Out-of-Office Reply Tells All

I checked my personal email account and found I had 3 out-of-office replies from people who obviously belonged to the same organization. However, I had never emailed any of them.

At first I thought they were some kind of malware emails, but they were text only and contained no links. So I just left them in my email box and wondered about them every time I saw them. Then I figured it out.

During the long holiday season, I submitted a comment to a blog, and evidently that blog notifies these people about any comments. Since all 3 of those people happened to be out of the office (OOO) on the day I submitted the comment, I received an OOO reply from each of them. At first this annoyed me, but then I realized I received some great information on these folks:

  1. They were out of the office, and I know when they’ll be back.
  2. One of them was vacationing overseas. That means their home in Ohio was probably empty, and I could rob them blind. Or just sell the info on a thiefer’s website.
  3. Their internal email addresses, work addresses, and phone numbers, including cell numbers.
  4. Who they defer to when they are out of the office, because each of them said in their OOO reply, “if emergency, contact X”. Can you spell “social engineering”?
  5. Internal email addresses, work addresses, and phone numbers, including cell numbers of their emergency contacts.
  6. Info on people that are associated with this blog. It sure makes tracking down who writes for the blog a lot easier. They didn’t hide it very well, did they?

Granted, receiving this info when you’re inside the organization is not a big deal, but I am not an insider. I’m just a schmuck who wandered across the Internet and submitted a blog comment. But now I have insider knowledge. I should have been a spammer.
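One way an administrator could audit outbound auto-replies for the categories of detail listed above. This is an added example, not part of the original post: the sample message, its names and numbers, and the regex patterns are all constructed for illustration, and it assumes the reply carries the RFC 3834 `Auto-Submitted` header.

```python
import re
from email import message_from_string

# Constructed sample auto-reply; every name, address and number is made up.
SAMPLE = """\
From: pat@example.org
To: visitor@example.net
Subject: Automatic reply: New comment on post
Auto-Submitted: auto-replied

I am out of the office on vacation overseas until January 5.
If emergency, contact Lee Doe at lee.doe@example.org or cell 555-0100.
Pat Roe, 100 Main St, Columbus, Ohio, desk 614-555-0111
"""

# One illustrative pattern per category of detail the post lists.
CHECKS = {
    "return_date": re.compile(r"\b(?:until|back on|return(?:ing)? on)\b", re.I),
    "travel": re.compile(r"\b(?:vacation\w*|overseas|travel\w*|abroad)\b", re.I),
    "phone": re.compile(r"\b(?:\d{3}[-. ])?\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "delegate": re.compile(r"\b(?:contact|reach out to)\b", re.I),
}

def is_auto_reply(msg):
    """RFC 3834: automatic responses carry an Auto-Submitted value other than 'no'."""
    value = (msg.get("Auto-Submitted") or "no").strip().lower()
    return value != "no"

def audit(raw):
    """Return {category: [matched strings]} for an auto-reply, {} otherwise."""
    msg = message_from_string(raw)
    if not is_auto_reply(msg):
        return {}
    body = msg.get_payload()  # plain-text, single-part message assumed
    findings = {}
    for name, pattern in CHECKS.items():
        hits = pattern.findall(body)
        if hits:
            findings[name] = hits
    return findings

if __name__ == "__main__":
    for category, hits in audit(SAMPLE).items():
        print(f"{category}: {hits}")
```

Run against an external auto-reply template before it is enabled, any non-empty result marks text worth trimming from the version sent outside the organization.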



Filed under Blogging, Security, Security Scout

4 responses to “Out-of-Office Reply Tells All”

  1. How have things been? Another area where I say to myself what are they thinking. The people who blast listservs with Out of Office replies. It’s one thing to be out of the office but another to tell everyone every time when someone sends something out to the listserv. I’ve seen this occur on private and public listservs.


  2. Hi Corey,
    TY for the comment. Things have been going well. I have tons of stuff to post, but can’t seem to get the time to do it all.
    I think the problem is that people don’t think. They think in silos without pondering how each action might affect another action. That’s what vulnerabilities are all about, right? A + B = Yippee!


  3. Santosh Kaimal

    What is the solution?


    • Santosh,
      The solution is to turn off out-of-office replies to the Internet, a setting that all major email clients have. I believe some email systems can turn it off at the server so that clients cannot change it.

