Out of office assistant and SPAM

[John]

Hi, we are considering turning on the out of office assistant to the
outside world but are wondering what the implications would be reguarding
SPAM. We are using Exchange 2003 and most of our users are using outlook
2003, but we still have some on outlook 2000. Won't the assistant reply to
all the SPAM and possibly confirm E-mail addresses? Also, what if it
responds to spoofed addresses that don't exist? Won't that generate
additional messages in my inbox from auto replies that state that the
E-mail address that we sent to does not exist? Is it possible to set the
additional rules to respond to people in your address book only once
instead of every time per out of office session.

 

[Brian Tillman]

Hi, we are considering turning on the out of office assistant to the
outside world but are wondering what the implications would be
reguarding SPAM. We are using Exchange 2003 and most of our users
are using outlook 2003, but we still have some on outlook 2000.
Won't the assistant reply to all the SPAM and possibly confirm E-mail
addresses?

It will respond to each incoming message, but only once to each sender.
There's little chance of confirming addresses, since SPAMmers usually send
from bogus addresses that are not monitored. That can lead to a bounce
back, however, when the OOA responds to the bogus address and that is
rejected. It might also lead to some innocent receiving the OOA message,
since SPAMmers often spoof the sender address using a good address they've
gleaned from a compromised PC. If they spoof using a vald address, the
person whose address was used will get the OOA.

Also, what if it responds to spoofed addresses that don't
exist? Won't that generate additional messages in my inbox from auto
replies that state that the E-mail address that we sent to does not
exist?

As I said, yes.

Is it possible to set the additional rules to respond to
people in your address book only once instead of every time per out
of office session.

It should respond only once as long as it's on. Turn it off and on again,
and it will respond once more, however.

 

[John]

It will respond to each incoming message, but only once to each sender.
There's little chance of confirming addresses, since SPAMmers usually send

from bogus addresses that are not monitored. That can lead to a bounce
back, however, when the OOA responds to the bogus address and that is
rejected. It might also lead to some innocent receiving the OOA message,
since SPAMmers often spoof the sender address using a good address they've
gleaned from a compromised PC. If they spoof using a vald address, the
person whose address was used will get the OOA.


As I said, yes.


It should respond only once as long as it's on. Turn it off and on again,
and it will respond once more, however.

Through experimentation, my boss created a reply rule in the OOA window to
reply to me only and then turned on OOA and exited Outlook. I sent him 4
test messages. I received 5 messages from him. The one in the top of the
OOA window that says it will reply only once (and it did), and 4 copies of
the rule reply that was created in the lower half of the OOA window.

What do you think.

Thanks, John