[原文]Microsoft Outlook 8.5 and earlier, and Outlook Express 5 and earlier, with the "Automatically put people I reply to in my address book" option enabled, do not notify the user when the "Reply-To" address is different than the "From" address, which could allow an untrusted remote attacker to spoof legitimate addresses and intercept email from the client that is intended for another user.
Outlook Express is the standard e-mail client that is shipped with Microsoft Windows 9x/ME/NT.
The address book in Outlook Express is normally configured to make entries for all addresses that are replied to by the user of the mail client. An attacker may construct a message header that tricks Address Book into making an entry for an untrusted user under the guise of a trusted one. This is done by sending a message with a misleading "From:" field. When the message is replied to then Address Book will make an entry which actually replies to the attacker.
Situation: 2 good users Target1 and Target2 with addresses firstname.lastname@example.org and
email@example.com and one bad user Attacker, firstname.lastname@example.org. Imagine Attacker wants to get
messages Target1 sends to Target2. Scenario:
1. Attacker composes message with headers:
From: "email@example.com" <firstname.lastname@example.org>
Reply-To: "email@example.com" <firstname.lastname@example.org>
To: Target1 <email@example.com>
Subject: how to catch you on Friday?
and sends it to firstname.lastname@example.org
2. Target1 receives mail, which looks absolutely like mail received from
email@example.com and replies it. Reply will be received by Attacker. In this case
new entry is created in address book pointing NAME "firstname.lastname@example.org" to
3. Now, if while composing new message Target1 directly types e-mail
address email@example.com instead of Target2, Outlook will compose address as
"firstname.lastname@example.org" <email@example.com> and message will be received by Attacker.