I had a funny experience yesterday.
I don’t typically use Microsoft Outlook with my home email account. But
it was bundled with the copy of Office 2010 that I installed a few
months ago, and I figured: heck, if I have it anyway I might as well
hook it up to my personal IMAP account. So I configured Outlook, played
with it a bit, then promptly forgot all about it.
Fast forward to yesterday evening. I launch my copy of Outlook for the
first time in months in order to try something with the calendar, but
then I get distracted and walk away from the computer. Five minutes
later my cell phone gets a message from my FreeBSD server:
EMAIL SERVER HIJACKED - FIREWALLING POSTFIX
Oh. Fun.
A slight digression before I can get on with the story: I try my very
best to be a good Internet citizen, and that of course means not
allowing oneself to become a spam relay. Because this email server
exists only for my personal use, it was simple to write a Perl script
that monitors my Postfix logs and, if it sees anything grossly out of
the ordinary sent out through the server, reconfigures PF to block
outbound connections to TCP port 25. It seemed the responsible thing to
do, especially since some PHP applications on my web server have
permission to relay through this Postfix instance; and let’s face it,
WordPress has a less than stellar security track record.
This script has never given me a false positive. So this was definitely
cause for concern.
I shelled into my VPS and went straight for the mail logs. I was
dismayed to find more than twenty entries like this:
Dec 8 23:35:38 frodo postfix/smtpd[13146]: 13DB43F4DC: \
client=redacted[xxx.xxx.xxx.xxx], sasl_method=LOGIN, sasl_username=redacted
Dec 8 23:35:39 frodo postfix/cleanup[13148]: 13DB43F4DC: \
replace: header Received: from noatun (redacted [xxx.xxx.xxx.xxx]) \
(Authenticated sender: redacted)
by frodo.paleogene.net (Postfix) with ESMTPSA id 13DB43F4DC
for <redacted@example from redacted[xxx.xxx.xxx.xxx]; \
from=<redacted@example.com> to=<redacted@example.com> \
proto=ESMTP helo=<noatun>: Received: from auth-client.paleogene.net \
(auth-client.paleogene.net [206.125.175.178])
(Authenticated sender: hidden)
by frodo.paleogene.net (Postfix) with ESMTPSA id 13DB43F4DC
for <redacted@example.com>; Wed, 8 Dec 2010 23:35:37 -0500 (EST)
All of them sent within seconds of one another, and all of them to
random Gmail accounts and other recipients that I absolutely did not
recognize. Worse, the messages had been sent through a properly SASL
authenticated connection from my laptop (HELO noatun). To quote that old
horror flick: They’re coming from inside the house!
I’ve heard tell of Windows viruses that will quietly send spam through
the user’s configured Outlook mail account, so that the messages
originate from a legitimate mail server and have a better chance of
skipping recipients’ spam folders. I have no idea whether this is
actually a common occurrence in the real world, but it’s plausible
enough, and I couldn’t think of any better explanation why 24 messages
had been sent out from my computer in a matter of seconds, all to
recipients I’d never heard of. I still could not fathom how a spam bot
might have made its way onto my laptop despite my precautions, but
better safe than sorry…
Process Explorer and TCPView failed to reveal anything suspicious, so I
shut down the laptop, yanked out its hard drive, hooked that up to
another machine via a USB-SATA adapter, and started a full offline virus scan.
Meanwhile I kept poking around on the mail server. I had a bit of luck
when I checked /var/spool/postfix/deferred — a few messages had
been caught in the Postfix outbound queue when my script added its
firewall rule. I was morbidly curious what had been sent.
…it was a freaking Message Disposition Notification.
Now sure, I knew all about email read receipts, but I’d immediately
ruled them out as the cause of this behavior because all of my email
clients, Outlook included, are configured to at least ask my permission
before sending one:
[caption id=”attachment_668” align=”aligncenter” width=”570”
caption=”Outlook completely ignores this”]
[/caption]
And anyway, I hadn’t read or deleted any email messages in Outlook, so
why would it want to send any MDNs in the first place?
I did some googling and the pieces slowly began falling into place. It
turns out there’s a horrific bug in recent Outlook versions’ handling of
read receipts: unread messages deleted from an IMAP folder can send a
“not read” MDN, even if you’ve explicitly configured Outlook not to do
so.
And as I had just discovered, it isn’t even necessary to delete the
messages from within Outlook itself to trigger this behavior. Months ago
when I set up Outlook for my IMAP account, I was subscribed to several
Debian and other technical mailing lists that I’ve since left (these
days I prefer to use the Gmane NNTP gateway to read such lists).
Apparently when Outlook started up and noticed that these lists’ mail
folders no longer existed on my server, it decided to send a “not read”
notification for each unread message that requested one in Outlook’s
old cached copy of the folders.
Some searching of the mailing list archives confirmed my hypothesis.
Every recipient of one of these mystery messages had posted something to
one of these lists, presumably (probably unknowingly) including a
Disposition-Notification-To: header in their posts.
I can’t find the words to describe just how wrongheaded this behavior
is. Not only is it semantically incorrect — how can Outlook assume that
just because a message has been deleted from the IMAP server, it wasn’t
first read in some other mail client before being purged? — but it’s a
horrendous privacy risk too, and a boon to email address harvesters.
And in this case, it led me to waste two hours of my time as I had to
diagnose this unsolicited, seemingly spam bot-like burst of messages
that went out through my server.
As much as it has improved over the years, I think this proves Outlook
2010 is still entirely untrustworthy as an email client. Avoid using it
if at all possible.
