Frequently Asked Questions
UBC Mathematics: MathNet FAQ [Email Auto-reply Caveats]



UBC Mathematics: MathNet FAQ [Email Auto-reply Caveats]




Question: What are the risks of using an Email auto-reply?
Author: Joseph Tam
Date: Jan. 27, 2009

Email auto-replies could be useful, but its use is not without risk. If you install an Email auto-reply, please acquaint yourself with some issues which you may not have considered.

The main problem with auto-reply systems is that they reply indiscriminately to the purported sender, but the sender could be forged. Email is notoriously easy to alter, and the sender information is commonly forged by spammers, phishers, worms and viruses, and other ne're-do-wells. Your auto-replies would be sent to

  • Innocent vicitms who have had their Email addresses forged;
  • Fraudsters collecting victims' replies;
  • Spammers confirming that an Email address works;
  • Spamtrap addresses owned by blacklist operators -- this is a malicious attempt by an attacker to try and put a mail system onto a public blacklist and cause delivery problems.

In extreme cases, where the volume of spam/virus is heavy, it can cause the victim (the forged sender) to be overwhelmed with auto-replies. They may be forced to block Email from us. For example, many free Email providers will automatically block Email from a site if it detects this situation.

Such unintended replies are called "outscatter" or "backscatter"

http://en.wikipedia.org/wiki/Outscatter

Furthermore, even legitimate auto-replies may cause problems:

  • mail loops: under certain circumstances, two auto-reply systems could lock themselves into a mail loop replying to each other's Email until one or both mailboxes fill up.
  • mailing list: your reply notice may be sent to a mailing list you are subscribed to, and thousands of other people will see your auto-reply.

There are some measures in place that that mitigate these risks:

  • accurate spam/virus filter that rejects Email before they can be responded to;
  • sender tracking system that limits auto-replies (one per day) to the same Email address;
  • mail loop detectors;

You can further reduce the risks by

  • Assessing the necessity of an auto-reply and foregoing its use if its not important.
  • Use Email forwarding or web notices to deal with your departure.
  • Narrowing the scope of when auto-replies are invoked, such as only during times when it would be useful, or only to certain senders. Contact the IT staff on how you can achieve this.
  • Recognizing circumstances that would make auto-replying risky (if you are the target of much spam or subscribed to many mailing lists), and weighing those factors against the benefits of installing an auto-reply.
 
Top