Out Of Office Replies
A default SBS 2003 installation is configured so that when a user enables “out of office replies” in Exchange, the replies are sent only to internal accounts. If you have Out Of Office enabled on your account and someone from outside your network sends you e-mail, the SBS Exchange configuration will not send an OOO reply to that external address. This configuration can be changed, but for my clients, I’ve always left it at defaults, mostly for security reasons.
Today, I ran across another reason to keep Out Of Office replies from going outside of the network.
A client in California called because he started seeing a lot of hung messages in the outbound SMTP queues in Exchange. These messages were from a particular user, who had just been configured for Outlook over the Internet. He was concerned that the PC for this user might be infected with a virus that sends e-mail through Outlook/Exchange and asked me to take a look.
When I got into the server, I found 20-30 queues with one or two messages in them, and the queues were in a Retry state. My initial thought was that it looked a lot like a Reverse NDR attack, but the volume was very small, and all the messages were coming from a user, not from postmaster.
I pulled the e-mail address from one of the messages hung in a queue and looked through the SMTP logs (another reason why I always enable SMTP logging on SBS even though it’s not enabled by default) to see where that message was coming from.
As it turns out, the message was not being generated by the user account. Instead, an incoming SMTP connection was delivering messages to this particular user from the bogus account in question. There was no indication that the user was generating a message to that address at all.
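The correlation just described can be scripted when there are many queued addresses to check. This is an added example, not part of the original post: it assumes the SMTP log is in W3C extended format with a `#Fields:` header that includes `c-ip`, `cs-method`, `cs-uri-query` and `sc-status`, and every log line and address in it is constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed W3C extended field set; placeholder addresses).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2005-01-10 14:02:11 203.0.113.7 EHLO +mail.invalid 250
2005-01-10 14:02:11 203.0.113.7 MAIL +FROM:<promo@bogus.invalid> 250
2005-01-10 14:02:12 203.0.113.7 RCPT +TO:<jsmith@client.example> 250
2005-01-10 14:02:13 203.0.113.7 DATA - 250
2005-01-10 14:05:40 198.51.100.9 MAIL +FROM:<vendor@partner.example> 250
2005-01-10 14:05:41 198.51.100.9 RCPT +TO:<jsmith@client.example> 250
"""

ADDR = re.compile(r"<([^>]*)>")

def inbound_origins(log_text, queued_recipients):
    """Map each queued recipient address to the (client_ip, local_rcpt) pairs of
    accepted inbound deliveries that used it as MAIL FROM. An empty list means
    the log shows no inbound message from that address."""
    wanted = {a.lower() for a in queued_recipients}
    fields, current_from = [], {}   # current_from: last MAIL FROM seen per client IP
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        m = ADDR.search(row.get("cs-uri-query", ""))
        addr = m.group(1).lower() if m else None
        ip, verb = row.get("c-ip"), row.get("cs-method", "").upper()
        if verb == "MAIL" and addr is not None:
            current_from[ip] = addr        # a null sender <> resets the state too
        elif (verb == "RCPT" and addr and row.get("sc-status") == "250"
              and current_from.get(ip) in wanted):
            hits[current_from[ip]].append((ip, addr))
    return {a: hits.get(a, []) for a in sorted(wanted)}

if __name__ == "__main__":
    for sender, seen in inbound_origins(SAMPLE_LOG, ["promo@bogus.invalid"]).items():
        print(sender, "->", seen or "no inbound match")
```

A queued address that shows up here as an inbound sender points at an automatic reply (such as Out Of Office) rather than mail composed by the user.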
When I asked my client if the user had delivery receipts or read receipts enabled on the account, he said “no” but did indicate that Out Of Office had been enabled for the user. So what was happening is that Exchange was receiving the message for the user, then turning around and trying to send an Out Of Office response to the sender, which was a bogus address in this case, and these messages started getting hung in the queue. When my client mentioned that this particular user gets lots of spam, I knew where the culprit was.
The short term fix was to turn off Out Of Office for the user in question and make sure that the flood of e-mail getting hung in the queue died down. When it does, he can look into changing the Out Of Office settings back to default, so that OOO replies only go to internal senders, not external senders.
If you have clients that have requested that Out Of Office replies be allowed to external senders, add this example to your list of reasons “why not.”