[rescue] (Offtopic) X-Message-Flag fun for Outlook  users

Jonathan C. Patschke jp at celestrion.net
Sun Jul 30 01:40:52 CDT 2006

On Sat, 29 Jul 2006, Lionel Peterson wrote:

> Is there really virtue in exploiting a "feature" in software to annoy
> folks on *this* list?

I set that message header on all outgoing mail, not just messages to
this list.

X-Message-Flag has uses far more sinister than merely annoying Outlook
users.  For example, consider the following:

   X-Message-Flag:  This message is digitally signed by the
     sender at somedomain.com, and proven authentic.

   X-Message-Flag:  This message was virus-scanned by Norton Anti-Virus,
     and its attachments are known to be clean

   X-Message-Flag:  This password request was initiated by your system
     administrator, postmaster at yourdomain.com.

The message, as it appears in the last version of Outlook I used, shows
up in the header portion of the email message, but hilighted in a muted
yellow color.  That is, it looks like a message from the mail-system
software, not from the remote sender.  The feature itself is a security
hole at a social-engineering level.

THAT is why I tend to "exploit" it.

Jonathan Patschke    )   "A man who never dreams goes slowly mad."
Elgin, TX           (      --Thomas Dolby, "Valley of the Mind's Eye"

More information about the rescue mailing list