Don’t tell spammers that you’re on vacation

Microsoft has made the right decision to temporarily turn off Hotmail’s vacation (e.g., out-of-office) reply feature. Flip the switch off permanently, I say.

“In our fight against spam, we sometimes have to make hard choices, and we had to make one this week. We discovered that spammers were using Hotmail’s automatic vacation reply feature to send spam from their Hotmail accounts,” Krish Vitaldevara, Windows Live Hotmail lead program manager, blogged late yesterday. I missed the post because of Apple’s iPhone OS 4 launch. I spotted the announcement first at LiveSide about an hour ago.

Vitaldevara continues: “We decided to temporarily shut off the feature in order to shut down the spam. Of course, we know some of you like and use automatic vacation replies to let people know when you can’t respond to e-mail for a while, and we’ll turn this feature back on as soon as we’ve worked out the best way to prevent it from being misused by spammers.”

I’m surprised it’s taken so long for this kind of problem to surface. For years I’ve recommended against using out-of-office replies because they reveal valid email addresses to spambots. Two best practices for avoiding spam:

  • Never use out-of-office replies
  • Turn off automatic HTML rendering

I’m amazed that so few people make the connection between out-of-office replies and spam, considering how much of the crap is anonymously sent. Your vacation reply reveals that the email address is valid, and that can open a torrent of additional spam.

Automatically loading images is another sure way to validate an email address. Spammers typically include clear gifs — meaning you can’t see them — in HTML email. These images, also known as Web beacons, call back to a server, letting the spammer know the email address is valid. Outlook and most email applications or Web mail services turn off email image rendering by default. But, of course, people turn on the feature because the mail looks prettier.
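To make the beacon mechanism concrete, here is an added example (not from the original post) that scans an HTML message body for remote images that look like tracking pixels. The sample message, the host names and the `find_beacons` helper are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: a visible logo, a 1x1 remote beacon, an embedded image.
SAMPLE_HTML = """
<p>Big savings this week!</p>
<img src="https://mail.example.com/logo.png" width="200" height="60">
<img src="http://tracker.example.net/o.gif?u=alice%40example.org" width="1" height="1">
<img src="cid:inline-photo" width="1" height="1">
"""

TINY = {"0", "1"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ADDRESS_LIKE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

class BeaconFinder(HTMLParser):
    """Collects remote <img> tags that look like tracking pixels."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images travel with the message; no callback
        reasons = []
        if a.get("width", "").strip() in TINY and a.get("height", "").strip() in TINY:
            reasons.append("1x1 or zero-size image")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by CSS")
        # parse_qs percent-decodes values, so alice%40example.org matches too
        for values in parse_qs(url.query).values():
            if any(ADDRESS_LIKE.search(v) for v in values):
                reasons.append("recipient address in query string")
                break
        if reasons:
            self.findings.append((a["src"], reasons))

def find_beacons(html):
    """Return a list of (src, reasons) for suspicious remote images."""
    finder = BeaconFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

These heuristics only catch the obvious cases: any remote image with a per-recipient URL can confirm an address, whatever its size. That is why leaving remote image loading off is the reliable control.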

Like many other people, my inbox collected porn spam during the late 1990s. Once I disabled automatic image rendering, the porn spam subsided over about six months. I rarely get this kind of spam anymore, and on the rare occasions I do, images don’t load anyway. Hey, I’m married and a one-woman guy.

I applaud Microsoft for making the tough but smart decision about vacation replies. I would encourage the company to go further and help people to change their behavior. There are plenty of better ways to inform people when you’re away, such as status messages on Facebook, IM, LinkedIn, Twitter or Windows Live – heck, even location-based services like Foursquare. The only people who really need to know you’re out of the office or away from home are the people you know. Don’t tell the spammers.
