About Us | Contact Us
View Cart

Auto-Reply Basics

By Vigilize | Tuesday, March 2, 2010 - Leave a Comment

Graphic by Jacki Hadaway

Technology. It’s here and people are not afraid to use it. They want to take full advantage of its possibilities. No stone left unturned so to speak. This includes an e-mail system’s Auto-reply feature. When we are out of the office, we don’t want our clients or other business associates to sit and wonder why we are not responding to their e-mails. We want them to be aware that, for the time being, we are out of the office and will get back with them when we return.

But almost every new technology introduces us to new vulnerabilities. E-mail is no exception. Beware that “black hat” attackers wreaking havoc with phishing attacks will not go away after multi-factor authentication is fully implemented. These attackers will use anything they can to gather information that can be used against an individual or business, and implement what is called an orchestrated attack. By combining seemingly innocent requests for information and other information gathering methods, these criminals can compromise a financial institution’s system. This includes information given out with a user’s Auto-reply feature.

Thus the purpose of this article: Be careful! When using your e-mail’s auto-reply feature, you need to be selective in what you divulge. Many attackers send out a rash of e-mails, just waiting for a recipient’s auto- reply to kick back a response. From there, these crafty individuals will use what information they get to plan a phishing attack or perform pre-text calling, gleaning information that can be used against you in the process. Any bit of information they get can be used in the larger picture of identity theft or masquerading.

In addition, spam attacks can gain momentum with auto-reply messages. Attackers use the messages to enter an endless look of auto-replies replying to auto-replies. This, in the long run, can result in a denial of service, loading mail servers with users’ auto-reply messages. In addition, they can be used to send viruses or worms to innocent victims.

The easiest way to mitigate risk with a particular technology is simply to cease using it. From a policy perspective, consider discouraging or even prohibiting the use of the auto-reply feature altogether. But if you must use your e-mail system’s auto-reply feature, here are a few tips to keep things under control and to be a little safer:

  • DO keep messages simple. State that you are out of the office, but don’t state your reason for being gone.
  • DO get permission before divulging an alternate contact’s information.
  • DO be careful about what you state about your job title (the higher up the ladder, the more attackers attempt to gather and use information).
  • DON’T be specific about the dates you will be away from the office.
  • DON’T divulge an associate’s e-mail address (this is more fuel for their fire). Give a phone number of someone that can help them in your absence instead.
  • DON’T divulge personal information in your auto-reply message (home phone, cell phone, etc.).
  • DON’T set auto-reply messages for your home e-mail. (You may get a very unwanted visitor while you are gone!)

Another step that can be done (see your network administrator) is to use your e-mail system’s filter settings. It’s simple to filter out e-mails that contain auto-reply words or phases in the subject line or header. You can have these messages directed to your “trash bin” rather than having them inundate your “in” basket. This is useful for those loops that the attackers may have set up.

The bottom line is: be careful when using your system’s auto-reply feature. You never know who will be the recipient! And as always, if your company allows auto-reply, be sure to increase user awareness about the vulnerabilities.


 

Latest News
    Community Banking and their layers of security. . . Michael Hartke’s first post as Executive Vice President! Thinking back to my first talk to security professionals in community banking almost 10 years ago, the question continues to this day. First some background… infotex was moderating the Indiana Bankers Association Security Conference when one of the […]
    Reasons why we should be considered! infotex provides a number of services that can be checked out if you click over to offerings.infotex.com! We even made a movie with all the reasons why infotex should be your next MSOC!  
    infotex and GoTo To all infotex managed security service Clients: As recently reported by major news outlets there was a data breach affecting GoTo (formerly LogMeIn) wherein attackers stole encrypted backups containing customer information in November 2022.  Based on the advisory from GoTo the products they offer that are affected include LogMeIn Pro, LogMeIn Central, […]
    An option for increasing security for ALL organizations. . . The threat landscape is evolving daily, and it is becoming increasingly difficult for even large organizations providing cyber defense services to keep up. As Brandao (2021) notes, it is important for organizations to adapt holistic technologies that can correlate all attack events. Therefore, developing XDR […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape) You are welcome to print out and distribute this around your […]
    A relic of the internet’s less secure past, many small firms struggle to secure their email systems… An article review. With a great deal of cybersecurity related news focused on new threats and similarly new techniques aimed at combating them, it can be easy to forget some of the older threats that have never gone […]
    Seven Trends . . . …that small bank Information Security Officers face in 2023 Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Welcome to the Magnificent Seven, my annual predictive article about the seven trends in technology that will impact the Information Security Officers of […]
    System Security and Cybersecurity are not the same thing. . . Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Regarding “information security,” the last thirty years have seen an evolution of frameworks, laws, and assessment approaches which intimidate the management team with their complexity.  […]
    The cryptographic algorithm is vulnerable to attack and is no longer considered secure… An article review. NIST has announced that it plans to retire the SHA-1 cryptographic algorithm by the end of 2030, citing multiple vulnerabilities in the standard, effectively ending its use after nearly 30 years.  Introduced in 1995, SHA-1 used a 160-bit hash […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape) You are welcome to print out and distribute this around your […]