Y'know, there's an even simpler attack with the same premise. You
intercept an encrypted e-mail from Alice to Bob. You take the mail
body out of the message and send that body to Bob under your e-mail
address (or under some address you control that Bob might mistake for
Alice's, which would be even better). Bob decrypts the message and
replies to it, including the original message body by default.
The mistake here, on Bob's part, is to reply to a message without
paying attention to the e-mail address being used.
The flaw I see (in the whole attack) is:
Why should anybody reply in cleartext to an encrypted message?
Especially if it contains (even parts of) the encrypted message?
And if anybody does, why is he using encryption at all?!?
If a reply is sent at all, it should be encrypted, so an interceptor
has the same problem with the reply - he needs to break the key.
And if it's the sender himself who wants to cheat him, he knows
the message content very well, so what does he want to gain?!?
The whole attack looks very suspicious to me...
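The two points the thread makes (a reply must not quote decrypted material in cleartext, and Bob must check who the reply actually goes to) can be turned into a send-time policy check. The following is an added example, not code from the thread; the addresses, the secret text and the "address book" rule are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Mail:
    """Constructed model of one mail: who it is from/to, its body and whether
    the body is (incoming) or will be (outgoing) encrypted."""
    sender: str
    recipient: str
    body: str
    encrypted: bool


def quoted_lines(body: str) -> set:
    """Lines the mail client copied from the original using '> ' quoting."""
    return {ln.lstrip("> ").strip() for ln in body.splitlines() if ln.startswith(">")}


def check_reply(incoming: Mail, reply: Mail, address_book: set) -> list:
    """Return the policy violations for a draft reply (empty list: safe to send).

    Hypothetical policy derived from the thread:
      1. If the reply quotes anything from a decrypted body, the reply must be encrypted.
      2. A reply to an encrypted mail must go to a correspondent Bob actually knows,
         not to whatever From: address the re-sent ciphertext happened to carry.
    """
    problems = []
    if not incoming.encrypted:
        return problems
    secret = {ln.strip() for ln in incoming.body.splitlines() if ln.strip()}
    if (quoted_lines(reply.body) & secret) and not reply.encrypted:
        problems.append("cleartext reply would quote decrypted content")
    if reply.recipient not in address_book:
        problems.append(f"reply addressed to {reply.recipient}, not a known correspondent")
    return problems


def demo():
    """Replay the thread's scenario: Alice's ciphertext re-sent to Bob under a look-alike address."""
    alice_body = "The merger closes Friday.\nWire the funds to account 12345."   # constructed secret
    book = {"alice@example.org"}                                                  # Bob's known contacts
    resent = Mail("alice@examp1e.org", "bob@example.net", alice_body, encrypted=True)
    quoted = "\n".join("> " + ln for ln in alice_body.splitlines())
    naive = Mail("bob@example.net", resent.sender, "Sure, see below.\n" + quoted, encrypted=False)
    careful = Mail("bob@example.net", "alice@example.org", "Sure, see below.\n" + quoted, encrypted=True)
    return check_reply(resent, naive, book), check_reply(resent, careful, book)


if __name__ == "__main__":
    print(demo())
```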