Microsoft Lync Server 2010 does not correctly reject a SUBSCRIBE request when the value of the ms-source-verified-user parameter in that request is unverified. Therefore, the Lync Server 2010 server cannot prevent spam instant message (SPIM) attacks that come from public IM clients, such as Windows Live Messenger, AOL, or Yahoo. Additionally, public IM client users can verify the presence status of, and send instant messages to, Office Communicator 2007 R2 users.
This issue occurs because Lync Server 2010 calls the EdgeHeaderProcessor::ProcessInboundServerMessageNonEP() function when there is a message that contains an ms-edge-proxy-message-trust header. This function does not call the CSIPMessage::SetComputedUserValidation() function.
Note: Office Communications Server 2007 R2 uses the CEPHeaderProcessor::ProcessIncomingMessage() function instead. This function does call the CSIPMessage::SetComputedUserValidation() function.
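The following Python example is added here to illustrate the check that the KB says is skipped on the ms-edge-proxy-message-trust path; it is not Lync Server code. The semicolon-separated parameter layout of the ms-edge-proxy-message-trust header, the sample addresses, and the function names are assumptions made for the example.

```python
# Constructed sample: a SUBSCRIBE relayed by the Edge Server whose sender the
# edge could not verify. Header layout and addresses are assumed, not from the KB.
UNVERIFIED_SUBSCRIBE = (
    "SUBSCRIBE sip:alice@contoso.example SIP/2.0\r\n"
    "Via: SIP/2.0/TLS edge.contoso.example:5061\r\n"
    "From: <sip:someone@publicim.example>;tag=1\r\n"
    "To: <sip:alice@contoso.example>\r\n"
    "Event: presence\r\n"
    "ms-edge-proxy-message-trust: ms-source-type=InternetUser;"
    "ms-source-network=PublicCloud;ms-source-verified-user=unverified\r\n"
    "\r\n"
)

def parse_request(raw: str):
    """Return (method, headers) for a SIP request; header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers

def trust_params(headers: dict) -> dict:
    """Split ms-edge-proxy-message-trust into a {param: value} dict (lower-cased)."""
    value = headers.get("ms-edge-proxy-message-trust")
    if value is None:
        return {}
    params = {}
    for part in value.split(";"):
        key, _, val = part.partition("=")
        if key.strip():
            params[key.strip().lower()] = val.strip().lower()
    return params

def subscribe_decision(raw: str) -> str:
    """Accept or reject an inbound SUBSCRIBE based on the edge's verification flag."""
    method, headers = parse_request(raw)
    if method != "SUBSCRIBE":
        return "not-subscribe"
    params = trust_params(headers)
    if not params:
        return "no-edge-trust-header"  # not the edge-relayed path the KB describes
    # The check the KB says was skipped: only an explicit "verified" is trusted.
    if params.get("ms-source-verified-user") == "verified":
        return "accept"
    return "reject"
```

Any value other than an explicit verified (including a missing parameter) is treated as unverified, which is the conservative reading of the KB's description.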
To resolve this issue, install the following cumulative update:
2592292 Description of the cumulative update for Lync Server 2010: August 2011