Outlook 2007 Read Receipt Security Hole?!

Giganews Newsgroups
Subject: Outlook 2007 Read Receipt Security Hole?!
Posted by:  Tyurin, Andrey (TyurinAndr…@discussions.microsoft.com)
Date: Tue, 30 Sep 2008

I have discovered that the Read Receipt feature in Outlook 2007 contains a security
hole that doesn't appear to be fixed or even described.

In "Options\E-mail Options\Tracking Options" I have the feature named Read Receipt
set to "Never send a response".

Recently I received a few messages with titles "Undeliverable mail: Read:
...". After inspecting these mail messages I found that their MIME headers
are OK, and it looks like Outlook sent mail messages (without any
notifications) titled "Read: ..." in response to a few spam messages in my inbox (IMAP4
account). Of course these spam messages have the Read Receipt option set.

I've made a simple test to determine whether that is really a bug by undeleting
the spam messages in my inbox (struck through), marking them unread and finally
deleting them without reading them. Read receipts have arrived.

I think this is a huge security hole in Outlook 2007 because people sending
spam could find out who has active e-mail addresses.

Have a nice day!
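
An added example, not part of the original post: a Python check that pairs outgoing read receipts (MDNs) with the inbound messages that requested them, which is how the behaviour described above can be confirmed from a mailbox export. The sample messages and addresses are constructed, and the header list (the standard Disposition-Notification-To plus two legacy equivalents) is an assumption about what a receipt-requesting message carries.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value, getaddresses

# Headers that ask the recipient's mail client for a read receipt.
# Disposition-Notification-To is the standard one (RFC 8098); the others are legacy.
RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To", "X-Confirm-Reading-To")

# Constructed sample: inbound spam that requests a read receipt.
SPAM = """\
From: sender@example.test
To: user@example.test
Subject: Offer
Message-ID: <spam1@example.test>
Disposition-Notification-To: <track@example.test>

body
"""
# Constructed sample: the "Read: ..." message the client sent in response.
MDN = """\
From: user@example.test
To: track@example.test
Subject: Read: Offer
Content-Type: multipart/report; report-type=disposition-notification; boundary="b"

--b
Content-Type: message/disposition-notification

Disposition: automatic-action/MDN-sent-automatically; displayed
--b--
"""

def receipt_targets(msg):
    """Addresses an inbound message wants read receipts sent to."""
    values = [v for h in RECEIPT_HEADERS for v in msg.get_all(h, [])]
    return sorted({addr.lower() for _, addr in getaddresses(values) if addr})

def is_mdn(msg):
    """True if an outbound message is a read receipt (multipart/report MDN)."""
    rtype = collapse_rfc2231_value(msg.get_param("report-type", ""))
    return msg.get_content_type() == "multipart/report" and rtype.lower() == "disposition-notification"

def leaked_receipts(inbox, outbox):
    """(recipient, subject) for each outbound MDN sent to an address an inbound message named."""
    wanted = {a for m in inbox for a in receipt_targets(m)}
    return [(rcpt.lower(), m.get("Subject")) for m in outbox if is_mdn(m)
            for _, rcpt in getaddresses(m.get_all("To", [])) if rcpt.lower() in wanted]

INBOX, OUTBOX = [message_from_string(SPAM)], [message_from_string(MDN)]
print(leaked_receipts(INBOX, OUTBOX))
```

With the client set to "Never send a response", any hit from `leaked_receipts` over the real inbox and sent/outbound messages means a receipt went out despite the setting.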