Guarding Against Email Viruses


Until just a few years ago, the primary method that computer viruses used to propagate themselves was the floppy disk. A user with an infected machine would copy some files to a floppy, and the virus would surreptitiously add itself to the disk. When the recipient inserted the disk, the virus copy would come to life and infect yet another computer.

When the Internet became a big deal, viruses adapted and began propagating either via malicious websites or via infected program files downloaded to users' machines.

Over the past few years, however, by far the most productive method for viruses to replicate has been the humble email message. Melissa, I Love You, BadTrans, Sircam, Klez. The list of email viruses and Trojan horses is a long one, but they all operate more or less the same way: they arrive as a message attachment, often from someone you know. When you open the attachment, the virus infects your computer and then, without your knowledge, uses Outlook and your address book to ship out messages with more copies of itself attached. The nastier versions will also mess with your computer, including deleting data and corrupting files.

You can avoid getting infected by one of these viruses by implementing a few common-sense procedures:

  • Never open an attachment that comes from someone you don't know.

  • Even if you know the sender, if the attachment isn't something you're expecting, assume the sender's system is infected. Write back and confirm that he or she sent the message.

  • Some viruses come packaged as scripts that are hidden within messages that use the Rich Text or HTML formats. This means that the virus can run just by your viewing the message! If a message looks suspicious, don't open it, just delete it. (Note that you'll need to turn off the Outlook Reading pane before deleting the message. Otherwise, when you highlight the message, it will appear in the Reading pane and set off the virus. Select View, Reading Pane, Off.)

  • Install a top-of-the-line antivirus program, particularly one that checks incoming email. Also, be sure to keep your antivirus program's virus list up-to-date. As you read this, there are probably dozens, maybe even hundreds, of morally challenged scumnerds designing even nastier viruses. Regular updates will help you keep up.

Checking Antivirus Compatibility

Most major antivirus programs integrate well with Office 2003, meaning that the programs automatically run a virus scan on all Word, Excel, and PowerPoint documents that you open. To check whether your antivirus software integrates with Office, select Tools, Macro, Security in Word, Excel, or PowerPoint to open the Security dialog box. You'll know that your antivirus program is compatible with Office if you see the following message near the bottom of the Security Level tab:

     Virus scanner(s) installed 


Besides these general procedures, Outlook also comes with its own set of virus-protection features. The next few sections show you how to use them.

Working with Security Zones

When implementing security for Internet Explorer, Microsoft realized that different sites have different security needs. For example, it makes sense to have fairly stringent security for Internet sites, but you can probably scale the security back a bit when browsing pages on your corporate intranet.

The way Internet Explorer handles security is to classify web pages according to different security zones. Each zone is a collection of web pages that implements a common security level. From the perspective of Outlook, you use the security zones to determine whether active content inside an HTML-format message is allowed to run.

Checking the Outlook Security Zone

To check your Outlook security zone setting, follow these steps:

1. Select Tools, Options to display the Options dialog box.

2. Select the Security tab.

3. In the Zone list, you have two choices:

  • Internet Zone: If you choose this zone, active content is allowed to run.

  • Restricted Sites Zone: If you choose this option, active content is disabled. This is the default setting and it's the one I recommend.

4. Click OK.

Changing a Zone's Security Level

To change the security level for a zone, display the Security tab and then click the Zone Settings button. When Outlook warns you that you're about to change security settings, click OK to display the Security dialog box. In the Select a Web Content Zone to Specify Its Security Settings list, select the zone you want to work with, then use the Security Level for This Zone slider to set the level. (If you don't see this slider, click Default Level.) To set up your own security settings, click Custom Level to display the Security Settings dialog box, which provides you with a long list of possible security issues. Your job is to specify how you want to handle each issue. You usually have three choices: Disable (security is turned on), Enable (security is turned off), or Prompt (you're asked how you want to handle the issue).


Viewing a Restricted Message Using the Internet Zone

The Restricted Sites zone blocks ActiveX controls, scripts, and other potentially unsafe content in HTML messages. Considering that such content is rarely required in an email message, you shouldn't feel like you're missing much when you use the Restricted Sites zone with Outlook. However, that doesn't mean that ActiveX controls and scripts are never useful in an email. Some data require active content, so you may occasionally get an email that doesn't display properly because of the Restricted Sites zone's proscriptions. Fortunately, you don't have to abandon the security of the Restricted Sites zone to view the active content of the occasional message. Instead, you can ask Outlook to view the message using the Internet Zone, which does allow active content. Here's how you do this:

1. Double-click the message to open it in its own window.

2. Select View, View in Internet Zone. Outlook displays the warning shown in Figure 15.1.

Figure 15.1. When you select the View in Internet Zone command, Outlook displays this warning message.

3. If you are absolutely certain that the message is safe, click Yes to allow the active content to run; if you have even the smallest doubt about the message's active content, click No.

Disabling HTML and Rich Text

Using the Restricted Sites zone gives you a high level of email security, but does it make email completely safe? I'd really like to be able to tell you that it does, but if the Internet's relatively short history tells us anything, it's that virus writers and other online miscreants always find a way around even the toughest restrictions. So even though I can't even imagine how someone would break through the Restricted Sites zone's barriers, I'm paranoid enough to believe that someday someone will do it.

If you're as paranoid as I am, you need to augment the Restricted Sites settings with the highest level of protection possible: plain text. That is, you need to tell Outlook to eschew HTML and Rich Text formatting and, instead, display all your messages using plain text: no fancy fonts, no colors, no HTML tags, no images, no sounds: just simple, unadorned text where no virus or other malicious content can hide. Here are the steps to follow:

1. Select Tools, Options to display the Options dialog box.

2. In the Preferences tab, click E-mail Options.

3. Activate the Read All Standard Mail in Plain Text check box.

4. If you also want to view digitally signed messages as text-only, activate the Read All Digitally Signed Mail in Plain Text check box.

