I was working at home late one evening this week and I was about to finish up the project I was working on and decided to make one more pass through my e-mail before going to bed. I launched Outlook to check my several accounts and, shortly after startup, I received a bunch of Delivery Status Notifications (DSNs) for messages I hadn’t sent.
This isn’t all that unusual, because there is a fairly common spamming technique known as spoofing. Basically, a spammer sends a bunch of spam and adds a header that says it is from you, so when that message gets rejected by the spam victims, all the bounce messages come back to you. I wasn’t alarmed at this because I’ve received messages like this before, but it’s prudent to check them anyway.
The thing to look for is to see where the original message was sent from … for example, the report might look like this:
Reporting-MTA: dns; mailserver.somedomain.com
Received-from-MTA: dns; pc123 (xx.xx.xx.xx)
Arrival-Date: Thu, 23 Oct 2008 22:51:33 -0500
The xx.xx.xx.xx will be the IP address of the sender, usually some poor hijacked/zombiefied computer in Thailand or Beijing.
Imagine my shock when I opened up the DSNs and they had MY IP ADDRESS listed as the sender. I started thinking this was some remarkable new spoofing technique, because I knew my computer hadn’t sent the spam; otherwise it would mean my computer had been hijacked.
Knowing that our mail server logs never lie, I logged into the office through a VPN and started poring through the SMTP logs. My blood ran cold when I ran across the entries showing that those messages had, indeed, been sent from my IP address. And to top it off, they had been sent using SMTP authentication. In other words, something had used my computer AND my password to send this spam.
I felt so violated.
I started doing research trying to find out what can infect Outlook like this and remain completely hidden. I searched for hours. I Googled nearly every permutation of “Outlook generated spam” and “Outlook is sending spam” that I could imagine.
There were several recent instances of others having this experience and I was becoming increasingly alarmed. What kind of super-virus had I become infected with? How could this have happened? I am normally quite paranoid and very safe regarding my online activities so I didn’t understand how I could have become infected … I was truly dismayed.
Some of the other occurrences I discovered included the following long threads (and none seemed to have an answer when I checked them):
I went to bed exhausted and felt defeated because I felt sure I had somehow let my computer become hijacked. I started a full system scan using Avast Professional and went to sleep.
The next morning, I got up early to check the results of the scan and, of course, it found nothing, so I started hunting again for the solution. I had seen a mention of how Outlook handles read-receipts in one thread and had dismissed it as unrelated, but since I was starting to re-read the same posts over and over again, I decided to read it more closely.
The title of the thread wasn’t alarming at all: Re: Outlook 2007 IMAP Bug. As I read the article more closely, I realized it was describing exactly what had happened. And more importantly, it turned out this was not some super-bug-malware or infection. It is just a bug in Outlook 2003/2007.
I hadn’t become a spammer, after all!
How the bug works
The bug essentially works like this: Someone sends spam to your IMAP account with a read-receipt request in it from a spoofed e-mail account. Outlook downloads it, but you don’t read it because, well, it’s dirty, stinking spam. Then, you quit Outlook without deleting the message.
At some point, you delete this message from the server using a different mail client, let’s say webmail or maybe an iPhone. The next time Outlook launches, it will see that the message has been deleted and, since there was a read-receipt request attached to it, Outlook generates a friendly “your message was deleted before it was read” message that is sent automatically regardless of your read-receipt setting in Outlook.
I have Outlook set to ignore all read-receipts (I find them rather obnoxious) but apparently Outlook ignores this setting when it comes to sending NOT-read-receipts.
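The two things worth checking when one of these bounces arrives are the ones described above: which IP address the Received-From-MTA field names as the real origin of the bounced message, and whether the bounced message itself was an automatically generated disposition notification (a read/not-read receipt, RFC 8098) rather than mail you composed. The script below is an added example, not code from the original post; it parses a constructed DSN (RFC 3464) with Python’s standard email library. The host names, addresses, the 192.0.2.45 origin address (RFC 5737 documentation range) and the receipt’s subject line are all placeholders; the check for a receipt relies on the report-type parameter and the Auto-Submitted header (RFC 3834), which is how standards-compliant MDNs are marked, and does not assume anything about how Outlook formats its own receipts.

```python
"""Triage a Delivery Status Notification (bounce).

Added example, not from the original post. Extracts the origin of the
bounced message (Received-From-MTA) and checks whether the bounced
message was an automatic disposition notification (read receipt).
"""
import ipaddress
import re
from email import message_from_string, policy

# Constructed sample bounce. Every host, address and subject is a placeholder.
SAMPLE_DSN = """\
From: Mail Delivery System <MAILER-DAEMON@mailserver.somedomain.com>
To: me@somedomain.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn-boundary"

--dsn-boundary
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mailserver.somedomain.com.

--dsn-boundary
Content-Type: message/delivery-status

Reporting-MTA: dns; mailserver.somedomain.com
Received-From-MTA: dns; pc123 (192.0.2.45)
Arrival-Date: Thu, 23 Oct 2008 22:51:33 -0500

Final-Recipient: rfc822; someone@example.org
Action: failed
Status: 5.1.1

--dsn-boundary
Content-Type: text/rfc822-headers

From: me@somedomain.com
To: someone@example.org
Subject: Not read: (original spam subject, placeholder)
Auto-Submitted: auto-replied
Content-Type: multipart/report; report-type=disposition-notification; boundary="mdn-boundary"

--dsn-boundary--
"""

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _mta_value(raw):
    """'dns; host (1.2.3.4)' -> 'host (1.2.3.4)' (drop the address type)."""
    return str(raw).split(";", 1)[-1].strip()


def _bounced_headers(part):
    """Return the headers of the bounced original as a Message, or None."""
    ctype = part.get_content_type()
    if ctype == "text/rfc822-headers":
        return message_from_string(part.get_content(), policy=policy.default)
    if ctype == "message/rfc822":
        return part.get_payload(0)
    return None


def triage_dsn(raw, my_ips):
    """Parse one bounce; my_ips is the set of addresses your own machines use."""
    msg = message_from_string(raw, policy=policy.default)
    result = {"reporting_mta": None, "origin_ip": None, "origin_is_mine": False,
              "bounced_subject": None, "bounced_is_receipt": False}
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            # The stdlib splits the per-message and per-recipient field
            # blocks into a list of header-only Message objects.
            for block in part.get_payload():
                if block.get("Reporting-MTA") and not result["reporting_mta"]:
                    result["reporting_mta"] = _mta_value(block["Reporting-MTA"])
                if block.get("Received-From-MTA") and not result["origin_ip"]:
                    m = _IPV4.search(str(block["Received-From-MTA"]))
                    if m:
                        result["origin_ip"] = m.group(1)
            continue
        hdrs = _bounced_headers(part)
        if hdrs is not None:
            result["bounced_subject"] = str(hdrs.get("Subject", ""))
            # An MDN is a multipart/report with report-type=disposition-notification,
            # and automatic replies should carry Auto-Submitted: auto-*.
            is_mdn = hdrs.get_param("report-type") == "disposition-notification"
            auto = str(hdrs.get("Auto-Submitted", "no")).lower().startswith("auto-")
            result["bounced_is_receipt"] = is_mdn or auto
    if result["origin_ip"]:
        mine = {ipaddress.ip_address(i) for i in my_ips}
        result["origin_is_mine"] = ipaddress.ip_address(result["origin_ip"]) in mine
    return result


if __name__ == "__main__":
    for key, value in triage_dsn(SAMPLE_DSN, {"192.0.2.45"}).items():
        print(f"{key:20} {value}")
```

If origin_is_mine is False the bounce is ordinary spoofing and can be ignored; if it is True and bounced_is_receipt is also True, the “spam” was a receipt your client generated, which is the case this post describes. Only the remaining combination (your address, a message you did not compose, not a receipt) points at a compromised machine or password and deserves the log review described above.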
It seems in the last couple of months, spammers have started finding ways to exploit this more and more.
So, I finally posted a note in the Microsoft Outlook forums trying to find a way to turn off Outlook’s overzealous notifications, so hopefully I’ll get an answer. I’ll update this post if and when I do.
Updated @ 2008-10-27 8:59 p.m. — I have opened a support ticket with Microsoft (using e-mail). We’ll see if I get any response that way, as well.