MS Outlook Flood Response Vulnerability

MEDIUM (5.0) No Patch (9424 days)

Threat Intelligence

Low Risk
EPSS Score: 13.02% chance of exploitation (percentile: 94%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Microsoft email clients in Outlook, Exchange, and Windows Messaging automatically respond to Read Receipt and Delivery Receipt tags. This vulnerability allows an attacker to flood a mail system with responses by forging a Read Receipt request that is redirected to a large distribution list, potentially leading to denial-of-service (DoS) attacks or spamming.

Am I affected?

You're affected if you use Microsoft Outlook 2000 or later versions. Check with: net send /noprofile read receipt in the Command Prompt (Windows only).

Note: This vulnerability is specific to Microsoft email clients and not related to other email services like Gmail or Yahoo.

Affected Products

Microsoft / Outlook

How to fix

- Upgrade to Microsoft Outlook 2003 or later.
- Alternatively, disable Read Receipt and Delivery Receipt tags using Group Policy Editor (gpedit.msc) on Windows systems.
- For immediate mitigations:
  - Use a network-based solution to filter out malicious responses (e.g., using a spam filter).
  - Monitor mail server logs for suspicious activity.
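The two immediate mitigations above (filtering at the gateway and monitoring mail logs) can be illustrated with a small script. This is an added example, not code from the original page or from Microsoft: the log line format, the threshold and window values, and the distribution-list set are constructed assumptions. The header names Disposition-Notification-To (the MDN request header from RFC 8098) and Return-Receipt-To (the older de facto receipt request) are real; which of them a given client honours is not stated on the page.

```python
"""
Added example (not from the original page): two defensive checks against a
read-receipt flood. The log line format, the threshold/window values and the
distribution-list set below are assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Header fields that request a read/delivery receipt. Disposition-Notification-To
# is the MDN request header (RFC 8098); Return-Receipt-To is the older form.
RECEIPT_REQUEST_HEADERS = {"disposition-notification-to", "return-receipt-to"}

# Constructed sample gateway log: each line records delivery time, recipient and
# whether the message was itself an automatic receipt (an MDN/DSN report).
SAMPLE_LOG = """\
2024-05-01T09:00:00 to=alice@example.com receipt=no
2024-05-01T09:00:01 to=victim@example.com receipt=yes
2024-05-01T09:00:01 to=victim@example.com receipt=yes
2024-05-01T09:00:02 to=victim@example.com receipt=yes
2024-05-01T09:00:02 to=victim@example.com receipt=yes
2024-05-01T09:00:03 to=victim@example.com receipt=yes
2024-05-01T09:00:04 to=bob@example.com receipt=yes
2024-05-01T09:05:00 to=victim@example.com receipt=yes
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, recipient, is_receipt)."""
    ts_str, to_field, receipt_field = line.split()
    ts = datetime.fromisoformat(ts_str)
    recipient = to_field.split("=", 1)[1]
    is_receipt = receipt_field.split("=", 1)[1] == "yes"
    return ts, recipient, is_receipt


def find_receipt_floods(log_text, threshold=5, window=timedelta(seconds=60)):
    """Monitoring check: return {recipient: peak_count} for every recipient that
    received at least `threshold` automatic receipts inside any `window` span.
    A forged receipt request aimed at a large list shows up as one mailbox
    suddenly receiving many receipts in a short time."""
    recent = defaultdict(deque)   # recipient -> timestamps inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, recipient, is_receipt = parse_line(line)
        if not is_receipt:
            continue
        q = recent[recipient]
        q.append(ts)
        while q and ts - q[0] > window:   # drop receipts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[recipient] = max(flagged.get(recipient, 0), len(q))
    return flagged


def strip_receipt_requests(headers, recipient, distribution_lists):
    """Gateway mitigation: remove receipt-request headers from messages addressed
    to a distribution list, so a single forged request cannot fan out into one
    reply per list member. `headers` is a list of (name, value) tuples and the
    filtered copy is returned; other messages pass through unchanged."""
    if recipient.lower() not in distribution_lists:
        return list(headers)
    return [(name, value) for name, value in headers
            if name.lower() not in RECEIPT_REQUEST_HEADERS]


if __name__ == "__main__":
    print("flooded recipients:", find_receipt_floods(SAMPLE_LOG))
    msg_headers = [("From", "sender@example.net"),
                   ("Disposition-Notification-To", "victim@example.com"),
                   ("Subject", "Quarterly report")]
    print(strip_receipt_requests(msg_headers, "all-staff@example.com",
                                 {"all-staff@example.com"}))
```

The monitoring function keys on the recipient of the receipts rather than on their senders, because in the flood described above the replies come from many legitimate list members and only the target mailbox is unusual. The gateway filter is deliberately narrow: it strips receipt requests only for messages addressed to known distribution lists, leaving ordinary one-to-one receipts working.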