Best Practices for Email Autoreplies
In two recent blog posts (The Risks of the Out of Office Notification and Other Risks from Automatic Replies) we discussed the possible threats from automatic email replies, from out of office notifications to read notifications to non-delivery receipts, they all allow information to be leaked – which can then be exploited. So what can administrators and users do to deal with this threat and help secure their environment?
While we have always stressed the importance of user education, in this particular case this should be reinforced with strong server settings. There’s no reason to rely only on user settings, which can be (and frequently, are) set improperly.
Enterprise email servers have fairly granular control over whether out-of-office notifications are sent or not. A good best practice for e-mail would be to limit out-of-office notifications to recipients within the organization only. If external parties need to receive these notifications, then they can be whitelisted as necessary. However, the default should be that external parties should not be sent out-of-office notifications.
Similarly, email servers can be configured so that bounce messages are not sent externally. Just as importantly, bounce messages should not contain significant amounts of the original message, as if they do so they can be used for spam attacks. (RFC 3834 explicitly makes this recommendation.)
As for read receipts, again we recommend that they not be sent externally. This can be done by stripping the Disposition-Notification-To header on all incoming messages; this ensures that no read receipt will be sent to a potential attacker while keeping the feature intact for internal email.
Taken together, these best practices prevent the sending of these automatic replies, which as we discussed earlier can be a source of information leakage for organizations. In addition to this, user education – particularly for out of office notifications – can also help.