THE OFFICIAL BLOG OF THE SBS "DIVA"

OOF?  OOF?  Are you OOF this time of year?

Originally the initials for the Out of Office notification stood for “Out of Facilities” [ergo the OOF] and they can not only be annoying, but mailbox filling up devices as well as major social engineering problems.

Say what? You ask?  You heard me... major social engineering problems occur in OOF messages because many times they include contact info, phone numbers, and other detail information that could be used in a social engineering attack.  Thus, I don't turn them on outside the domain and ensure that OOF messages don't go to the Internet.  Other reasons why OOF may not work can be found here.

By default, Exchange 2000 and 2003 do not enable OOF outside the domain.  So remember IF you enable them, instruct folks to carefully put in the messages in these OOF replies and to not put in so much info that it's easy to figure out ways to get info out of the organization.

If you use the Out Of Office Assistant and turn on the out-of-office reply, the internal senders (on the local network) receive the automatic reply message, but external senders (on the Internet) may not receive the automatic reply. 

CAUSE

By default, the out-of-office reply to Internet recipients is turned off. Many administrators do not allow out-of-office replies to be sent outside the Exchange Server organization, so that unauthorized people do not know when users are out of the office.

Internet Recipients Do Not Receive Out-of-Office Message:
http://support.microsoft.com/kb/323665/

XCON: How to Enable Out-of-Office Replies to the Internet:
http://support.microsoft.com/default.aspx?scid=kb;en-us;262352

How to Enable Out-of-Office Reply Messages to the Internet:
http://support.microsoft.com/kb/821899/

You cannot restrict certain automatic responses to the Internet based on administrative groups in Exchange 2000 Server or in Exchange Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;840158