I checked my personal email account and found I had 3 out-of-office replies from people who obviously belonged to the same organization. However, I had never emailed any of them.
At first I thought they were some kind of a malware emails, but they were text only and contained no links. So I just left them in my email box and wondered about them every time I saw them. Then I figured it out.
During the long holiday season, I submitted a comment to a blog, and evidently that blog notifies these people about any comments. Since all 3 of those people happened to be out of the office (OOO) on the day I submitted the comment, I received an OOO reply from each of them. At first this annoyed me, but then I realized I received some great information on these folks:
- They’re were of the office, and I know when they’ll be back.
- One of them was vacationing overseas. That means their home in Ohio was probably empty, and I could rob them blind. Or just sell the info on a thiefer’s website.
- Their internal email addresses, work addresses, and phone numbers, including cell numbers.
- Who they defer to when they out of the office, because each of them said in their OOO reply, “if emergency, contact X”. Can you spell “social engineering”?
- Internal email addresses, work addresses, and phone numbers, including cell numbers of their emergency contacts.
- Info on people that are associated with this blog. It sure makes tracking down who writes for the blog a lot easier. They didn’t hid it very well, did they?
Granted, receiving this info when you’re inside the organization is not a big deal, but I am not an insider. I’m just a smuck who wandered across the Internet and submitted a blog comment. But now I have insider knowledge. I should have been a spammer.
ITauditSecurity 
How have things been? Another area where I say to myself what are they thinking. The people who blast listservs with Out of Office replies. It’s one thing to be out of the office but another to tell everyone everytime when someone sends something out to the listserv. I’ve seen this occur on private and public listservs.
LikeLike
Hi Corey,
TY for the comment. Things have been going well. I have tons of stuff to post, but can’t seem to get the time to do it all.
I think the problem is that people don’t think. They think in silos without pondering how each action might affect another action. That’s what vulnerabilities are all about, right? A + B = Yippe!
LikeLike
What is the solution ?
LikeLike
Santosh,
The solution is to turn off out-of-office replies to the Internet, a setting that all major email clients have. I believe some email systems can turn it off at the server so that clients cannot change it.
LikeLike