A new feature in Microsoft Outlook Express could result in users sending thousands of email messages to the same mailbox, the company confirmed today.
Microsoft's email program includes a feature that allows users to break down large email attachments, which are sometimes blocked by Internet service providers. The resulting pieces, which can be as small as 16k, are then sent individually to the same email account.
If an extremely large file is sent out as an attachment, it could be broken up into thousands of small files, according to BugNet editor Bruce Brown, who sent out an alert about the potential problem this morning. Although there are no cases yet of actual "mail bombing" using Outlook Express, he said the potential to cause havoc exists.
"This is a very useful tool for someone who would wish to do ill to someone else," Brown said. "It's a really effective way to send a lot of email very quickly, if your purposes are malevolent."
Many email programs such as Qualcomm's Eudora and Outlook Express will read the attachments as a single file, and thus not be affected by the problem, according to Brad Dameron, an owner of TSCNet, the ISP where the problem was discovered. Dameron characterized the situation as a "feature with the potential to be a problem."
"A good mail program will take those messages and encode it in a file," Dameron said. "With text-based emailers through Unix shells, you're going to see all 1,000 of those emails."
Microsoft confirmed that the feature could result in thousands of email messages being sent to the same email account but noted that the file fragmentation option was incorporated because of customer demand. No users have actually reported such a problem, a spokesman for Microsoft added.
"We consider it a feature, a good feature," said Bill Zolna, a spokesman for Microsoft. "It's certainly not a bug, and we do not consider it a problem." Still, Microsoft will add a dialog box to Outlook Express to warn users of the potential problem when sending out email messages with large attachments, Zolna said.
"The minimum file size should be set higher," Brown said. "But we're pleased that they've acknowledged there is a problem. It's a useful feature--and we don't want to lose the baby with the bath water."