Question: What are the risks of using an Email auto-reply?
Author: Joseph Tam
Date: Jan. 27, 2009
Email auto-replies can be useful, but their use is not without risk.
If you install an Email auto-reply, please acquaint yourself with some
issues which you may not have considered.
The main problem with auto-reply systems is that they reply
indiscriminately to the purported sender, but the sender could be forged.
Email is notoriously easy to alter, and the sender information is commonly
forged by spammers, phishers, worms and viruses, and other ne'er-do-wells.
Your auto-replies would be sent to
- Innocent victims who have had their Email addresses forged;
- Fraudsters collecting victims' replies;
- Spammers confirming that an Email address works;
- Spamtrap addresses owned by blacklist operators -- this is
a malicious attempt by an attacker to try and put a mail system
onto a public blacklist and cause delivery problems.
In extreme cases, where the volume of spam/virus is heavy, it can
cause the victim (the forged sender) to be overwhelmed with auto-replies.
They may be forced to block Email from us. For example, many free Email
providers will automatically block Email from a site if they detect this.
Such unintended replies are called "outscatter" or "backscatter".
Furthermore, even legitimate auto-replies may cause problems:
- mail loops: under certain circumstances, two auto-reply systems
could lock themselves into a mail loop replying to each other's
Email until one or both mailboxes fill up.
- mailing list: your reply notice may be sent to a mailing
list you are subscribed to, and thousands of other people will
see your auto-reply.
There are some measures in place that mitigate these risks:
- accurate spam/virus filter that rejects Email before it
can be responded to;
- sender tracking system that limits auto-replies (one per day)
to the same Email address;
- mail loop detectors.
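The sketch below shows how the last two measures, plus a mailing-list check, can be combined into one decision. It is an added example, not the code running on this site. The function name, reason strings and sample messages are hypothetical, and it assumes the conventional Auto-Submitted (RFC 3834), Precedence and List-Id headers are present on automated mail.

```python
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parseaddr

REPLY_INTERVAL = timedelta(days=1)  # "one per day" per sender, as in the list above

# Constructed sample messages (not real traffic).
HUMAN = "From: Alice <alice@example.com>\nSubject: Meeting\n\nHi\n"
VACATION = ("From: bob@example.org\nAuto-Submitted: auto-replied\n"
            "Subject: Out of office\n\nAway\n")
LIST_POST = ("From: carol@example.net\nList-Id: <users.lists.example.net>\n"
             "Precedence: list\nSubject: [users] hi\n\nHello\n")

def should_auto_reply(raw_message, envelope_sender, last_replied, now):
    """Return (decision, reason); last_replied maps address -> time of last reply."""
    msg = message_from_string(raw_message)
    sender = parseaddr(envelope_sender)[1].lower()
    # A null envelope sender (<>) marks a bounce; replying to it starts a loop.
    if not sender:
        return False, "null envelope sender"
    local = sender.split("@", 1)[0]
    if (local in ("mailer-daemon", "postmaster")
            or local.endswith("-request") or local.startswith("owner-")):
        return False, "automated sender address"
    # Loop detector: anything other than "no" means a program wrote the message.
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    if auto != "no":
        return False, "auto-submitted message"
    # Mailing-list traffic: never answer the list or its subscribers.
    precedence = (msg.get("Precedence") or "").strip().lower()
    if (precedence in ("bulk", "list", "junk")
            or msg.get("List-Id") or msg.get("List-Unsubscribe")):
        return False, "mailing list or bulk mail"
    # Sender tracking: at most one reply per address per interval.
    previous = last_replied.get(sender)
    if previous is not None and now - previous < REPLY_INTERVAL:
        return False, "already replied within a day"
    last_replied[sender] = now
    return True, "ok"

if __name__ == "__main__":
    seen, t0 = {}, datetime(2009, 1, 27, 9, 0)
    for raw, env in ((HUMAN, "alice@example.com"), (HUMAN, "alice@example.com"),
                     (VACATION, "bob@example.org"), (LIST_POST, "carol@example.net")):
        print(env, should_auto_reply(raw, env, seen, t0))
```

None of these checks can tell whether the sender address is forged, which is why filtering spam and viruses before the auto-responder runs comes first in the list.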
You can further reduce the risks by
- Assessing the necessity of an auto-reply and foregoing its
use if it's not important.
- Using Email forwarding or web notices to deal with your departure.
- Narrowing the scope of when auto-replies are invoked, such as
only during times when it would be useful, or only to certain
senders. Contact the IT staff on how you can achieve this.
- Recognizing circumstances that would make auto-replying
risky (if you are the target of much spam or subscribed to many
mailing lists), and weighing those factors against the benefits
of installing an auto-reply.