Re: Outlook 98 allows spoofing internal users

From: Russ Johnson (rjohnsonat_private)
Date: Thu May 06 1999 - 11:36:38 PDT


    I'm sending this from an Outlook 98 client.
    
    If you don't have message quoting on, then you are correct. It's tough to
    determine where a message is going, whether it's internal or external.
    
    For instance, when I hit the "Reply to all" button, it includes the
    following two entries in the To: field:
    
    Toby Chamberlain; BUGTRAQat_private
    
    (I removed Toby from the To: field, since he should get this in the list)
    
    No mention of Toby's email address. It could be internal or external. I
    agree that MS should give some indication in the To: field that this isn't
    an internal address.
    
    Until such time as MS agrees with us, the simple workaround is to make
    sure to use the "Include Original Message" option for replies and forwards.
    (TOOLS>OPTIONS>EMAIL OPTIONS, lower half of dialog.) Then the original
    message is included, with the header outlined below. As you can see, the
    external email address is there for all to see, even when you spoof it as
    outlined previously. Of course, this leaves open the possibility that users
    won't edit the "quoted" text for brevity, and we end up with exponentially
    growing mail.
    
    It's not the best solution, but MS may choose to not agree with us.
    
    Russ
    
    -----Original Message-----
    From: Toby Chamberlain [mailto:tobyat_private]
    Sent: Tuesday, May 04, 1999 6:05 PM
    To: BUGTRAQat_private
    Subject: Re: Outlook 98 allows spoofing internal users
    
    

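The problem Russ describes above is that the client renders recipients by display name alone, so an external address that reuses an internal user's name looks internal until the full header is shown. The following is an added example, not code from the original post or from Microsoft: it parses the From/To/Cc headers of a raw message, shows the names-only rendering next to the name-plus-address rendering that the "Include Original Message" workaround exposes, and flags any display name that belongs to a known internal user but resolves to an address outside the internal domain. The internal domain (example.com), the directory snapshot and the sample message are all constructed for the demonstration.

```python
"""Detect display-name spoofing of internal users in a message's address headers.

Added example, not part of the original Bugtraq post. It assumes a single internal
mail domain and a small snapshot of the internal address book; both are constructed
here for the demonstration.
"""
import email
from email.utils import formataddr, getaddresses

# Assumption: the organisation's own domain and a snapshot of its address book
# (display name -> canonical address), e.g. exported from the Exchange GAL.
INTERNAL_DOMAIN = "example.com"
INTERNAL_DIRECTORY = {
    "Toby Chamberlain": "toby.chamberlain@example.com",
    "Russ Johnson": "rjohnson@example.com",
}

# Constructed sample: an external sender reusing an internal user's display name,
# and a Reply-All recipient list that mixes internal and external addresses.
SAMPLE_MESSAGE = b"""\
From: Toby Chamberlain <toby@attacker.example>
To: Russ Johnson <rjohnson@example.com>, BUGTRAQ <bugtraq@lists.example>
Cc: "Chamberlain, Toby" <toby.chamberlain@example.com>
Subject: Re: Outlook 98 allows spoofing internal users

(body omitted)
"""


def extract_addresses(raw_message):
    """Return [(header, display_name, address)] for From/To/Cc of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message)
    entries = []
    for header in ("From", "To", "Cc"):
        # getaddresses splits comma-separated lists and unquotes display names
        for name, addr in getaddresses(msg.get_all(header, [])):
            entries.append((header, name.strip(), addr.strip().lower()))
    return entries


def is_internal(address, domain=INTERNAL_DOMAIN):
    """True when the address is in the organisation's own domain."""
    return address.endswith("@" + domain)


def find_spoofed_internal_names(entries, directory=INTERNAL_DIRECTORY):
    """Flag entries whose display name belongs to a known internal user while the
    address is outside the internal domain. Names are compared case-insensitively,
    but only exact name matches are checked; "Chamberlain, Toby" style variants
    would need their own directory entries."""
    known = {name.casefold(): addr for name, addr in directory.items()}
    flagged = []
    for header, name, addr in entries:
        expected = known.get(name.casefold())
        if expected is not None and not is_internal(addr):
            flagged.append((header, name, addr, expected))
    return flagged


def render_recipients(entries, show_addresses=True):
    """Render the To: field two ways: display names only (what the client shows)
    and name plus address (what quoting the original header reveals)."""
    to_entries = [(n, a) for h, n, a in entries if h == "To"]
    if show_addresses:
        return "; ".join(formataddr((n, a)) for n, a in to_entries)
    return "; ".join(n or a for n, a in to_entries)


if __name__ == "__main__":
    entries = extract_addresses(SAMPLE_MESSAGE)
    print("Names only  :", render_recipients(entries, show_addresses=False))
    print("With address:", render_recipients(entries))
    for header, name, addr, expected in find_spoofed_internal_names(entries):
        print(f"WARNING {header}: '{name}' resolves to {addr}, "
              f"but the directory has {expected}")
```

Run as-is it prints "Russ Johnson; BUGTRAQ" for the names-only view, the same list with addresses for the quoted-header view, and one warning for the From: line, where "Toby Chamberlain" maps to toby@attacker.example rather than the directory's toby.chamberlain@example.com. The same check can be run at the gateway over inbound mail, which is where it belongs: the client-side workaround only makes the address visible, it does not stop the message.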


    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:45:14 PDT