Outlook 2007 Read Receipt Security Hole?!

[Tyurin, Andrey]

I have discovered that Read Receipt feature in Outlook 2007 contain security
hole that doesn't appear to be fixed or even described.

In "Options\E-mail Options\Tracking Options" I've feature named Read Receipt
set to "Never send a response".

Recently I received a few messages with titles "Undeliverable mail: Read:
....". After inspecting this mail messages I've found that their mime-headers
is OK and it looks like Outlook sent mail messages (without any
notifications) titled "Read: ..." to a few SPAM messages in my inbox (IMAP4
account). Of course these spam-messages have Read Receipt option set.

I've made simple test to determine is that really bug by undeleting
spam-messages in my inbox (stroked through), marking them unread and finally
deleting without reading it. Read receipts have arrived.

I think this is a huge security hole in Outlook 2007 because people sending
spam could find out who've active e-mail addresses.

 

[Nils Gösche]

I have discovered that Read Receipt feature in Outlook 2007 contain security
hole that doesn't appear to be fixed or even described.

In "Options\E-mail Options\Tracking Options" I've feature named Read Receipt
set to "Never send a response".

Recently I received a few messages with titles "Undeliverable mail: Read:
...". After inspecting this mail messages I've found that their mime-headers
is OK and it looks like Outlook sent mail messages (without any
notifications) titled "Read: ..." to a few SPAM messages in my inbox (IMAP4
account). Of course these spam-messages have Read Receipt option set.

I've made simple test to determine is that really bug by undeleting
spam-messages in my inbox (stroked through), marking them unread and finally
deleting without reading it. Read receipts have arrived.

I think this is a huge security hole in Outlook 2007 because people sending
spam could find out who've active e-mail addresses.

The same thing happened here in the office today: Several people got a
certain spam mail in a certain IMAP Folder that everybody has subscribed
to. Over night, this email was automatically deleted. And when everybody
started up Outlook this morning, everybody's Outlook client noted that
the spam mail has been deleted, and immediately sent out receipt
messages saying (the German equivalent of) »Your message <blabla> has
been deleted.« The only reason we noticed was that the yahoo address it
was trying to send the receipts to was invalid, so we all got an
»undeliverable« message from our SMTP server. Needless to say, all
Outlook clients are configured never to send any receipts.

I agree that this is a security hole that should be fixed.

Regards,

 

[Diane Poremsky [MVP]]

http://www.slipstick.com/problems/rr_ndr.asp - Microsoft is aware of the
issue and working on it. The best solution is to mark messages in the junk
folder as read before emptying the junk folder.

--
Diane Poremsky [MVP - Outlook]



Outlook Tips by email:
mailto:[email protected]

EMO - a weekly newsletter about Outlook and Exchange:
mailto:[email protected]

You can access this newsgroup by visiting
http://www.microsoft.com/office/community/en-us/default.mspx or point your
newsreader to msnews.microsoft.com.

 

[Nils Gösche]

http://www.slipstick.com/problems/rr_ndr.asp - Microsoft is aware of
the issue and working on it. The best solution is to mark messages in
the junk folder as read before emptying the junk folder.

Thank you for the link--yes, that seems to be exactly the problem we've
seen here.

Regards,

 

[Nils Gösche]

Thank you for the link--yes, that seems to be exactly the problem we've
seen here.

Ugh--just this morning again, my Outlook sent out 9 such receipts, thus
telling nine happy spammers my company email address. The workaround
does not work here, because the IMAP folder containing the spam mails is
shared by all and emptied automatically by some anti-spam solution.

Let's hope there will be a fix eventuallly.

Regards,

 

[Brian Tillman [MVP - Outlook]]

(e-mail address removed) (Nils Gösche) writes:

Ugh--just this morning again, my Outlook sent out 9 such receipts, thus
telling nine happy spammers my company email address.

Unlikely. Spammers, for the most part, don't use replyable addresses to
send their spew. More often than not it's a completely fake address that
goes nowhere, but if it is a real address, it's probably that of some
innocent whose address was hijacked.

 

[Diane Poremsky [MVP]]

Well, chances are you'll just end up with a bunch NDRs as spammers usually
use fake addresses.

What if someone/everyone goes into the folder and marks it read every now
and again or mark messages read before deleting? (Use ctrl+q to mark read)

--
Diane Poremsky [MVP - Outlook]



Outlook Tips by email:
mailto:[email protected]

EMO - a weekly newsletter about Outlook and Exchange:
mailto:[email protected]

You can access this newsgroup by visiting
http://www.microsoft.com/office/community/en-us/default.mspx or point your
newsreader to msnews.microsoft.com.

 

[Nils Gösche]

Unlikely. Spammers, for the most part, don't use replyable addresses
to send their spew. More often than not it's a completely fake
address that goes nowhere, but if it is a real address, it's probably
that of some innocent whose address was hijacked.

Yes, but why do they include the Return-Receipt-To header line then, if
not to check which email-addresses in their list are still alive?

Regards,

 

[Nils Gösche]

What if someone/everyone goes into the folder and marks it read every
now and again or mark messages read before deleting? (Use ctrl+q to
mark read)

Yes, I suppose that could work. Perhaps a little script...

Regards,

 

[Brian Tillman [MVP - Outlook]]

"Brian Tillman [MVP - Outlook]" <[email protected]> writes:

Yes, but why do they include the Return-Receipt-To header line then, if
not to check which email-addresses in their list are still alive?

Beats me, but you have full control over whether or not to honor return
receipt requests, so that can't verify your address, either if you disable
receipts.

 

[Diane Poremsky [MVP]]

Except there is a bug in outlook 2007 if the messages are deleted on the
server, the receipts are sent when outlook syncs the folder up.


--
Diane Poremsky [MVP - Outlook]



Outlook Tips by email:
mailto:[email protected]

EMO - a weekly newsletter about Outlook and Exchange:
mailto:[email protected]

You can access this newsgroup by visiting
http://www.microsoft.com/office/community/en-us/default.mspx or point your
newsreader to msnews.microsoft.com.

"Brian Tillman [MVP - Outlook]" <[email protected]> writes:

Yes, but why do they include the Return-Receipt-To header line then, if
not to check which email-addresses in their list are still alive?

Beats me, but you have full control over whether or not to honor return
receipt requests, so that can't verify your address, either if you disable
receipts.