Outlook is revealing our password in Message-ID
From: Gareth Spanglett (gareth_at_codeinc.com)
Date: 10/03/03
Date: Fri, 3 Oct 2003 09:18:17 -0700
Hello all,
I am having a real security crisis. I administer a simple
NT network for a company of 6 people. I update the
workstations and servers at least monthly and have Norton
Anti-Virus with automated daily liveupdates. Our web server
and email server are located with a third party and we use
Rogers Hi-speed as our ISP. We are using a Linksys router
as our firewall.
Two weeks ago - as far as I can tell - we were the subject
of a buffer overflow-type attack. Our network ground to a
crawl and the server logs revealed several unsuccessful
calls to DCOM looking to connect to IISAdmin (which is not
loaded or running on our server). Norton went into a type
of continuous loop and the network became effectively
inoperable.
When I got back from out of town, I was able to get the
system back up fairly quickly with no obvious signs of
damage. I re-installed and updated Norton and rescanned all
the machines. I checked all registries and system files
(including the startup folders) looking for any trojan-type
entries - and nothing.
Then I noticed that messages coming from Outlook were
including our Rogers password in the message-ID. I have
included a snippet of one of the headers below.
Is this some crazy Windows bug or some crazy virus that
doesn't seem to exist? Any suggestions? Rogers has no
records of this type of problem and a search on this site
and Google has revealed very little.
Anyway, any advice would be appreciated,
Quixote1024.
FROM SUSPECT HEADER ("X"s mark where the password was exposed):
Date: Thu, 2 Oct 2003 15:53:57 -0400
Message-ID: <000f01c3891e$eab8f540b03a8c0@gordon.XXXXXXX>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
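
A defensive check for the symptom described in the post, as an added example that is not part of the original message: it parses each outgoing message's Message-ID and reports any label to the right of the "@" that is not a known host or domain name. The `known_labels` allowlist and the sample message (rebuilt from the posted header, keeping the poster's "XXXXXXX" redaction) are assumptions.

```python
import email
from email import policy

# Constructed sample rebuilt from the header quoted in the post.
# "XXXXXXX" is the poster's own redaction, not a real value.
SAMPLE = (
    "Date: Thu, 2 Oct 2003 15:53:57 -0400\n"
    "Message-ID: <000f01c3891e$eab8f540b03a8c0@gordon.XXXXXXX>\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain;\n"
    "    charset=\"iso-8859-1\"\n"
    "X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0\n"
    "\n"
    "test body\n"
)


def message_id_right(raw):
    """Return the part of Message-ID after the last '@', or None if absent."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    value = msg.get("Message-ID")
    if not value:
        return None
    value = value.strip().strip("<>")
    _left, sep, right = value.rpartition("@")
    return right if sep else None


def audit(raw_messages, known_labels):
    """List (index, id-right, unexpected labels) for messages whose
    Message-ID carries labels outside the allowlist.

    known_labels is a hypothetical allowlist of workstation and domain
    labels the mail client is expected to emit (compared case-insensitively).
    """
    known = {label.lower() for label in known_labels}
    findings = []
    for index, raw in enumerate(raw_messages):
        right = message_id_right(raw)
        if right is None:
            continue
        odd = [l for l in right.split(".") if l.lower() not in known]
        if odd:
            findings.append((index, right, odd))
    return findings


if __name__ == "__main__":
    for index, right, odd in audit([SAMPLE], {"gordon"}):
        print(f"message {index}: Message-ID host {right!r} has unexpected labels {odd}")
```

Run it over a copy of sent mail or an outbound spool; any flagged label is text the client is publishing to every recipient.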