The revelations (last October) that Microsoft is quietly recycling email addresses from its Hotmail, Live, and Outlook.com domains might have come as a surprise to some. According to an email statement from Microsoft to PCWorld.com cited in the article, when an account becomes inactive, “the email account is automatically queued for deletion from our servers. Then, after a total of 360 days, the email account name is made available again”.
In other words, if you don’t access your Outlook.com mailbox for 360 days, Microsoft can decide that you are no longer interested in the content and recycle it and your email address. Apparently Yahoo! takes the much the same approach. I haven’t been able to track down a definitive statement as to whether Google does the same for Gmail addresses.
In any case, recycling of resources seems perfectly reasonable to me. After all, these are free services and user addresses are assets of those services that remains under the control of the providers. If you elect not to use a free service for a sustained period, it’s surely right that the mailbox and email address should be recycled.
Those who are alarmed by the prospect of email address recycling point to the possibility that the person who is allocated (or requests) an address released through account recycling might receive confidential information sent to that address. This is, of course, a possibility, especially if an attempt is made to contact someone years after the last communication. However, I think the fear is overstated for two simple reasons. First, because they exist at the behest of the provider, free email services are poor repositories for important data. Second, the vast bulk of messages sent to recycled email addresses is likely to come from spammers. Humans who receive a non-delivery notification after they attempt to contact someone are likely to follow up and find out why the problem happened (and get the new address of their correspondent). Spammers will not.
The question raises an interesting issue for corporate email administrators – how long should you leave an email address previously used by someone who has left the company before you assign it to a new user? The problem is more acute here because there is more obvious potential for the inadvertent leakage of sensitive information.
Take the example of where an executive with the address Jane.Doe@Test.com leaves your company. The normal policies are enacted so that the account is disabled and the mailbox is backed up in case its contents are needed in the future (for example, for discovery purposes). Entries for the mailbox are removed from all internal distribution groups and an autoreply might be put in place to inform internal and external senders that Jane Doe no longer works for the company. Then, after perhaps 30 or 50 days, the account and mailbox are deleted.
Let’s then imagine that a new user called Jane Doe joins the company six months later. The default Exchange email address policy or your account provisioning software (if used) might use the “First Name.Last Name” convention to create email addresses and so allocate Jane.Doe@Test.com to the new account. Jane Doe is happy with her new account and mail starts to flow into her mailbox.
The problem then becomes evident. Outlook is fantastic at keeping track of people to whom we send mail. This information is held as a nickname in Outlook’s recipient cache, which is kept in the hidden Recipient Cache folder under the Contacts folder in the mailbox and is loaded into memory when Outlook starts up so that Outlook can use this information for its address auto-completion feature. By default, Outlook keeps up to 1,000 nicknames in the cache (you can increase the limit by creating a new DWORD value called MaxNicknames under HKCU\Software\Microsoft\Office\xx.0\Outlook\AutoNameCheck (where xx is 16 for Outlook 2016, 15 for Outlook 2013, 14 for Outlook 2010, and 12 for Outlook 2007). Microsoft says that they don't recommend increasing the cache but you might want to live on the wild side.
Nicknames are persistent and stay around unless individually removed by the user (or the complete cache is cleared through Outlook options or by running Outlook with the /CleanAutoComplete switch). Users should really create contacts for regular correspondents but they don’t because Outlook creates and maintains nicknames. It’s perfectly rational behavior for people to avoid the bother of creating contacts when Outlook nicknames work. And so we end up with the potential that an old nickname might result in a message containing confidential information going to a new user. This snafu can afflict anyone - I recently sent a note to Paul Cunningham that should have gone to Paul Robichaux. Luckily both Pauls are sensible folk who understand what had happened but a misdirected mail can have serious consequences.
You could force users not to use the recipient cache for address auto-completion by configuring a group policy to set a new DWORD value for the ShowAutoSug to 1 under HKCU\Software\Microsoft\Office\xx.0\Outlook\Preferences. But users probably won’t like that very much because address auto-completion is generally a very useful feature. So it’s better to consider how to make sure that you have a well thought-out policy covering the reuse of email addresses that fits the needs of your company.
Follow Tony @12Knocksinna