Understanding Outlook's Security
One of Outlook's strengths is its programmability. Outlook supports VBA, enabling you
to use procedures to automate many mundane tasks. When you need more than VBA
provides, you can install COM add-ins to provide features that Microsoft didn't build into
A Component Object Model (COM) add-in is an application that
uses the host program's object model to access the host program's
interface. COM add-ins add features missing from the program or
improve on existing features.
Extended Reminders (www.slovaktech.com) is an example of a
COM add-in that adds a feature that Outlook is missing—the ability
to use reminders in any folder.
After a COM add-in is installed, it's listed in Tools, Options, Other,
Advanced Options, COM Add-ins.
This programmability comes with a high price tag: Anything you can do, virus writers
can do too, and they usually have destruction on their minds, not helping Outlook users
Outlook 2003 provides a good mix of security and usability. Microsoft assumes that you
know not to install add-ins or use VBA code that comes from questionable sources, so it
allowed Outlook to trust COM add-ins and project code. That means code now runs
without triggering annoying dialogs, such as the one shown in Figure 8.1.
Figure 8.1. The object model security dialog warns you when a program is trying to
send mail on your behalf.
The responsibility to ensure that unsafe add-ins aren't installed now falls on your
shoulders, not Microsoft's. Plenty of safeguards are still built in, but in the end, keeping
your system secure and free from viruses, trojan horses, and worms is your responsibility,
and that's how it should be.
Even though Outlook is very secure, don't use it as an excuse to stop
using common sense when you receive questionable messages. Don't
open attachments you don't need. Always use an antivirus program and
keep the virus definitions current. Auto-protect settings will protect
you if a virus tries to run.
Outlook's first line of defense is Outlook Object Model (OOM) security. If you're using a
COM add-in that's not updated for Outlook 2003, you'll notice the most visible effect of
the OOM security: A warning dialog alerts you that something is trying to access email
addresses or send mail on your behalf (see Figure 8.2).
Figure 8.2. A second warning dialog displays as new messages are created. After the
green bar completes, you need to choose Yes or No to send the message.
As you can see from this figure, the dialog asks whether you want to allow it to send
email. In most cases, you'll want to choose Yes and allow it access for 1 to 10 minutes.
However, if you're not sure what's causing the warning dialog to appear, play it safe and
Outlook Object Model Security
Outlook's object model security protects you by preventing untrusted code from
accessing your messages and address lists. When a program attempts to access your
Outlook data, you'll see one or both of the dialogs shown in the previous section in
Figures 8.1 and 8.2.
However, published Outlook forms, Visual Basic for Applications code, and properly
written Outlook COM add-ins won't trigger the security prompts for standalone users.
Exchange administrators will still be able to manage Outlook security through the
Outlook Security Settings folder and form.
The Office Resource Kit (available online at Microsoft) includes the
security form for Exchange Server and instructions on using it.
Exchange administrators install and administer the form, giving
permission to selected domain users and groups to avoid the security
If you use Exchange Server and want to avoid the security prompts,
you'll need to speak with your administrator.
Any attachment type that's executable is blocked by default. That
means any attachment the computer can run directly, as well as any
shortcut to a program, is blocked. This includes attachments with exe, scr, and
pif extensions. Files such as text files (txt) and images (jpg, gif) open,
but can't be run directly. You can edit the Windows Registry to unblock the
extensions you need to access. Refer to Hour 6, "Working with Email
Attachments," to learn more.
Security in the Reading Pane
The Reading Pane is secure because it doesn't support active content. All potentially
dangerous attachments are blocked (including scripts) and Outlook no longer allows
iframes to display in email.
Open messages offer the same level of protection that you have with the Reading Pane,
so if you like using the Reading Pane, go ahead and use it.
Many HTML elements are disabled in email, including forms, submissions, and other
active content. Open the message and choose View, View in Internet Zone if you need to
see the content. The message is displayed using the Internet Zone settings normally
used for browsing the Internet.
Never lower the security settings using the Tools, Options, Security tab—it's not safe to
do so. If the source is trustworthy, use the View, View in Internet Zone menu selection
when you need to reduce the security level on your email. Don't view messages from
unknown sources in the Internet zone.
Understanding Web Beacons
Also known as Web bugs, Web beacons are images with a URL that includes a code to
identify the email address it was sent to. Every time the image loads, the sender is
informed of the email address that viewed the message. This lets the sender know that the
email address is active and ripe for future mailings.
Although Web beacons are often used by spammers to verify valid email addresses,
they're also used by legitimate mailers, including many newsletters and advertisers, to
learn who reads the messages and which layouts or ad campaigns result in the highest
levels of readership.
Although Web beacons are a popular method for spammers to track
who reads their messages, they aren't the only ones who use them.
Many legitimate companies who send HTML-formatted email use
them to track their readers. Twice I've received messages from
companies asking why I don't read their email or stating that since it
appears I don't read their email, I'll be dropped from their mailing
list. They didn't know I was reading the mailings; I just wasn't letting
the Web beacon report back.
You can selectively show the images that Outlook blocks, disable Web beacon
blocking for all messages from specific domains, or disable it for all email you receive.
Click on the InfoBar or right-click on any image placeholder in the message and select
Download Pictures to display the images in an individual message (see Figure 8.3).
Choose Change Automatic Download Settings to change the global options.
Figure 8.3. Messages containing external images show only the picture placeholders
and text informing you why the images are missing.
You have four methods you can use to change how Outlook uses external content:
• Enable External Content Per Message— Click on the InfoBar or right-click in the
picture placeholder and choose Download Pictures.
• Enable External Content by Domain— Allow external content from domains on
the Safe Senders list or in the Internet Zone's Trusted list.
• Permit External Content for Trusted Senders— Allow content from addresses on
the Safe Senders list and in your Contacts folder to download automatically.
• Disable External Content Blocking— Download all external content
automatically. Not recommended.
Although I recommend against disabling the feature completely, trusting senders or
domains is an acceptable option.
Both the Junk E-mail filter and the Web beacon feature use the Safe
Senders, Safe Recipients, and Blocked Senders lists.
In most cases, using the Safe Senders and Safe Recipients lists is preferable to changing
your Internet Zone settings. Doing so gives you better security when browsing the
sender's Internet site, while allowing their images and external content to display in your
One of the Safe Sender options is Also Trust E-mail from My Contacts. I recommend
against choosing this option for several reasons:
• Most Outlook users include a contact for themselves in the Contacts folder.
Spammers are beginning to send messages to your address and use your address
in the From field. This allows the external content to download because Outlook
thinks it's from you, and it also prevents the message from being treated as junk mail.
• Messages containing viruses that are sent from people in your Contacts folder
would be trusted—a bad move because many viruses fake their From address with
addresses found on the infected computer. Although there is no known exploit that
could take advantage of this feature, we don't know what the future might bring
and the risk isn't worth it.
• I don't need it—no one in my address book sends me messages containing external
content and I don't add newsletter and advertiser addresses to my address book.
Clicking once per message takes a second or I can add individuals or their domains to the
Safe Senders list as needed.
Recently, a spammer tried to trick me into adding his address to my
address book. The message was sent from Chris and the subject
mentioned he had a new email address. The only visible text in the
message asked me to update his address. I was suspicious and
checked the message source by right-clicking on the message body
and choosing View Source. I discovered a disclaimer in the HTML,
formatted as white text so that no one would see it, and a Web
beacon so that the spammer could see whether I read his message.
It's a good thing I didn't fall for his trick. Adding the address to my
address book would allow his messages to remain in my Inbox and
the external content to display.
I immediately added his domain to the Blocked Senders list.
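A small detector for the two tricks described in the Web beacon section above and in this story: an external image whose URL carries a per-recipient code, and a disclaimer hidden as white text. This is an added example, not code from the book or from Outlook; the regular expressions, the 16-character token threshold and the sample message are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Heuristic scanner for Web beacons and white-on-white text in an HTML mail body.
# Added example, not the book's or Outlook's own logic; the regexes, the 16-char
# token threshold and the sample message below are constructed assumptions.
WHITE = re.compile(r"^(?:#fff(?:fff)?|white)$", re.I)
STYLE_COLOR = re.compile(r"(?<![\w-])color\s*:\s*([^;]+)", re.I)
ID_LIKE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")  # opaque id or encoded address
VOID = {"img", "br", "hr", "meta", "link", "input"}  # tags that never get an end tag

class BeaconScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # ('beacon', url) or ('hidden_text', text)
        self._hidden = []   # one flag per open element: does it hide its text?

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            self._check_img(a)
        if tag not in VOID:  # white text via color="" attribute or inline style
            colors = [a.get("color", "")] + STYLE_COLOR.findall(a.get("style", ""))
            self._hidden.append(any(WHITE.match(c.strip()) for c in colors))

    def handle_endtag(self, tag):
        if tag not in VOID and self._hidden:
            self._hidden.pop()

    def handle_data(self, data):
        if data.strip() and any(self._hidden):
            self.findings.append(("hidden_text", data.strip()))

    def _check_img(self, a):
        url, p = a.get("src", ""), urlparse(a.get("src", ""))
        if p.scheme not in ("http", "https"):
            return  # cid:/inline images cannot report back to the sender
        tokens = [v for vals in parse_qs(p.query).values() for v in vals] + p.path.split("/")
        if "@" in url or any(ID_LIKE.match(t) for t in tokens):
            self.findings.append(("beacon", url))  # URL carries a per-recipient code

def scan_html(body):
    s = BeaconScanner()
    s.feed(body)
    return s.findings

SAMPLE = """<p>Hi, I have a new email address, please update your address book.</p>
<font color="#FFFFFF">This is an advertisement. To unsubscribe, reply with REMOVE.</font>
<img src="http://tracker.example/open.gif?u=am9lQGV4YW1wbGUuY29t" width="1" height="1">
<img src="cid:logo123" width="120" height="40">"""
```

Running scan_html(SAMPLE) reports the hidden disclaimer and the tracking image but not the inline cid: logo, which cannot phone home.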
Outlook, Outlook Express, and Internet Explorer share the security zone settings. That
means when you add a domain to the trusted zone, browsing the domain's Internet site is
also in the trusted zone. Use this option only when you already trust the Internet site
because adding the domain to the Safe Senders list provides more protection with the
least amount of hassle.
Finally, if you really don't like Outlook blocking your external content on any of your
messages, you can disable the feature completely. This is not recommended; it's safer to
After you enable external content on a message using the InfoBar, it remains enabled on
that message and will download each time you view the message because external
content isn't cached locally.
When you use a dial-up Internet connection and work offline, blocking
external content prevents your modem from trying to dial every time
you select a message.