Vulnerability Development mailing list archives

Q: Microsoft Outlook


From: "Craig, Scott" <SCraig () kmart com>
Date: Mon, 4 Jun 2001 08:28:57 -0400

 
Does anyone know if the recall/replace feature within Microsoft Outlook is
exploitable?
 
What is done to ensure the recall is actually from the sender?
 
------
 
If it requires knowing the specific details of a message (date/time sent,
subject, etc.), then maybe an exploit would be limited to deleting
broadcast-type emails. Some companies may send out numerous announcements.
 
I was thinking if I used an email client on a Unix box that would connect
into a POP port for an Exchange server, it may be possible to see the entire
headers, without an operation taking place.
 
-------
 
The help text for doing the normal operation is as such:
"
Recall or replace a message you've already sent
 
You can recall or replace only those messages you sent to recipients who are
logged on and using Outlook and who have not read the message or moved the
message out of their Inboxes.
 
1 If the Folder List is not visible, click the View menu, and then click
Folder List.
2 Click Sent Items.
3 Open the message you want to recall or replace.
4 On the Actions menu, click Recall This Message.
5 To recall the message, click Delete unread copies of this message.
 
To replace the message with another, click Delete unread copies and replace
with a new message, click OK, and then type a new message.
 
6 To be notified about the success of the recall or replacement for each
recipient, select the Tell me if recall succeeds or fails for each recipient
check box.
 
Note   To replace a message, you must send a new one. If you do not send the
new item, the original message is still recalled.
"

