Understanding Outlook s Security

Understanding Outlook's Security

One of Outlook's strengths is its programmability. Outlook supports VBA, enabling you to use procedures to automate many mundane tasks . When you need more than VBA provides, you can install COM add-ins to provide features that Microsoft didn't build into Outlook.

A Component Object Model (COM) add-in is an application that uses the host program's object model to access the host program's interface. COM add-ins add features missing from the program or improve on existing features. Extended Reminders (www.slovaktech.com) is an example of a COM add-in that adds a feature that Outlook is missing ”the ability to use reminders in any folder. After a COM add-in is installed, it's listed in T ools, O ptions, Other, Advanced O ptions, C O M Add-ins.

This programmability comes with a high price tag: Anything you can do, virus writers can do too, and they usually have destruction on their minds, not helping Outlook users work smarter .

Outlook 2003 provides a good mix of security and usability. Microsoft assumes that you know not to install add-ins or use VBA code that comes from questionable sources, so it allowed Outlook to trust COM add-ins and project code. That means code now runs without triggering annoying dialogs, such as the one shown in Figure 8.1.

The responsibility to ensure that unsafe add-ins aren't installed now falls on your shoulders, not Microsoft's. Plenty of safeguards are still built in, but in the end, keeping your system secure and free from viruses, trojan horses, and worms is your responsibility, and that's how it should be.

Even though Outlook is very secure, don't use it as an excuse to stop using common sense when you receive questionable messages. Don't open attachments you don't need. Always use an antivirus program and keep the virus definitions current. Auto-protect settings will protect you if a virus tries to run.

Outlook's first line of defense is Outlook Object Model (OOM) security. If you're using a COM add-in that's not updated for Outlook 2003, you'll notice the most visible effect of the OOM security: A warning dialog alerts you that something is trying to access email addresses or send mail on your behalf (see Figure 8.2).

As you can see from this figure, the dialog asks whether you want to allow it to send email. In most cases, you'll want to choose Yes and allow it access for 1 to 10 minutes. However, if you're not sure what's causing the warning dialog to appear, play it safe and choose N o.

Outlook Object Model Security

Outlook's object model security protects you by preventing untrusted code from accessing your messages and address lists. When a program attempts to access your Outlook data, you'll see one or both of the dialogs shown in the previous section in Figures 8.1 and 8.2.

However, published Outlook forms, Visual Basic for Applications code, and properly written Outlook COM add-ins won't trigger the security prompts for standalone users. Exchange administrators will still be able to manage Outlook security through the Outlook Security Settings folder and form.

The Office Resource Kit (available online at Microsoft) includes the security form for Exchange Server and instructions on using it. Exchange administrators install and administer the form, giving permission to selected domain users and groups to avoid the security prompt. If you use Exchange Server and want to avoid the security prompts, you'll need to speak with your administrator.

Any attachment type that's executable is blocked by default. That means any attachment that the computer can run directly, and shortcuts to programs are blocked. This includes attachments with exe , scr , and pif extensions. Files such as text files ( txt ) and images ( jpg , gif ) open, but can't be run directly. You can edit Windows Registry to unblock the extensions you need to access. Refer to Hour 6, "Working with Email Attachments," to learn more.

Security in the Reading Pane

The Reading Pane is secure because it doesn't support active content. All potentially dangerous attachments are blocked (including scripts) and Outlook no longer allows iframes to display in email.

Open messages offer the same level of protection that you have with the Reading Pane, so if you like using the Reading Pane, go ahead and use it.

Many HTML elements are disabled in email, including forms, submissions, and other active content. Open the message and choose V iew, View in Internet Z one if you need to make the content. The message is displayed using the Internet Zone settings normally used for browsing the Internet.

Never lower the security settings using the T ools, O ptions, Security tab ”it's not safe to do so. If the source is trustworthy, use the V iew, View in Internet Z one menu selection when you need to reduce the security level on your email. Don't view messages from unknown sources in the Internet zone.

