Spammers using Outlook to email-bomb sites

David Wicks

I am running Outlook 2002 SP3. I am finding that I get frequent emails
containing the headers:

Return-Receipt-To
and
Disposition-Notification-To

Every time Outlook downloads a message from my POP3 server containing
these headers it spits back an email to the given address. Basically,
this gives spammers the ability to use my PC to send an email to anyone
they want and I can do nothing to stop it other than switching to
another email client. (I found that Eudora does not have this problem.)

Is Outlook a hopeless case or is there something I can do to stop this
activity?

By the way, I know this is happening because I see a virus check run on
the outgoing email and Norton AntiSpam asks me if I want to add the
address to my approved list. (A secondary effect is that the default
NAS setting is to automatically add users you send email to to the
approved list, so these spammers are all getting free rides into
people's approved lists!) I have found a 100% correlation with this
unwanted automatic emailing and received messages with these return
receipt headers. A lot of the time I also get a delivery failure email
a few hours later, presumably because the site being email-bombed turns
off that account.

To be clear, this is happening on message download, not message read. I
am aware of turning off email read messages and do have Outlook set to
prompt me before sending a read receipt. I am looking for a similar
control to prevent automatic *receipt* notification sending when doing
message downloading.

What is really amazing to me is how low-tech this is. You don't need a
virus, or a worm, or a trojan horse (Unless you consider Outlook itself
to be a trojan horse!). Microsoft is actually the party that is
providing this functionality to spammers.
 
Ben M. Schorr - MVP

Hmm. Well, that's a pretty marginal attack. For one they'd have to send
out every message they get a response to - it's a 1-to-1 thing. They could
just as easily send the messages directly to the intended victim. I guess
by sending it to you they get a little bit of anonymity.

But the nature of delivery receipts is such that it's going to be more of a
trickle than a flow.

Also all it sends to the victim is a delivery receipt. That really doesn't
contain much in the way of useful information.

So...while I see your point, it seems like a pretty lame way for a spammer
or attacker to get at somebody.

Aloha,

-Ben-
Ben M. Schorr, OneNote-MVP
Roland Schorr & Tower
http://www.rolandschorr.com
Microsoft Outlook FAQ: http://www.factplace.com/outlook.htm

**I apologize but I am unable to respond to direct requests for assistance.
Please post questions and replies here in the newsgroup. Mahalo!
 
Peter Rogers

David Wicks said:
> I am running Outlook 2002 SP3. I am finding that I get frequent emails
> containing the headers:
>
> Return-Receipt-To
> and
> Disposition-Notification-To
>
> Every time Outlook downloads a message from my POP3 server containing
> these headers it spits back an email to the given address. Basically,
> this gives spammers the ability to use my PC to send an email to anyone
> they want and I can do nothing to stop it other than switching to
> another email client. (I found that Eudora does not have this problem.)
>
> Is Outlook a hopeless case or is there something I can do to stop this
> activity?

Easy to prevent read receipts being sent out automatically

Go to TOOLS then OPTIONS, then click on E MAIL OPTIONS, then click on
TRACKING OPTIONS. You then have the choice of either 1.) always
sending read receipts 2.) never sending read receipts or 3.) being
notified when read receipts are requested.

Option 3 IMHO is the best setting

Peter

Posting from Peter Rogers

Replace NOSPAM with ntlworld to reply
 
David Wicks

> Easy to prevent read receipts being sent out automatically
>
> Go to TOOLS then OPTIONS, then click on E MAIL OPTIONS, then click on
> TRACKING OPTIONS. You then have the choice of either 1.) always
> sending read receipts 2.) never sending read receipts or 3.) being
> notified when read receipts are requested.
>
> Option 3 IMHO is the best setting
>
> Peter
>
> Posting from Peter Rogers
>
> Replace NOSPAM with ntlworld to reply

Sorry, but your answer is to a different problem. This is not a read
receipt I am dealing with. It is a "receipt receipt". The return email
is being generated as part of the "Send/Receive" before I even have a
chance to even click on the email to read it or delete it. I do have
read receipt options selected as you suggest and that DOES work when I
actually open email for reading.

As I said in my previous email, I really do not appreciate having my PC
being used without my approval as part of someone else's email attack.
So I'll repeat the question: "Is it possible in Outlook (XP SP3) to set
options for "Return-Receipt-To" similar to the way you can for read
receipts?"
 
Brian Tillman

Ben M. Schorr - MVP said:
> So...while I see your point, it seems like a pretty lame way for a
> spammer or attacker to get at somebody.

Perhaps, but it may be a way to "punish" someone with whom you have a
disagreement, since it could lead to someone complaining to the victim's
ISP.
 
Milly Staples [MVP - Outlook]

If you are talking about a delivery receipt, that is controlled by the email
server that you use, probably your ISP. And, no, there is no way from the
Outlook client to control the ISP mail server behavior.

Delivery receipts are normally generated as a courtesy when they are
requested. However, this should not give the spammer any ability to send
mail using your email account, unless they are using a forged email account,
which a delivery receipt would have no effect on since spammers pull this
out of their nether-regions without prompting. Being infected with a worm
would give them this ability, however. I would check my computer and make
sure the AV is up to date and run a scan.

However, posting your real email address to a news group (as you have done)
WILL get your email address added to the spammers' arsenal to use for sending
forged spam mail.

--
Milly Staples [MVP - Outlook]

Post all replies to the group to keep the discussion intact. All
unsolicited mail sent to my personal account will be deleted without
reading.


 
David Wicks

> If you are talking about a delivery receipt, that is controlled by the email
> server that you use, probably your ISP. And, no, there is no way from the
> Outlook client to control the ISP mail server behavior.
>
> Delivery receipts are normally generated as a courtesy when they are
> requested. However, this should not give the spammer any ability to send
> mail using your email account, unless they are using a forged email account,
> which a delivery receipt would have no effect on since spammers pull this
> out of their nether-regions without prompting. Being infected with a worm
> would give them this ability, however. I would check my computer and make
> sure the AV is up to date and run a scan.
>
> However, posting your real email address to a news group (as you have done)
> WILL get your email address added to the spammers' arsenal to use for sending
> forged spam mail.

There must be more going on than what you describe. I have Outlook (XP
SP3) set to display progress and it shows mail being received but then
another line opens up and it says it is sending mail. Norton Antivirus
pops up a box saying it is scanning outgoing email. Norton AntiSpam
pops up a dialog asking me if I want to add some unfamiliar email
address to my approved list. And finally I will sometimes get a
delivery failure notice shortly afterward referring to the same address.
I have even gone as far as setting my account to only receive when doing
a "Send/Receive", yet Outlook still merrily goes and does a send anyhow
when it gets the right email trigger. When I take it a step farther and
give it a fake smtp address, it tries to send email when triggered and
it fails. But it never gives up trying. I can go as far as rebooting,
but Outlook will continue trying to send that response email every
send/receive until I finally put back a proper smtp address and let it
send its response email.

Taken together I think I have some fairly convincing evidence that email
is being created on my PC **BY OUTLOOK** and you can't blame this on a
server. And I think that the people sending me this email know it and I
also suspect that this is something fairly widespread and largely
undetected because you have to tweak defaults to even see that it is
happening. Most people are living in blind ignorance, not knowing that
their PC is being used as part of an email barrage to the target of the
day.

In EVERY case the email that triggers the sending has the two headers
that are not present in well behaved email:

Return-Receipt-To:
and
Disposition-Notification-To:

I have scanned my PC with Norton AV (NIS 2006 with antispyware) and have
also tried out several spyware scanners and none turn anything up.

I have found that when I pull in email using Eudora or Thunderbird, they
do not send an email response. Only Outlook does. I think that this
also lets the Norton stuff off the hook because it still runs even with
the other email clients and they don't have this email response problem.

By the way, while the email address in my posting is real, it isn't my
primary email. Too bad, because that hotmail account does not seem to
have this problem. (Spam to your heart's content on that one!) I only
see it in my main POP3 account.
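
Added example, not part of the original thread and not any poster's code: a Python filter that could run on a downloaded message before a mail client processes it, removing the two receipt-request headers named above and flagging requests whose target is not the message's own sender. The function names, the sample messages and the `.example` addresses are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.utils import getaddresses

# The two receipt-request headers named in the thread.
RECEIPT_HEADERS = ("Return-Receipt-To", "Disposition-Notification-To")

def _addrs(msg, name):
    """Lower-cased addresses from every instance of header `name`."""
    values = [str(v) for v in msg.get_all(name, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def neutralize_receipt_requests(raw):
    """Return (cleaned_bytes, findings) for one raw message.

    Each finding is (header, target, mismatch). mismatch is True when the
    receipt would go to an address that is neither the Return-Path nor the
    From address, i.e. the client would be mailing a third party.
    """
    msg = message_from_bytes(raw, policy=policy.compat32)
    senders = _addrs(msg, "Return-Path") | _addrs(msg, "From")
    findings = []
    for header in RECEIPT_HEADERS:
        for target in sorted(_addrs(msg, header)):
            findings.append((header, target, target not in senders))
        del msg[header]  # drops every instance; no error if absent
    return msg.as_bytes(), findings

# Constructed sample: the receipt target differs from the sender.
SAMPLE_REFLECTED = b"""\
Return-Path: <bulk@sender.example>
From: Offers <bulk@sender.example>
To: user@recipient.example
Return-Receipt-To: victim@target.example
Disposition-Notification-To: victim@target.example

Hello
"""

# Constructed sample: an ordinary receipt request back to the sender.
SAMPLE_ORDINARY = b"""\
From: Colleague <colleague@corp.example>
To: user@recipient.example
Disposition-Notification-To: Colleague <colleague@corp.example>

Minutes attached.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_REFLECTED, SAMPLE_ORDINARY):
        print(neutralize_receipt_requests(sample)[1])
```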
 
Ben M. Schorr - MVP

Brian Tillman said:
> Perhaps, but it may be a way to "punish" someone with whom you have a
> disagreement, since it could lead to someone complaining to the victim's
> ISP.

I guess. Anybody who chooses that as a way to "punish" somebody probably
gets even with folks by stealing one paperclip a day from their desk drawer
too, gleefully anticipating that glorious day when the victim wants to
attach two pieces of paper together and has to walk to the copier room to
get more clips. <chuckle>

There are so many better ways to do it -- heck the "attacker" could just
complain to the victim's ISP directly and claim to have been spammed by
him/her.

Aloha,

-Ben-
Ben M. Schorr, OneNote-MVP
Roland Schorr & Tower
http://www.rolandschorr.com
Microsoft Outlook FAQ: http://www.factplace.com/outlook.htm

**I apologize but I am unable to respond to direct requests for assistance.
Please post questions and replies here in the newsgroup. Mahalo!
 
