BUG: Deleting Exchange 5.5 Mailbox with LDAP Poses Security Risk

Using LDAP to delete an Exchange 5.5 mailbox deletes the directory object but not the associated messages and folders in the information store. If a new mailbox with the same distinguished name (DN) is created, regardless of the Windows NT account associated with the new mailbox, the contents of the old information store become available to the new mailbox.

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

Steps to Reproduce Behavior

1. Create a mailbox using the Exchange Administration Program (Admin.exe).
2. Send mail to the mailbox.
3. Use LDP.exe (or another LDAP based tool) to delete the mailbox.
4. Recreate a mailbox with the same DN and a different associated Windows NT account using the Exchange Administrator program. To create a user with the same distinguished name, that it has been created in the same container as the previous mailbox and has the same directory name. The directory name is viewable on the Advanced tab of the mailbox.
5. Log in to the mailbox you made in step 4 and read mail sent before deletion.

For additional information on how to use the LDP.exe file, click the article number below to view the article in the Microsoft Knowledge Base: For additional information on a related DAPI BatchImport bug that was fixed in Exchange 5.5 SP1, click the article number below to view the article in the Microsoft Knowledge Base: