Alexander Klink at Cynops GmbH has published a new vulnerability in the Microsoft CryptoAPI that allows spammers to check whether a given email address is valid and actually being read. As described in his white paper, "HTTP over X.509 - a whitepaper":
Microsoft Outlook and Windows Live Mail (the successor of Outlook Express) both support the S/MIME standard for signed and encrypted emails. When opening an S/MIME-signed email (even using just the preview pane), the applications will try to fetch the URIs specified in the certificate using the Microsoft CryptoAPI. This vulnerability could for example be used by spammers to verify email addresses and that their email has not been filtered by a spam filter on the mail server. Note that this is computationally cheap for the spammer, as the S/MIME signature does not even have to be valid. Combined with IP geolocation, the spammer could also learn where the user fetches his mail from, which could be used in targeted advertising or phishing attacks.
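The URIs the paper refers to live in two X.509 extensions of the signer certificate: CRL Distribution Points (OID 2.5.29.31) and Authority Information Access (OID 1.3.6.1.5.5.7.1.1, the OCSP and caIssuers pointers). A client that tries to validate the signer fetches them, so a sender who puts a per-recipient token in the path learns who opened the mail and from which IP address, whether or not the signature verifies. The following is an added example, not code from the whitepaper or from Cynops: it builds those two extensions in DER with only the Python standard library, then parses them the way a mail gateway could before the client ever sees the message, and flags URIs whose path carries a long hex token or an embedded address. All hostnames, paths, tokens and the "looks like a tracker" heuristic are constructed for the demonstration.

```python
"""Added example (not from the whitepaper): build and inspect the certificate
extensions whose URIs Outlook / Windows Live Mail will fetch when validating an
S/MIME signer. Standard library only."""
import re

CRL_DP_OID = "2.5.29.31"            # id-ce-cRLDistributionPoints
AIA_OID = "1.3.6.1.5.5.7.1.1"       # id-pe-authorityInfoAccess
CA_ISSUERS_OID = "1.3.6.1.5.5.7.48.2"

# Constructed sample data: hostnames, paths and hex tokens are made up.
BENIGN_CRL_URI = "http://crl.example.com/ca.crl"
TRACKER_CRL_URI = "http://crl.example.net/9f86d081884c7d659a2feaa0c55ad015.crl"
TRACKER_AIA_URI = "http://aia.example.net/issuer/a3b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5.cer"


# ---- minimal DER encoder (single-byte tags suffice for these structures) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def general_name_uri(uri):
    # GeneralName ::= CHOICE { ... uniformResourceIdentifier [6] IA5String ... }
    return der_tlv(0x86, uri.encode("ascii"))

def crl_dp_extension(uris):
    # DistributionPoint ::= SEQUENCE { distributionPoint [0] DistributionPointName }
    # DistributionPointName ::= CHOICE { fullName [0] GeneralNames }
    points = b"".join(der_tlv(0x30, der_tlv(0xA0, der_tlv(0xA0, general_name_uri(u)))) for u in uris)
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    return der_tlv(0x30, der_oid(CRL_DP_OID) + der_tlv(0x04, der_tlv(0x30, points)))

def aia_extension(access):
    # AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
    descs = b"".join(der_tlv(0x30, der_oid(m) + general_name_uri(u)) for m, u in access)
    return der_tlv(0x30, der_oid(AIA_OID) + der_tlv(0x04, der_tlv(0x30, descs)))

def build_demo_extensions():
    """Content of a certificate's Extensions SEQUENCE: one honest CRL URI, two tracking URIs."""
    return crl_dp_extension([BENIGN_CRL_URI, TRACKER_CRL_URI]) + \
        aia_extension([(CA_ISSUERS_OID, TRACKER_AIA_URI)])


# ---- minimal DER decoder ----
def iter_tlv(data):
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def find_uris(der):
    """Collect every [6] uniformResourceIdentifier, descending into constructed types."""
    uris = []
    for tag, content in iter_tlv(der):
        if tag == 0x86:
            uris.append(content.decode("ascii"))
        elif tag & 0x20:                       # SEQUENCE, SET or explicit [n] tag
            uris.extend(find_uris(content))
    return uris

def fetchable_uris(extensions_der):
    """Map extension OID -> URIs a validating client would try to fetch."""
    result = {}
    for tag, ext in iter_tlv(extensions_der):
        if tag != 0x30:
            continue
        fields = list(iter_tlv(ext))
        oid = decode_oid(fields[0][1])
        if oid in (CRL_DP_OID, AIA_OID):
            extn_value = next(c for t, c in fields if t == 0x04)
            result[oid] = find_uris(extn_value)
    return result

# Gateway heuristic (an assumption, not from the paper): a long hex token or an
# embedded address in the path is what a per-recipient tracking URI looks like.
TOKEN_RE = re.compile(r"[0-9a-fA-F]{16,}|@|%40")

def suspicious_uris(uris_by_oid):
    flagged = []
    for uris in uris_by_oid.values():
        for uri in uris:
            path = uri.split("://", 1)[-1].partition("/")[2]   # ignore the hostname
            if TOKEN_RE.search(path):
                flagged.append(uri)
    return flagged

if __name__ == "__main__":
    found = fetchable_uris(build_demo_extensions())
    for oid, uris in found.items():
        print(oid, uris)
    print("flagged:", suspicious_uris(found))
```

Because the paper notes that the signature need not be valid for the fetch to happen, a gateway cannot rely on signature verification to weed these messages out; it has to look at the certificate's own extensions, as above, or block the client's revocation-checking traffic to untrusted hosts.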
May this be the beginning of a new spam epidemic? I believe that opportunities like this one, in which spammers can reach so many users, are few. The kinds of things spammers have been routinely doing with images (which email clients no longer load automatically) clearly show that they cannot waste such an opportunity.
Happily, my email client Thunderbird is not affected by this vulnerability :-)