>>Within the SMTP header, when the From field contains multiple comma-separated addresses, Outlook and OWA will only display the first address. Why is this called a "spoofing vulnerability"? It's not like the From: address in SMTP is reliable anyway. Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blog.ziffdavis.com/seltzer larryseltzer@xxxxxxxxxxxxx