Sunday, March 29, 2009

Outlook Hole - Spammers Sending Spam using Not Read Receipts

Spam comes in many flavors, and the most common technique that spammers use is known as spoofing. Basically, a spammer sends a bunch of spam and adds a header that says it is from you, so when that message gets rejected by the spam victims, all the bounce messages come back to you. It's a common issue that can become bothersome, but it is not really that dangerous.

A new variant has been identified where users suspect Outlook is actually sending the spam. Knowing that mail server logs never lie, our team started poring through the SMTP logs. We identified that the entries for our outbound mail did in fact show that those messages had, indeed, been sent from our servers and IP addresses. And to top it off, they had been sent using SMTP authentication. In other words, something had used the end user's computer and password to send this new type of spam.

We checked for a new infection or unknown spambots using every method in our arsenal with no success, and were surprised to find it was a bug in how Outlook 2003 and 2007 respond to read receipt requests for junk email. The spammers found a new way to send mail to unknown domains without any notification and without an entry in your Sent Items folder.

Spam occasionally includes requests for read receipts. In some cases this is so the spammer can check for valid email addresses but most of the time it’s not intentional or the spammer just wants to be doubly annoying since the sender’s address is invalid and the read/not read receipt bounces back to the victim in the form of an NDR.

The issue has been reported to Microsoft as far back as December 2007, with no resolution.

We had to take action and investigate.
We had a user on our servers report this issue. After investigating the issue, we did notice that Outlook 2003 and 2007 were causing this outbound spam. The headers were showing that the messages were passing through the end users' local Outlook accounts, and that spammers had found a new way to infiltrate. They basically BCC a number of spam targets and send you the spam message with a read receipt enabled. Once the message arrives and it is not read, or if your spam program deletes the message, Outlook sends the following:

To: [BCC Target]
Subject: Not read: [Varying Subjects]
Body: Your message

To: [your address]
Subject: [Varying Subjects]
Sent: 9/25/2008 4:19 AM
was deleted without being read on 3/28/2009 12:16 AM.

***The FIX***
In Outlook 2003 and 2007, access the Tracking settings: Tools, Options, Preferences, Email Options, Tracking Options. Select "Use this option to decide how to respond to requests for read receipts." Select the button "Ask me before sending a response." Select OK.

*** The TEST***
Remove the Preview Pane by selecting View, Toggle Preview Pane. Send a NEW test message to yourself and a backup email with ***Spam Test*** in the Subject and select Read Receipt. When the message arrives, highlight the message and delete it. Empty the Deleted Items folder. The pop-up will ask whether to respond to the message. Check the box to not show this message again and select No to All. The read receipt response will not be sent and you will be protected.
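
For mail administrators who want a server-side check to go with the client setting, here is an added example (not part of the original post) that flags inbound messages whose read receipt would go to an address other than the sender. It assumes the receipt request is carried in the standard `Disposition-Notification-To` header or the legacy `Return-Receipt-To` header; the sample messages and addresses are constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample messages (not taken from real mail).
SPAM = """\
From: "Deals" <promo@sender.example>
To: victim@corp.example
Subject: Cheap watches
Disposition-Notification-To: target@thirdparty.example

Buy now
"""

LEGIT = """\
From: Alice <alice@partner.example>
To: victim@corp.example
Subject: Contract draft
Disposition-Notification-To: Alice <alice@partner.example>

Please confirm receipt.
"""

# Headers a mail client consults when deciding where to send a receipt.
RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To")


def receipt_targets(raw):
    """Return the lower-cased addresses that would receive a read/not-read receipt."""
    msg = message_from_string(raw)
    values = []
    for name in RECEIPT_HEADERS:
        values.extend(msg.get_all(name, []))
    return sorted({addr.lower() for _, addr in getaddresses(values) if addr})


def suspicious_receipt_request(raw):
    """Return receipt targets that differ from the From address (empty list = OK)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return [t for t in receipt_targets(raw) if t != sender]


if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("legit", LEGIT)):
        print(label, suspicious_receipt_request(raw))
```

A gateway filter could strip the receipt headers from any message this flags, so the client never generates the "Not read:" response.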
