An unauthenticated user can use Outlook Web Access (OWA) to harvest all the email addresses from an organization's Exchange Server 5.5 Global Address List (GAL). Microsoft has issued a patch for this vulnerability. This vulnerability doesn't affect Exchange 2000.

http://www.microsoft.com/technet/security/bulletin/MS01-047.asp