Vulnerability Development mailing list archives

RE: MS Exchange 'Recall' feature - Possible to delete mail?


From: "Aditya" <adityald3 () gmx net>
Date: Tue, 26 Aug 2003 18:41:40 +0530

Yes, a specially crafted message with the proper attachment will do the job. The winmail.dat file is the internal 
format of the mail of Exchange / Outlook, which instructs Exchange to do the job, but creating the attachment itself 
requires considerable skill and also requires the message ID of the email to be deleted - not a trivial task to get from 
a system to which you have no access!

Aditya Lalit Deshmukh
Enterprise Security Solutions
aditya () online nailed org 

-----Original Message-----
From: Viraj Alankar [mailto:valankar () access4less net]
Sent: Monday, August 25, 2003 7:26 AM
To: vuln-dev () securityfocus org
Subject: MS Exchange 'Recall' feature - Possible to delete mail?


Hello,

I don't run Exchange but recently came across its 'recall message'
functionality. To me, it just seems dangerous to allow a sender to delete a
message from a recipient's mailbox. I understand this will only work for
Exchange systems, but is it possible for a malicious user outside the
network/domain to send fake 'recall' messages and delete users' mail? Also,
even within an Exchange network, would it be possible for a malicious employee
to delete another employee's mail that they did not send?

All I can tell from these 'recall' messages is that there is the header:

X-MAPI-Message-Class: IPM.Outlook.Recall
Subject: Recall: subject

And a winmail.dat TNEF attachment.

Anyone know much more about this?

Viraj.
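
The three markers listed in the question (the X-MAPI-Message-Class header, the "Recall:" subject and the winmail.dat TNEF attachment) are enough for a mail gateway to recognise recall messages that arrive from outside the organisation. The following is an added example, not part of the original thread: the arrived_external flag, the verdict names, the sample addresses and the policy of holding externally delivered recalls are all assumptions.

```python
from email import message_from_string
from email.message import EmailMessage

RECALL_CLASS = "ipm.outlook.recall"


def recall_indicators(msg):
    """List which of the three recall markers from the thread a message carries."""
    found = []
    if (msg.get("X-MAPI-Message-Class") or "").strip().lower() == RECALL_CLASS:
        found.append("message-class")
    if (msg.get("Subject") or "").strip().lower().startswith("recall:"):
        found.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name == "winmail.dat" or part.get_content_type() == "application/ms-tnef":
            found.append("tnef")
            break
    return found


def classify(raw, arrived_external):
    """Gateway verdict. arrived_external is supplied by the MTA (assumption):
    True when the message came in on the Internet-facing listener."""
    found = recall_indicators(message_from_string(raw))
    if "message-class" not in found:
        return ("pass", found)  # a 'Recall:' subject alone is ordinary mail
    return ("quarantine" if arrived_external else "allow-internal", found)


def sample(recall):
    """Constructed test message; the attachment bytes are a placeholder, not real TNEF."""
    m = EmailMessage()
    m["From"] = "someone@outside.example"
    m["To"] = "user@corp.example"
    m["Subject"] = "Recall: quarterly report"
    m.set_content("body")
    if recall:
        m["X-MAPI-Message-Class"] = "IPM.Outlook.Recall"
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="ms-tnef", filename="winmail.dat")
    return m.as_string()


if __name__ == "__main__":
    print(classify(sample(True), arrived_external=True))
    print(classify(sample(False), arrived_external=True))
    print(classify(sample(True), arrived_external=False))
```

The verdict keys on how the message arrived rather than on its From header, because the From header is set by the sender.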

