Apparently some versions of Outlook actually generate giant Thread-Index
headers. And they don't even wrap it properly.

http://archives.neohapsis.com/archives/postfix/2002-02/1116.html


FWIW, it looks like a legitimate ad from ScriptLogic. It's not forged, not an
exploit, and seems to advertise one of their actual products.

Of course, this begs the question of why ScriptLogic has you on their
advertising list, but that's another matter entirely.


[EMAIL PROTECTED] wrote:
> Got a nasty spam with an extremely oversized Thread-Index header.  (I set
> my word wrap to 72 characters, I don't know if it will hold up however
> when I hit send).
> 
> Does anyone know if it is exploiting a known Outlook/Exchange security
> hole?
> 
> The Thread-Index header seems to have caused Microsoft Outlook to "pick"
> a friendly name from the user's address book and also hide the To:
> header so it came through to undisclosed recipients.
> The entire mail was 1.2megs so SpamAssassin of course did not scan it.
> 
> From [EMAIL PROTECTED]  Tue Aug 30 15:47:08 2005
> Return-Path: <[EMAIL PROTECTED]>
> Received: from excluster1.scriptlogic.com (excluster1.scriptlogic.com
> [65.248.131.18])
>    by inpf1.XXXXXXXXXXX.com (Postfix) with ESMTP id 46F0231A829
>    for <[EMAIL PROTECTED]>; Tue, 30 Aug 2005 15:47:01 -0400 (EDT)
> X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
> Content-class: urn:content-classes:message
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>    boundary="----_=_NextPart_001_01C5AD9B.92851B9B"
> Subject: Active Directory Security, Back up and Restore with Active
> Administrator 4.0
> Date: Tue, 30 Aug 2005 15:46:53 -0400
> Message-ID:
> <[EMAIL PROTECTED]>
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: Active Directory Security, Back up and Restore with Active
> Administrator 4.0
> Thread-Index:
> 
> From: "Jeffrey Colas" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> 
> 
> 
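
An added example, not part of the original thread: a header audit that flags physical header lines over the RFC 5322 limit of 998 octets (the "doesn't wrap properly" case) and sizes a Thread-Index value. It assumes the documented Exchange conversation-index layout (a 22-byte root block plus one 5-byte block per reply) and CRLF line endings; the function names and the zero-filled sample messages are constructed for illustration.

```python
import base64

MAX_LINE = 998   # RFC 5322: a line must not exceed 998 octets (CRLF excluded)
ROOT_LEN = 22    # assumed conversation-index root block (timestamp + GUID)
CHILD_LEN = 5    # assumed size of the block appended for each reply

def header_fields(raw: bytes):
    """Yield (name, unfolded value, longest physical line) per header field."""
    fields = []
    for line in raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1].append(line)          # folded continuation line
        elif b":" in line:
            fields.append([line])
    for lines in fields:
        name, _, first = lines[0].partition(b":")
        value = b"".join([first] + lines[1:])
        yield name.decode("ascii", "replace"), value, max(map(len, lines))

def audit(raw: bytes) -> dict:
    """Report overlong header lines and the decoded size of Thread-Index."""
    report = {"overlong": [], "thread_index": None}
    for name, value, longest in header_fields(raw):
        if longest > MAX_LINE:
            report["overlong"].append((name, longest))
        if name.lower() == "thread-index":
            b64 = b"".join(value.split())    # drop folding whitespace
            try:
                blob = base64.b64decode(b64 + b"=" * (-len(b64) % 4), validate=True)
            except ValueError:
                report["thread_index"] = {"error": "not valid base64"}
                continue
            children, stray = divmod(max(len(blob) - ROOT_LEN, 0), CHILD_LEN)
            report["thread_index"] = {"bytes": len(blob), "children": children,
                                      "stray_bytes": stray}
    return report

def sample(children: int, fold: bool) -> bytes:
    """Constructed message with a zero-filled Thread-Index of the given depth."""
    b64 = base64.b64encode(bytes(ROOT_LEN + CHILD_LEN * children))
    if fold:
        b64 = b"\r\n ".join(b64[i:i + 72] for i in range(0, len(b64), 72))
    return b"Subject: constructed sample\r\nThread-Index: " + b64 + b"\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for label, msg in (("unfolded", sample(400, False)), ("folded", sample(400, True))):
        print(label, audit(msg))
```

The same oversized value passes the line-length check once it is folded, so the decoded block count is the signal that survives a sender or relay that wraps correctly.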
