
Why Email Forwarding and Auto Responders Aren't Always a Good Idea

03 June 2025 by Mike Wong
Why email forwarding and autoresponders aren't always a good idea, with examples, some of which you may not have thought about :)

Email forwarding and auto responders are common tools businesses and individuals use to manage their emails. However, despite their convenience, they can introduce security risks and inefficiencies, and can even negatively impact email deliverability. Let’s explore why relying on these features might not be the best choice.

Alright, let’s keep it simple and start with the fundamentals:

  • Security and Privacy
  • Deliverability Issues and Blacklisting
  • Phishing and Spoofing

Security and Privacy

Forwarding emails automatically can expose sensitive information to unintended recipients, creating security vulnerabilities. If an email contains confidential data, forwarding it without proper controls could lead to data leaks. In a real-world scenario, if a company director, manager or even a staff member automatically forwards all customer service emails from a public-facing address to their personal Gmail account and that account is compromised, all customer enquiries, potentially containing personal details and order information, become accessible to the attacker.

Then there is the compliance side of things to consider; moving any customer data to an unapproved location or system with inadequate security is likely to lead to a massive problem should that data be compromised.

It's also worth mentioning that auto responders can inadvertently confirm to spammers that an email address is active, leading to more spam and phishing attacks.

Deliverability Issues and Blacklisting

Forwarding emails from one address to another may seem like a practical way to consolidate communications. However, when forwarded emails contain spam, the receiving server may mark the forwarding domain as a spam source, which could damage its reputation. The original sender’s details are often stripped or modified during forwarding, making it harder to track the email's origin. Both email forwarding and auto responders can cause deliverability issues. Email providers may interpret excessive forwarding or automated replies (specifically to spam) as suspicious behavior, leading to flagged emails (greylisting) or outright deliverability failures (blacklisting). And let's not forget subscription lists and automated systems, where an auto response may unintentionally flood the sender with repetitive replies.

For example, if a small business forwards all emails from their domain sales@yourbusiness.com to yourbusiness@gmail.com and yourbusiness@gmail.com receives a high volume of spam or is reported for spam, it can negatively impact the deliverability of legitimate emails from sales@yourbusiness.com because the receiving mail servers see the forwarded email originating from sales@yourbusiness.com, not the original spammer. Even worse, the IP could be blacklisted, which causes problems for all users sending from that IP address.

It's important to mention that we run SpamExperts, so forwarding spam wouldn't be an issue here, but not all hosts run effective anti-spam software and, as a result, one person can cause problems for all users.

A while ago, I encountered an email looping issue caused by auto-responders at a company where I worked on an ad hoc basis. One mailbox had an automatic response set to say, "Thanks for the email. We've received it, we've read it, and we'll get back to you shortly." The team member used that address to contact a business client, who, coincidentally, had their own auto-responder activated while on annual leave.

As you might have guessed, the two mailboxes began an endless cycle; each triggering the other with repeated messages of "Thank you for your email" and "I'm on annual leave." The flood of automated responses quickly overwhelmed both inboxes.

It didn't take me long to pinpoint the source of the issue, but needless to say, the sigh of relief from the management team was audible.
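One way a responder can avoid both the loop and the replies to lists and bounces described above, added here as an example (not code from this site or from any mail product). It follows the RFC 3834 recommendations for automatic replies; the function names, the one-week interval and the sample messages are assumptions.

```python
import time
from email import message_from_string
from email.utils import parseaddr

# Policy values below are assumptions for this example, not from the article.
REPLY_INTERVAL = 7 * 24 * 3600  # at most one auto-reply per sender per week
SYSTEM_LOCALPARTS = {"mailer-daemon", "postmaster", "noreply", "no-reply", "bounce"}

def should_auto_reply(raw, envelope_from, replied, now=None):
    """Decide whether to auto-reply. `replied` maps sender -> time of last reply."""
    now = time.time() if now is None else now
    msg = message_from_string(raw)
    if envelope_from.strip() in ("", "<>"):
        return False, "null envelope sender (bounce)"
    # RFC 3834: any Auto-Submitted value other than "no" is machine-generated mail.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return False, "Auto-Submitted: " + auto
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "list", "junk"):
        return False, "bulk or list precedence"
    if "List-Id" in msg or "List-Unsubscribe" in msg:
        return False, "mailing list"
    sender = parseaddr(envelope_from)[1].lower()
    if sender.split("@")[0] in SYSTEM_LOCALPARTS:
        return False, "system sender"
    # Backstop for responders that set no headers: one reply per sender per interval.
    if sender in replied and now - replied[sender] < REPLY_INTERVAL:
        return False, "already replied recently"
    replied[sender] = now
    return True, "ok"

def auto_reply_headers(subject):
    """Headers that mark our own reply as automatic so the other side can stop."""
    return {"Subject": "Auto: " + subject, "Auto-Submitted": "auto-replied",
            "X-Auto-Response-Suppress": "All"}

# Constructed sample messages.
HUMAN = "From: Client <client@example.org>\nSubject: Order query\n\nHello"
OOO = ("From: Client <client@example.org>\nSubject: Auto: Re: Order query\n"
       "Auto-Submitted: auto-replied\n\nI'm on annual leave.")

if __name__ == "__main__":
    seen = {}
    print(should_auto_reply(HUMAN, "client@example.org", seen, now=0))
    print(should_auto_reply(OOO, "client@example.org", {}, now=0))
    print(should_auto_reply(HUMAN, "client@example.org", seen, now=60))
```

The per-sender interval is what stops a loop when the other side's responder sets none of these headers.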

Phishing and Spoofing

  • Unintended Exposure of Sensitive Information: When an email is automatically forwarded or responded to, it can expose internal email addresses, conversation threads, or confidential details to unintended recipients. If a phishing email is forwarded, attackers might gain insights into company communication patterns.
  • Auto-Replies to Malicious Senders: Autoresponders can accidentally confirm active email addresses to cybercriminals. If a phishing attempt reaches an inbox with an automatic reply, it tells the attacker, “This email address is valid and active!” potentially leading to more targeted attacks.
  • Spoofed Emails Being Re-Circulated: If a spoofed email (one that mimics a trusted sender) is forwarded internally, employees might unwittingly engage with it, believing it comes from a legitimate source. Spoofing relies on deception, and forwarding emails can further spread misleading information.
  • Chain Reaction of Autoresponders: As you’ve seen with the looping issue at my previous workplace, autoresponders interacting with each other can flood inboxes. If a phishing email triggers an auto-reply, it could potentially cause a back-and-forth exchange, leading to increased exposure to threats.

I know I’m going on a bit, but once I start, ideas keep popping into my brain, and I try to type them out before I forget them. Here’s another classic incident involving phishing, spoofing, and autoresponders that I remember vividly (well, parts of it).

Before heading off on holiday, the company director set up an automatic out-of-office response with a simple message: "I’m away until [whatever date it was]. If you need assistance, please contact customerservices@companyname.co.uk. For accounting-related enquiries, please reach out to accounts@companyname.co.uk. Thanks", and it was signed with John Smith, Company Director, Company Name and details.

Some of you might already see where this is going! As expected, he received the usual spam and phishing emails. However, his autoresponder unknowingly sent his message, including those internal contact details, straight to the spammers. Seizing the opportunity, the spammers then became scammers and they crafted a fraudulent invoice using Google Docs (or a similar platform, though I can't recall exactly). The document appeared legitimate enough to fool anyone who hovered over the link. To make matters worse, they spoofed an email from the director’s email address, instructing accounts to ensure the invoice was paid; finally signing off with the exact email signature from his autoresponder.

Fortunately, the entire team had recently completed IT security training, and someone took the initiative to verify the authenticity of the invoice. Thanks to their diligence, the scam was caught in time. However, had they simply processed the payment without questioning it, the company could have suffered a significant financial loss. True story!

So there you have it, the fundamental risks of email forwarding and autoresponders, along with the havoc they can cause. Cybercriminals can extract surprisingly valuable information from automated replies, leaving businesses and individuals exposed to phishing and social engineering attacks.

Always be mindful of what you include in your autoresponders. Here’s a quick summary of what to avoid:

  • Direct Targeting: If your autoresponder includes your email address, it confirms to attackers that it’s active.
  • "Whole Family" Confirmation: Phrases like "The family and I are away..." signal that no one is home, increasing security risks.
  • Absence Timeline: "Back on August 15th" tells scammers exactly when you’ll return, helping them time their attacks.
  • Details of Colleagues/Contacts: If your message redirects enquiries to "Contact Jane Smith at jane.smith@company.com," scammers can use this information to impersonate colleagues or launch phishing attempts.
  • Professional Identity Exposure: Including job titles and company names in an auto-reply provides cybercriminals with valuable details for crafting convincing social engineering attacks.
Wongee

A skilled developer, master coder and troubleshooting wizard, this tech powerhouse is the go-to senior support desk hero, always ready to untangle the most perplexing issues. Favourite quote "Into the dark we go softly...""...armed with obsidian protocols and blackbox ciphers". Inspired by Dylan Thomas (the first bit not the last bit)