Understanding Web Beacons

Also known as Web bugs , Web beacons are images with a URL that includes a code to identify the email address it was sent to. Every time the image loads, the sender is informed of the email address that viewed the message. This lets the sender know that the email address is active and ripe for future mailings .

Although Web beacons are often used by spammers to verify valid email addresses, they're also used by legitimate mailers, including many newsletters and advertisers, to learn who reads the messages and which layouts or ad campaigns result in the highest levels of readership .

Although Web beacons are a popular method for spammers to track who reads their messages, they aren't the only ones who use them. Many legitimate companies who send HTML-formatted email use them to track their readers. Twice I've received messages from companies asking why I don't read their email or stating that since it appears I don't read their email, I'll be dropped from their mailing list. They didn't know I was reading the mailings; I just wasn't letting the Web beacon report back.

You can selectively show the images that are blocked by Outlook or disable Web beacon blocking for all messages from specific domains or disable it for all email you receive. Click on the InfoBar or right-click on any image placeholder in the message and select Download Pictures to display the images in an individual message (see Figure 8.3). Choose C hange Automatic Download Settings to change the global options.

You have four methods you can use to change how Outlook uses external content:

• Enable External Content Per Message ” Click on the InfoBar or right-click in the picture placeholder and choose Download P ictures.

• Enable External Content by Domain ” Allow external content from domains on the Safe Senders list or in the Internet Zone's Trusted list.

• Permit External Content for Trusted Senders ” Allow content from addresses on the Safe Senders list and in your Contacts folder to download automatically.

• Disable External Content Blocking ” Download all external content automatically. Not recommended.

Although I recommend against disabling the feature completely, trusting senders or domains is an acceptable option.

Both the Junk E-mail filter and the Web beacon feature use the Safe Senders, Safe Recipients, and Blocked Senders lists are.

In most cases, using the Safe Senders and Safe Recipients lists is preferable to changing your Internet Zone settings. Doing so gives you better security when browsing the sender's Internet site, while allowing their images and external content to display in your email.

One of the Safe Sender options is Also Trust E-mail from My C ontacts. I recommend against choosing this option for several reasons:

• Most Outlook users include a contact for themselves in the Contacts folder. Spammers are beginning to send messages to your address and using your address in the From field. This allows the external content to download because Outlook thinks it's from you, as well as prevents it from being treated as junk mail.

• Messages containing viruses that are sent from people in your Contacts folder would be trusted ”a bad move because many viruses fake their From address with addresses found on the infected computer. Although there is no known exploit that could take advantage of this feature, we don't know what the future might bring and the risk isn't worth it.

• I don't need it ”no one in my address book sends me messages containing external content and I don't add newsletter and advertisers addresses to my address book.

Clicking once per message takes a second or I can add individuals or their domains to the Safe Senders list as needed.

Recently, a spammer tried to trick me into adding his address to my address book. The message was sent from Chris and the subject mentioned he had a new email address. The only visible text in the message asked me to update his address. I was suspicious and checked the message source by right-clicking on the message body and choosing View S ource. I discovered a disclaimer in the HTML, formatted as white text so that no one would see it, and a Web beacon so that the spammer could see whether I read his message. It's a good thing I didn't fall for his trick. Adding the address to my address book would allow his messages to remain in my Inbox and the external content to display. I immediately added his domain to the Blocked Senders list.

Outlook, Outlook Express, and Internet Explorer share the security zone settings. That means when you add a domain to the trusted zone, browsing the domain's Internet site is also in the trusted zone. Use this option only when you already trust the Internet site because adding the domain to the Safe Senders list provides more protection with the least amount of hassle.

Finally, if you really don't like Outlook blocking your external content on any of your messages, you can disable the feature completely. This is not recommended; it's safer to trust senders.

After you enable external content on a message using the InfoBar, it remains enabled on that message and will download each time you view the message because external content isn't cached locally.

When you use a dial-up Internet connection and work offline, blocking external content prevents your modem from trying to dial every time you select a message.