
Outlook 2007 Read Receipt Security Hole?!


Recommended Posts

Guest Tyurin, Andrey
Posted

I have discovered that the Read Receipt feature in Outlook 2007 contains a security hole that doesn't appear to be fixed or even described.

In "Options\E-mail Options\Tracking Options" I have the feature named Read Receipt set to "Never send a response".

Recently I received a few messages with titles "Undeliverable mail: Read: ...". After inspecting these mail messages I found that their MIME headers are OK, and it looks like Outlook sent mail messages (without any notification) titled "Read: ..." in response to a few SPAM messages in my inbox (IMAP4 account). Of course these spam messages have the Read Receipt option set.

I made a simple test to determine whether it is really a bug by undeleting the spam messages in my inbox (struck through), marking them unread and finally deleting them without reading. Read receipts have arrived.

I think this is a huge security hole in Outlook 2007 because people sending spam could find out who has active e-mail addresses.

--

Have a nice day!

  • 4 months later...
Guest Nils Gösche
Posted

"Tyurin, Andrey" <TyurinAndrey@discussions.microsoft.com> writes:

> I have discovered that the Read Receipt feature in Outlook 2007 contains a
> security hole that doesn't appear to be fixed or even described.
>
> In "Options\E-mail Options\Tracking Options" I have the feature named Read
> Receipt set to "Never send a response".
>
> Recently I received a few messages with titles "Undeliverable mail: Read:
> ...". After inspecting these mail messages I found that their MIME headers
> are OK, and it looks like Outlook sent mail messages (without any
> notification) titled "Read: ..." in response to a few SPAM messages in my
> inbox (IMAP4 account). Of course these spam messages have the Read Receipt
> option set.
>
> I made a simple test to determine whether it is really a bug by undeleting
> the spam messages in my inbox (struck through), marking them unread and
> finally deleting them without reading. Read receipts have arrived.
>
> I think this is a huge security hole in Outlook 2007 because people sending
> spam could find out who has active e-mail addresses.

 

The same thing happened here in the office today: Several people got a

certain spam mail in a certain IMAP Folder that everybody has subscribed

to. Over night, this email was automatically deleted. And when everybody

started up Outlook this morning, everybody's Outlook client noted that

the spam mail has been deleted, and immediately sent out receipt

messages saying (the German equivalent of) »Your message <blabla> has

been deleted.« The only reason we noticed was that the yahoo address it

was trying to send the receipts to was invalid, so we all got an

»undeliverable« message from our SMTP server. Needless to say, all

Outlook clients are configured never to send any receipts.

 

I agree that this is a security hole that should be fixed.

 

Regards,

--

Nils Gösche

»Don't ask for whom the <CTRL-G> tolls.«

Guest Diane Poremsky [MVP]
Posted

http://www.slipstick.com/problems/rr_ndr.asp - Microsoft is aware of the

issue and working on it. The best solution is to mark messages in the junk

folder as read before emptying the junk folder.

 

--

Diane Poremsky [MVP - Outlook]

Outlook Tips: http://www.outlook-tips.net/

Outlook & Exchange Solutions Center: http://www.slipstick.com

 

Outlook Tips by email:

mailto:dailytips-subscribe-request@lists.outlooktips.net

 

EMO - a weekly newsletter about Outlook and Exchange:

mailto:EMO-NEWSLETTER-SUBSCRIBE-REQUEST@PEACH.EASE.LSOFT.COM

 

You can access this newsgroup by visiting

http://www.microsoft.com/office/community/en-us/default.mspx or point your

newsreader to msnews.microsoft.com.

Guest Nils Gösche
Posted

"Diane Poremsky [MVP]" <outlookmvp@msn.com> writes:

> http://www.slipstick.com/problems/rr_ndr.asp - Microsoft is aware of
> the issue and working on it. The best solution is to mark messages in
> the junk folder as read before emptying the junk folder.

 

Thank you for the link--yes, that seems to be exactly the problem we've

seen here.

 

Regards,

--

Nils Gösche

»Don't ask for whom the <CTRL-G> tolls.«

Guest Nils Gösche
Posted

cartan@cartan.de (Nils Gösche) writes:

> "Diane Poremsky [MVP]" <outlookmvp@msn.com> writes:
>
>> http://www.slipstick.com/problems/rr_ndr.asp - Microsoft is aware of
>> the issue and working on it. The best solution is to mark messages in
>> the junk folder as read before emptying the junk folder.
>
> Thank you for the link--yes, that seems to be exactly the problem we've
> seen here.

 

Ugh--just this morning again, my Outlook sent out 9 such receipts, thus

telling nine happy spammers my company email address. The workaround

does not work here, because the IMAP folder containing the spam mails is

shared by all and emptied automatically by some anti-spam solution.

 

Let's hope there will be a fix eventually.

 

Regards,

--

Nils Gösche

»Don't ask for whom the <CTRL-G> tolls.«

Guest Brian Tillman [MVP - Outlook]
Posted

"Nils Gösche" <cartan@cartan.de> wrote in message news:ueiy8sz9w.fsf@cartan.de...

> Ugh--just this morning again, my Outlook sent out 9 such receipts, thus
> telling nine happy spammers my company email address.

 

Unlikely. Spammers, for the most part, don't use replyable addresses to

send their spew. More often than not it's a completely fake address that

goes nowhere, but if it is a real address, it's probably that of some

innocent whose address was hijacked.

--

Brian Tillman [MVP-Outlook]

Guest Diane Poremsky [MVP]
Posted

Well, chances are you'll just end up with a bunch of NDRs as spammers usually use fake addresses.

 

What if someone/everyone goes into the folder and marks it read every now

and again or mark messages read before deleting? (Use ctrl+q to mark read)

 

--

Diane Poremsky [MVP - Outlook]


Guest Nils Gösche
Posted

"Brian Tillman [MVP - Outlook]" <tillman1952@yahoo.com> writes:

> Unlikely. Spammers, for the most part, don't use replyable addresses
> to send their spew. More often than not it's a completely fake
> address that goes nowhere, but if it is a real address, it's probably
> that of some innocent whose address was hijacked.

 

Yes, but why do they include the Return-Receipt-To header line then, if

not to check which email-addresses in their list are still alive?

 

Regards,

--

Nils Gösche

»Don't ask for whom the <CTRL-G> tolls.«

Guest Nils Gösche
Posted

"Diane Poremsky [MVP]" <outlookmvp@msn.com> writes:

> What if someone/everyone goes into the folder and marks it read every
> now and again or mark messages read before deleting? (Use ctrl+q to
> mark read)

 

Yes, I suppose that could work. Perhaps a little script...

 

Regards,

--

Nils Gösche

»Don't ask for whom the <CTRL-G> tolls.«
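The "little script" idea above, worked out as an added example (not code from this thread, from Microsoft, or from any of the posters): a Python script that logs into the shared IMAP junk folder, finds unread messages whose sender asked for a receipt (an RFC 3798 Disposition-Notification-To header, or the older Return-Receipt-To / Read-Receipt-To forms), and sets the \Seen flag on them so that a later server-side purge deletes them as already-read messages. The host, credentials and folder name are assumptions read from environment variables; the sample headers in SAMPLE_FOLDER are constructed, not real mail. It reduces the window described in the thread rather than closing it: a message that arrives and is purged between two runs of the script can still trigger a receipt on the next Outlook sync, and, as noted later in the thread, the receipt target is often forged, so the "receipt" ends up as an NDR or lands on an uninvolved third party.

```python
"""Mark receipt-requesting messages in an IMAP junk folder as read (\\Seen)
before a server-side purge can delete them unread.

Added example for this thread; not Microsoft's or the posters' code. Host,
account and folder name are assumptions read from the environment.
"""
from __future__ import annotations

import email
import imaplib
import os
from email.utils import getaddresses

# Header fields that ask the recipient's client to send a receipt:
# Disposition-Notification-To is the RFC 3798 MDN request; the other two
# are older non-standard forms. Header lookups are case-insensitive.
RECEIPT_REQUEST_HEADERS = (
    "Disposition-Notification-To",
    "Return-Receipt-To",
    "Read-Receipt-To",
)

# Constructed sample header blocks keyed by IMAP UID (not real mail).
SAMPLE_FOLDER = {
    b"1": (b"From: colleague@example.org\r\nTo: me@example.com\r\n"
           b"Subject: lunch?\r\n\r\n"),
    b"2": (b"From: promo@example.net\r\nTo: me@example.com\r\n"
           b"Disposition-Notification-To: Tracker <tracker@example.net>\r\n"
           b"Subject: buy now\r\n\r\n"),
    b"3": (b"From: other@example.net\r\nTo: me@example.com\r\n"
           b"return-receipt-to: <probe@example.net>\r\n"
           b"Subject: hello\r\n\r\n"),
}


def receipt_targets(raw_headers: bytes) -> list[str]:
    """Addresses a receipt for this message would go to (empty if none).

    Only the header block is parsed, so BODY.PEEK[HEADER] is enough input.
    """
    msg = email.message_from_bytes(raw_headers)
    values = []
    for name in RECEIPT_REQUEST_HEADERS:
        values.extend(msg.get_all(name, []))
    return [addr for _display, addr in getaddresses(values) if addr]


def requests_receipt(raw_headers: bytes) -> bool:
    return bool(receipt_targets(raw_headers))


def select_uids_to_mark(headers_by_uid: dict[bytes, bytes]) -> list[bytes]:
    """From {uid: raw headers}, the UIDs whose sender asked for a receipt."""
    return [uid for uid, hdrs in headers_by_uid.items() if requests_receipt(hdrs)]


def mark_seen_before_purge(conn: imaplib.IMAP4, folder: str) -> list[bytes]:
    """Set \\Seen on every unread, receipt-requesting message in `folder`.

    BODY.PEEK is used so that reading the headers does not itself set \\Seen
    on messages we decide not to touch. Returns the UIDs that were flagged.
    """
    typ, _ = conn.select('"%s"' % folder, readonly=False)
    if typ != "OK":
        raise RuntimeError("cannot select folder %r" % folder)
    typ, data = conn.uid("SEARCH", None, "UNSEEN")
    if typ != "OK" or not data or not data[0]:
        return []
    headers_by_uid = {}
    for uid in data[0].split():
        typ, parts = conn.uid("FETCH", uid, "(BODY.PEEK[HEADER])")
        if typ == "OK" and parts and isinstance(parts[0], tuple):
            headers_by_uid[uid] = parts[0][1]
    flagged = select_uids_to_mark(headers_by_uid)
    for uid in flagged:
        conn.uid("STORE", uid, "+FLAGS.SILENT", r"(\Seen)")
    return flagged


if __name__ == "__main__":
    # Assumed environment: IMAPS on 993, password login, folder "Junk" by default.
    host = os.environ["IMAP_HOST"]
    user = os.environ["IMAP_USER"]
    password = os.environ["IMAP_PASS"]
    folder = os.environ.get("JUNK_FOLDER", "Junk")
    with imaplib.IMAP4_SSL(host) as conn:
        conn.login(user, password)
        for uid in mark_seen_before_purge(conn, folder):
            print("marked UID %s as read" % uid.decode())
```

Run it from a scheduled task a few minutes before the anti-spam tool's purge. Flagging only the messages that carry a receipt request keeps the folder's unread state meaningful for everyone sharing it; if that does not matter, a single STORE of +FLAGS.SILENT (\Seen) over the whole UNSEEN set is simpler and closes the same gap.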

Guest Brian Tillman [MVP - Outlook]
Posted

"Nils Gösche" <cartan@cartan.de> wrote in message news:uab8vu0hh.fsf@cartan.de...

> Yes, but why do they include the Return-Receipt-To header line then, if
> not to check which email-addresses in their list are still alive?

 

Beats me, but you have full control over whether or not to honor return receipt requests, so if you disable receipts, that can't verify your address either.

--

Brian Tillman [MVP-Outlook]

Guest Diane Poremsky [MVP]
Posted

Except there is a bug in Outlook 2007: if the messages are deleted on the server, the receipts are sent when Outlook syncs the folder.

 

 

--

Diane Poremsky [MVP - Outlook]

