Saturday, June 05, 2010

Out of Office Message and Privacy Risks

I remember as a child my parents used to have an answering machine.  For those of you too young to remember those, they were basically like voicemail, except they plugged in to the wall.  I remember at some point my parents changed the message from "we are not home right now" to "we can't take your call right now".  I remember the explanation was that if you said "we are not home right now", a criminal would know you weren't home, but the other message might give them pause.  My parents did not lock the doors, by the way, so I do not think an answering machine message would deter them.  I suppose I can see not wanting to say "we are out of the country from June 1 through June 10", but do you really confuse criminals by saying "we can't take your call right now"?  I guess I never felt like it would be a deterrent.

The reason this came to mind is because, as I mentioned, I am going to be away from PCCC next year.  I am considering what to do with my out of office message.  By putting one out there, there is a slight risk of that information being used against the College.  A smart social engineer could in theory find a way to leverage that information.  However, the alternative is to check my work email, and I am in theory not supposed to when I am on leave.

We use Microsoft Exchange.  This will allow me to put up an out of office message.  I have the choice to reply only to people in the same domain, or only to people outside our domain (everyone else), or simply everyone.  Most people would just put up an out of office message saying to contact their department chair, but the problem is that by doing so, I open up two accounts for spam.  If a spammer sends an email that gets past the email filters, they will get a reply not only showing my email is active, but also giving the spammer my department chair's email address.

I could also make it a little more complicated, for example, say email
person at pccc dot edu
(which would of course translate to
...but some people would get confused with this.

Making matters more complicated is that I have some business contacts that I would like to be able to contact me.  If I want them to be able to find me, I should probably provide some sort of email address for them to use to contact me.  So, the end result is going to be me setting up a new email account, to protect my home account from spam, and an added risk to both my email address and my department chair's email address.

Now, to figure out what this message should say...
