have a company policy that prohibits sending out-of-office replies to anyone outside the organization. This is because bad guys with agendas can use that information to glean inside knowledge of corporate structure ("I'm out of the office, but for accounts receivable, please contact Joe Smith at x3865").
It's also a bad idea if you're subscribed to mailing lists, since nobody on those lists needs to know (or probably cares that) you're out.
posted by aberrant at 3:01 PM on January 16, 2005
It's also a bad idea if you're subscribed to mailing lists, since nobody on those lists needs to know (or probably cares that) you're out.
posted by aberrant at 3:01 PM on January 16, 2005
I have to say that I am more annoyed by OOO replies than they have ever helped me.
posted by grouse at 3:39 PM on January 16, 2005
posted by grouse at 3:39 PM on January 16, 2005
I'm the sysadmin where I work and if using exchange you can configure out of office replys to not be sent to the internet but just internally. That's what we do, many of my peers seem to use the same practice, at least in my circle of geeks. You might want to check with your sys or mail admin to see what your local policy/practice is.
posted by white_devil at 4:14 PM on January 16, 2005
posted by white_devil at 4:14 PM on January 16, 2005
we have a company policy that prohibits sending out-of-office replies to anyone outside the organization. This is because bad guys with agendas can use that information to glean inside knowledge of corporate structure
Interesting. In our DoD paranoia, we have never (to my knowledge) considered this. We do have a prohibition against posting certain solicitations publicly (we're gonna buy lots of food 'cause we're gonna invade country X) and this is distantly related. Maybe I'll propose it and collect a reward.
posted by fixedgear at 6:04 PM on January 16, 2005
Interesting. In our DoD paranoia, we have never (to my knowledge) considered this. We do have a prohibition against posting certain solicitations publicly (we're gonna buy lots of food 'cause we're gonna invade country X) and this is distantly related. Maybe I'll propose it and collect a reward.
posted by fixedgear at 6:04 PM on January 16, 2005
With a crackberry or other wireless email appliance you need never set your out of office message again. (Also, you may never escape again.)
posted by caddis at 6:38 PM on January 16, 2005
posted by caddis at 6:38 PM on January 16, 2005
fixedgear: I get a royalty, right? :)
Seriously, I thought this was standard practice and am surprised (unpleasantly) that DoD folks don't do it. It's very easy for a "low-and-slow" attacker to gather a great deal of information this way, and have the recipients discard the incoming email (to which they respond with their vacation message) as spam.
Externally-sent vacation messages just make social engineering attacks that much easier.
posted by aberrant at 8:29 PM on January 16, 2005
Seriously, I thought this was standard practice and am surprised (unpleasantly) that DoD folks don't do it. It's very easy for a "low-and-slow" attacker to gather a great deal of information this way, and have the recipients discard the incoming email (to which they respond with their vacation message) as spam.
Externally-sent vacation messages just make social engineering attacks that much easier.
posted by aberrant at 8:29 PM on January 16, 2005
I have learned to never be surprised by the security practices of DoD.
(And, yes, vacation-messages are generally a bad idea, from a security point of view.)
posted by Jairus at 8:42 PM on January 16, 2005
(And, yes, vacation-messages are generally a bad idea, from a security point of view.)
posted by Jairus at 8:42 PM on January 16, 2005
Whatever you do, don't let anyone know you're unavoidably tied up at a playoff game.
posted by dhartung at 11:26 PM on January 16, 2005
posted by dhartung at 11:26 PM on January 16, 2005
Response by poster: Interesting replies and, to be honest, not what I was expecting, which was more of a "yes, this madness". I don't really bother with OOO messages on my own mail account, but corporate paranoia/protection of employees is slightly higher than I was expecting. Still, it looks as though there may be a point to it all.
posted by TheDonF at 11:59 PM on January 16, 2005
posted by TheDonF at 11:59 PM on January 16, 2005
Which is one more reason never to descend into the bowels of the corporation to begin with, right?
posted by Irontom at 3:31 AM on January 17, 2005
posted by Irontom at 3:31 AM on January 17, 2005
This thread is closed to new comments.
It seems to say it hasn't happened yet (or at least that they haven't found a direct link between an email and a burglary). The article of course indicates this is a real danger, but if it hasn't happened yet then chances are you won't be the first.
posted by rooftop secrets at 2:17 PM on January 16, 2005