[原文]Microsoft Outlook 8.5 and earlier, and Outlook Express 5 and earlier, with the "Automatically put people I reply to in my address book" option enabled, do not notify the user when the "Reply-To" address is different than the "From" address, which could allow an untrusted remote attacker to spoof legitimate addresses and intercept email from the client that is intended for another user.
Outlook Express is the standard e-mail client that is shipped with Microsoft Windows 9x/ME/NT.
The address book in Outlook Express is normally configured to make entries for all addresses that are replied to by the user of the mail client. An attacker may construct a message header that tricks Address Book into making an entry for an untrusted user under the guise of a trusted one. This is done by sending a message with a misleading "From:" field. When the message is replied to then Address Book will make an entry which actually replies to the attacker.
Situation: 2 good users Target1 and Target2 with addresses email@example.com and
firstname.lastname@example.org and one bad user Attacker, email@example.com. Imagine Attacker wants to get
messages Target1 sends to Target2. Scenario:
1. Attacker composes message with headers:
From: "firstname.lastname@example.org" <email@example.com>
Reply-To: "firstname.lastname@example.org" <email@example.com>
To: Target1 <firstname.lastname@example.org>
Subject: how to catch you on Friday?
and sends it to email@example.com
2. Target1 receives mail, which looks absolutely like mail received from
firstname.lastname@example.org and replies it. Reply will be received by Attacker. In this case
new entry is created in address book pointing NAME "email@example.com" to
3. Now, if while composing new message Target1 directly types e-mail
address firstname.lastname@example.org instead of Target2, Outlook will compose address as
"email@example.com" <firstname.lastname@example.org> and message will be received by Attacker.