|Subject:||Outlook 2007 Read Receipt Security Hole?!|
|Posted by:||Tyurin, Andrey (TyurinAndr…@discussions.microsoft.com)|
|Date:||Tue, 30 Sep 2008|
I have discovered that the Read Receipt feature in Outlook 2007 contains a security
hole that doesn't appear to be fixed or even described.
In "Options\E-mail Options\Tracking Options" I have the feature named Read Receipt
set to "Never send a response".
Recently I received a few messages with titles "Undeliverable mail: Read:
...". After inspecting these mail messages I found that their MIME headers
are OK, and it looks like Outlook sent mail messages (without any
notifications) titled "Read: ..." to a few SPAM messages in my inbox (IMAP4
account). Of course these spam messages have the Read Receipt option set.
I made a simple test to determine whether that is really a bug by undeleting
spam messages in my inbox (struck through), marking them unread and finally
deleting them without reading them. Read receipts have arrived.
I think this is a huge security hole in Outlook 2007 because people sending
spam could find out who has active e-mail addresses.
Have a nice day!
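
A mitigation sketch for the behaviour reported above, added here as an example and not part of the original post or of any Microsoft code: a Python filter that removes read-receipt request headers from an inbound message before a mail client sees it, so the client has nothing to answer. The header list, the function name and the sample message are assumptions constructed for illustration.

```python
"""Strip read-receipt requests from inbound mail before delivery to a client."""
from email import policy
from email.parser import BytesParser

# Headers that ask the recipient's client to send a receipt.
# Disposition-Notification-To is the standard MDN request (RFC 8098);
# the other two are legacy, non-standard equivalents (assumed list).
RECEIPT_HEADERS = (
    "Disposition-Notification-To",
    "Return-Receipt-To",
    "X-Confirm-Reading-To",
)


def strip_receipt_requests(raw: bytes):
    """Return (cleaned_bytes, found); found maps header name -> removed values."""
    msg = BytesParser(policy=policy.SMTP).parsebytes(raw)
    found = {}
    for name in RECEIPT_HEADERS:
        values = msg.get_all(name)  # header lookup is case-insensitive
        if values:
            found[name] = [str(v).strip() for v in values]
            del msg[name]  # deletes every occurrence of the header
    return msg.as_bytes(), found


# Constructed sample message: a spam-like mail carrying two receipt requests,
# one of them with a lower-case header name.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: victim@example.org\r\n"
    b"Subject: Special offer\r\n"
    b"disposition-notification-to: probe@example.net\r\n"
    b"Return-Receipt-To: probe@example.net\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Buy now\r\n"
)

if __name__ == "__main__":
    cleaned, found = strip_receipt_requests(SAMPLE)
    for header, values in found.items():
        print(f"removed {header}: {', '.join(values)}")
    print(cleaned.decode("ascii"))
```

The `found` mapping doubles as a log record: the addresses in it show where a receipt would have been sent.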