Re: PING: Outlook 2003 Spam

From: Spencer, Mark (mspencer_at_EVIDENTDATA.COM)
Date: 06/04/04

    Date:         Fri, 4 Jun 2004 08:09:39 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Hello,

    A coworker and I spent much of the day yesterday trying to replicate
    this behavior and we were not able to do so. The only time we can get
    Outlook 2003 to pull anything from our server with this code is when we
    send the email within our own MS Exchange. We've tried multiple
    clients, multiple SMTP servers, and many variations of the code below
    and have not been successful, other than emails sent between Exchange
    users.

    I have not seen any other comments on this issue. Is it possible
    Microsoft has already patched Outlook 2003 to only allow this behavior
    when dealing with a trusted zone?

    Mark

    -----Original Message-----
    From: http-equiv@excite.com [mailto:1@malware.com]
    Sent: Tuesday, May 11, 2004 8:42 AM
    To: bugtraq@securityfocus.com
    Cc: NTBugtraq@listserv.ntbugtraq.com
    Subject: PING: Outlook 2003 Spam

    Tuesday, May 11, 2004

    Outlook 2003 the premier mail client from the company called 'Microsoft'
    certainly appears to have a lot of security features built into it.
    Cursory examination shows excellent thought into 'spam' containment,
    'security' consideration and many other little 'things'. So much so the
    default rendering of html is in so-called 'restricted zone' which
    disallows nearly everything [frames, iframes, objects, scripting etc.].
    In addition 'special' spam measures are taken to disallow graphic
    downloads from a remote server in html email which can be used to verify
    recipients:

    [screen shot: http://www.malware.com/duhlook.png 40KB]

    The Key Word is: nearly

    Utilising Outlook's own bizarre scheMAH ! which comprises a 'proper'
    frame along with an src pointing to our remote server, we are able to
    ping the server and confirm our recipient has viewed our email. We don't
    require graphics or frames or iframes to do that:

    <v:vmlframe style="LEFT: 50px; WIDTH: 300px; POSITION:
    relative; TOP: 30px; HEIGHT: 200px"
    src = "http://www.malware.com/duh.txt#malware"></v:vmlframe>

    <HTML>
    <HEAD>
    <STYLE>
    v\:* { behavior: url(#default#VML); }
    </STYLE>
    <XML:NAMESPACE NS="urn:schemas-microsoft-com:vml" PREFIX="v"/> </HEAD>

    Notes:

    1. We now commence our examination of the Microsoft Office 2003 suite,
       we're a bit late, but it has taken all this time to save up to buy the
       thing
    2. Quick 72 hour prodding reveals that this 'perceived' premier
       device known as Outlook 2003 is in fact riddled with holes
    3. Do not receive or open any emails period. Use string and tin cans
       if you must communicate

    End Call

    --
    http://www.malware.com
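
A gateway-side check for the behaviour discussed in this thread, as an added example that is not part of either message: it parses an HTML mail body and reports every element that would fetch a remote URL, so elements missed by blocking keyed only on `<img>` (such as the `v:vmlframe` above) stand out. The sample body, the `tracker.example` host and the names `RemoteLoadScanner` and `scan` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

FETCH_ATTRS = {"src", "background"}        # attributes a renderer resolves by fetching
VML_NS = "urn:schemas-microsoft-com:vml"   # namespace string quoted in the post
# Constructed sample body modelled on the snippet in the post (placeholder host).
SAMPLE = r"""<html><head><style>v\:* { behavior: url(#default#VML); }</style>
<xml:namespace ns="urn:schemas-microsoft-com:vml" prefix="v"/></head><body>
<img src="cid:logo@local">
<v:vmlframe style="WIDTH: 300px; HEIGHT: 200px"
 src = "http://tracker.example/duh.txt#id"></v:vmlframe>
</body></html>"""


class RemoteLoadScanner(HTMLParser):
    """Collect every element that references a remote URL, not only <img>."""

    def __init__(self):
        super().__init__()
        self.hits = []             # (tag, attribute, url) for each remote reference
        self.vml_enabled = False   # VML namespace or behavior declared in the body
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        self._in_style = tag == "style"
        if tag == "xml:namespace" and attrs.get("ns", "").lower() == VML_NS:
            self.vml_enabled = True
        for name in sorted(FETCH_ATTRS & attrs.keys()):
            url = attrs[name].strip()
            if url.startswith("//") or urlparse(url).scheme in ("http", "https"):
                self.hits.append((tag, name, url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style and "#default#vml" in data.lower():
            self.vml_enabled = True


def scan(html_body):
    """Return remote references, flagging those an <img>-only filter would miss."""
    p = RemoteLoadScanner()
    p.feed(html_body)
    p.close()
    non_img = [h for h in p.hits if h[0] != "img"]
    return {"vml": p.vml_enabled, "remote": p.hits, "non_img": non_img}
```

A gateway could quarantine or rewrite any message for which `scan(body)["non_img"]` is non-empty, independent of how the receiving client zones the message.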