Tuesday, August 29, 2006

SBS 2003: Why the default out-of-office behavior is a good thing in Exchange and SBS

So we all know that Out-of-Office auto responses are disabled for internet-bound email by default beginning with Exchange 2000, right? As with so many things, SBS behaves the same way, and with good reason. By default, out-of-office messages don’t ever make it out of your organization.

This is a good thing.

If you disagree, you can change this behavior by following KB262352. But don’t.

Let’s talk about why the default behavior is a good thing.

Say that you’re out of the office, and you’ve followed KB262352 and enabled out-of-office responses for internet-bound messages. But, like many in the SMB marketplace, you’re not on board with a good enterprise UCE/spam filtering solution or a hosted filtering service (and even if you are, I still don’t recommend changing the default behavior).

Here is what can happen:

1) You enable out-of-office responses.
2) You start receiving messages, and like everyone else, you get some UCE/junk mail.
3) Exchange now doesn’t care if a message is junk or not, or where it originated… it creates a new message addressed to the “From:” address taken from the junk message, and sends it out.
4) The “From:” address is probably spoofed (you can check the message headers to confirm this), so you’re probably sending your out-of-office response to an unsuspecting person.
5) Now, this person might not exist, or might have a full mailbox, or might be confused as to why you sent them a message to begin with… so they reply. And they get another out-of-office response.

And so on.

So multiply that by the number of messages you get, and you begin to see the problem.
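As an added illustration (not from the original post, and not how Exchange itself implements out-of-office), the Python below contrasts the reply-to-“From:” behavior in steps 3 and 4 with a responder that applies the suppression checks recommended by RFC 3834. The sample messages, the example.* addresses, the function names and the domain-mismatch heuristic are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

def _msg(return_path, from_, extra=""):
    # Constructed sample message; every address uses a reserved example domain.
    return f"Return-Path: {return_path}\nFrom: {from_}\n{extra}Subject: test\n\nbody\n"

SAMPLES = {
    "customer": _msg("<alice@example.com>", "Alice <alice@example.com>"),
    "junk_forged_from": _msg("<x91@bulk.example.net>", "Bob <bob@example.org>"),
    "bounce": _msg("<>", "Mail Delivery <postmaster@example.org>"),
    "other_oof": _msg("<carol@example.com>", "Carol <carol@example.com>",
                      "Auto-Submitted: auto-replied\n"),
}

def naive_target(raw):
    """Steps 3-4 above: answer whatever address the From: header claims."""
    return parseaddr(message_from_string(raw)["From"])[1].lower()

def guarded_target(raw, replied_to):
    """Return the address to answer, or None when the reply is suppressed."""
    msg = message_from_string(raw)
    # Return-Path records the SMTP envelope sender at final delivery.
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if not envelope:                      # null sender <>: a bounce/DSN
        return None
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto != "no":                      # another auto-responder: would loop
        return None
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    # Assumed heuristic (not proof of spoofing): stay silent when the From:
    # domain differs from the envelope sender's domain.
    if header_from.rpartition("@")[2] != envelope.rpartition("@")[2]:
        return None
    if envelope in replied_to:            # one reply per sender per absence
        return None
    replied_to.add(envelope)
    return envelope

def run(guarded):
    """Map each sample name to the address that would receive a reply."""
    replied = set()
    return {name: guarded_target(raw, replied) if guarded else naive_target(raw)
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    print("naive  :", run(False))
    print("guarded:", run(True))
```

Even the guarded responder still answers junk whose envelope sender and “From:” agree, which is why the default of sending nothing to the internet remains the safer setting.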

This is a bad thing… even on an SBS 2003 server with only moderate usage.

So while you can enable out-of-office responses, you probably shouldn’t.
