Are automatic "out of office" email replies bad security practice?
On many email servers it is possible to confirm whether an email address exists or not depending on whether you get a bounce message back from their SMTP server.
e.g.
Return-path: <>
Envelope-to: [email protected]
Delivery-date: Thu, 25 Oct 2012 16:42:54 -0400
Received: from mailnull by ecbiz103.example.org with local (Exim 4.77)
id 1TRUGT-0005Qd-RT
for [email protected]; Thu, 25 Oct 2012 16:42:54 -0400
X-Failed-Recipients: [email protected]
Auto-Submitted: auto-replied
From: Mail Delivery System <[email protected]>
To: [email protected]
Subject: Mail delivery failed: returning message to sender
Message-Id: <[email protected]>
Date: Thu, 25 Oct 2012 16:42:53 -0400
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
[email protected]
No Such User Here
------ This is a copy of the message, including all the headers. ------
Return-path: <s...
However, existent but inactive accounts would not generate such a message.
The out of office autoreply does confirm that the email exists, and that it is in active use. As you say, depending on the contents it could leak information regarding the whereabouts of the recipient. This would be more of a concern for personal email accounts than that of a corporation because it is more likely that the user is physically not present at their home should such an email be received.
Some mail systems can be set to only reply to known addresses in the local address book with the out of office message. This prevents any malicious senders from gaining from their information gathering exercise. Also, many systems that filter email into spam folders do not send autoreplies for such messages.