My company allows OOF to the internet for most of our customers as it is often requested.  Though there is are small risks to being able to verify an address is correct or knowing if someone is out of the office.  These could be mitigated by having the users leave only the minimal information on their response email.

Many companies that are considered to be on the leading edge with Exchange allow OOFs to the internet.  A feature to look forward in Exchange 2007 will allow a user to specify a internal and external OOF so that more information can be provided to internal users.

Some guidelines for using OOF:

• Never say specifically you are going on a holiday
• Never include your home address or phone number
• Never include personal contact details or personal mobile number etc
• Do keep the information generic (i.e. "I will have limited access to the next few days")
• Do set company guidelines for using OOF
• Do upgrade to Exchange 2007 :)