Out of Office reply policies

I saw a post on David Smalley’s blog about Microsoft Exchange Server Out of Office Replies. In his post David mentions that in Exchange Server 2000, Out of Office Replies (OOR’s) are not sent outside of the Exchange organisation, and he goes on to explain how you can configure Exchange to allow OOR’s to go outside of your organisation.

While this behaviour by Exchange would appear to be a bug, there is a good reason behind it: it protects the privacy of your Exchange users. It is entirely possible to spam a company (or more likely companies), do automated searches for Out of Office Replies, cross reference them with phone book entries, and then burglarise houses, secure in the knowledge that “Sally is on holidays in Bali until the 15th!”.

Out of Office Replies like these will also tell any cracker that this person’s logon will be unattended for the next x days, so they can merrily ring the helpdesk saying “I have lost my password, can you re-set it for me?”

Also, OOR’s will reply to ‘normal’ spam mails, confirming the email address as a live one.

From an IT/security point of view, it is preferable to maintain the current situation of OOR’s not going beyond your Exchange organisation, but I can see that from a client service point of view this might not be acceptable.

If you do need to allow OOR’s in your company, then you really need an OOR policy document and, as we are rapidly coming into holiday season, you need to make all your staff aware of it asap for their own protection.

Staff shouldn’t say how long they are out for nor why they are out. They shouldn’t include their sig file as this gives away too much information (Job Title for instance – the more senior the position, the more likely (extended) travel is involved), and they should include the name of an alternate contact along with the main company number (but they shouldn’t include the job title of the alternate contact).

The following is an example of a reasonably safe and yet informative Out of Office Reply:
“Thank you for contacting me – unfortunately I am away from my email right now but I will reply to you on my return. In the meantime, if you need some assistance, please call John Doe at 555 1234.”
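The policy above can be checked mechanically before a reply is allowed to leave the organisation. The following is an added example, not code from the original post or from Exchange: the function name `lint_oor`, the finding labels and the regular expressions are all assumptions chosen to mirror the rules in this post, and the risky sample is constructed.

```python
import re

# Hypothetical patterns derived from the policy above (assumptions, not a
# complete detector); tune them to your own organisation's wording.
ABSENCE_WINDOW = re.compile(
    r"\b(until|till|back on|returning|for the next)\b[^.\n]*\d"
    r"|\b\d{1,2}(st|nd|rd|th)\b"
    r"|\b\d+\s+(day|week|month)s?\b"
    r"|\b(mon|tues|wednes|thurs|fri|satur|sun)day\b",
    re.IGNORECASE)
ABSENCE_REASON = re.compile(
    r"\b(holidays?|vacation|annual leave|sick|maternity|paternity|"
    r"conference|travell?ing|business trip|honeymoon)\b", re.IGNORECASE)
JOB_TITLE = re.compile(
    r"\b(director|manager|officer|president|head of|engineer|"
    r"administrator|ceo|cfo|cto|vp)\b", re.IGNORECASE)
SIG_DELIMITER = re.compile(r"^-- ?$", re.MULTILINE)  # usual sig separator
PHONE = re.compile(r"\+?\d[\d ()-]{5,}\d")
CONTACT_VERB = re.compile(r"\b(call|contact|phone|ring)\b", re.IGNORECASE)


def lint_oor(text):
    """Return the list of policy findings for one Out of Office Reply."""
    findings = []
    if ABSENCE_WINDOW.search(text):          # how long they are out
        findings.append("states-absence-window")
    if ABSENCE_REASON.search(text):          # why they are out
        findings.append("states-reason")
    if JOB_TITLE.search(text) or SIG_DELIMITER.search(text):
        findings.append("signature-or-job-title")
    if not (PHONE.search(text) and CONTACT_VERB.search(text)):
        findings.append("no-alternate-contact")
    return findings


# The example reply from this post (dash written in ASCII).
SAFE = ("Thank you for contacting me - unfortunately I am away from my email "
        "right now but I will reply to you on my return. In the meantime, if "
        "you need some assistance, please call John Doe at 555 1234.")
# Constructed sample that breaks every rule in the policy.
RISKY = ("Hi, I am on holidays in Bali until the 15th.\n"
         "-- \nSally Example\nFinance Director\n")

if __name__ == "__main__":
    for name, body in (("SAFE", SAFE), ("RISKY", RISKY)):
        print(name, lint_oor(body) or "OK")
```

A check like this produces false positives (a street address containing "5th", for instance), so it suits a warning shown to the user or a review queue rather than silent blocking.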

The podcast of this post is available here thanks to Pete Prodoehl whose comment on my last post explained how I could use Ourmedia.org to upload podcasts to the Internet Archive without the 24 hour wait!

3 thoughts on “Out of Office reply policies”

  1. What is your reason for suggesting that “out of the office” not be stated, but instead, “away from my email”? In my experience, if they can’t get me via email, they will phone the operator and ask for me to be paged. Should we maybe say ‘I am unable to be contacted’?