5. Click OK.

When you receive an HTML or Rich Text message, Outlook converts the message to plain text when you view it either in the Reading pane or in its own window, as shown in Figure 15.2. Notice that the Information pane includes the following message:

 This message was converted to plain text. 

Figure 15.2. When you view an HTML or Rich Text message, Outlook converts it to plain text.


Changing the Plain Text Font

The default plain text font is 10-point Courier New, which isn't particularly attractive as fonts go. To change the plain text font, select Tools, Options, display the Mail Format tab, and then click Fonts. Beside the When Composing and Reading Plain Text box, click Choose Font and then use the Font dialog box to select the font you prefer.


Note that this conversion is for display purposes only. The original message remains in its original format in your Inbox. To prove this for yourself, you can easily view the original formatting by clicking the Information pane and then clicking Display as HTML (refer to Figure 15.2). Outlook converts the message to its original format, as shown in Figure 15.3.

Figure 15.3. Click the Information pane and then click Display as HTML to view the message using its original formatting.


Handling Attachments

It is sobering to contemplate the billions of dollars and hundreds of thousands of man-hours lost because of major virus outbreaks over the past few years. It is saddening to realize that almost all of those outbreaks were started and escalated by a simple action repeated thousands of times: opening an email attachment. For Microsoft, it was no doubt frightening to realize that most of the damage was caused by Outlook users because, in most cases, these viruses took advantage of security holes to not only infect each user's PC, but also to pass along copies of the virus to other users.

Chastened by all of this, Microsoft designed Outlook 2003 with a grim determination to avoid similar problems. Most drastically, Microsoft identified around 70 file types that could potentially cause problems as attachments, and then simply disallowed the opening of those file types. Note that Microsoft didn't merely make it inconvenient to open these file types; no, they made it impossible without high-level tweaks (that I'll show you a bit later). If someone sends you, for instance, a file with the .exe extension (an executable file), Outlook displays the following message in the Information pane:

 Outlook blocked access to the following potentially unsafe attachments: filename 

Here, filename is the name of the blocked file. If you select the File, Save Attachments command, the blocked file does not appear in the submenu. There is, in short, no way to view, open, or save the attachment.

Table 15.1 runs through all the file types and their associated extensions that Outlook 2003 blocks.

Table 15.1. File Extensions Blocked by Outlook on Incoming Attachments

Extension     File Type
.ade          Access Project Extension
.adp          Access Project
.app          Executable Application
.asp          Active Server Page
.bas          BASIC Source Code
.bat          Batch File
.cer          Internet Security Certificate
.chm          Compiled HTML Help
.cmd          Command File for Windows NT
.com          Command File
.cpl          Windows Control Panel Extension
.crt          Security Certificate
.csh          Unix C Shell Script
.exe          Executable File
.fxp          FoxPro Compiled Source
.hlp          Windows Help File
.hta          Hypertext Application
.inf          Information or Setup File
.ins          IIS Internet Communications Settings
.isp          IIS Internet Service Provider Settings
.its          Internet Document Set
.js           JavaScript Source Code
.jse          JScript Encoded Script File
.ksh          Unix Korn Shell Script
.lnk          Windows Shortcut File
.mad          Access Module Shortcut
.maf          Access Form Shortcut
.mag          Access Diagram Shortcut
.mam          Access Macro Shortcut
.maq          Access Query Shortcut
.mar          Access Report Shortcut
.mas          Access Stored Procedures
.mat          Access Table Shortcut
.mau          Media Attachment Unit
.mav          Access View Shortcut
.maw          Access Data Access Page
.mda          Access Add-in
.mdb          Access Application, Access Database
.mde          Access MDE Database File
.mdt          Access Add-in Data
.mdw          Access Workgroup Information
.mdz          Access Wizard Template
.msc          Microsoft Management Console Snap-in Control File
.msi          Windows Installer File
.msp          Windows Installer Patch
.mst          Windows SDK Setup Transform Script
.ops          Office Profile Settings File
.pcd          Visual Test Script
.pif          Windows Program Information File
.prf          Windows System File
.prg          Program File
.pst          Outlook Personal Folder File
.reg          Registry Data File
.scf          Windows Explorer Command
.scr          Windows Screen Saver
.sct          Windows Script Component, FoxPro Screen
.shb          Windows Shortcut into a Document
.shs          Shell Scrap Object File
.tmp          Temporary File/Folder
.url          Internet Uniform Resource Locator
.vb           VBScript File, Visual Basic Source
.vbe          VBScript Encoded Script File
.vbs          VBScript Script, VBA Script
.vsmacros     Visual Studio .NET Binary-based Macro Project
.vss          Visio Stencil
.vst          Visio Template
.vsw          Visio Workspace File
.ws           Windows Script File
.wsc          Windows Script Component
.wsf          Windows Script File
.wsh          Windows Script Host Settings File


There is, to be sure, much that is potentially dangerous in Table 15.1, but also much that is potentially useful: Registry files, screen savers, Access databases, and batch files, to name just a few. How do you sneak such files past Outlook in cases where you know the files are safe? Here are some ideas:

  • Compress the file into a ZIP archive. The .zip extension isn't blocked by Outlook, so your recipient can easily open or save the archive and then extract the original file.

  • Rename the file's extension to one that isn't listed in Table 15.1. For example, rename script.wsh to script.wsh.delete. When your recipient saves the attachment, he or she can remove the extra extension to restore the original filename.

  • If you have a website, put a copy of the file on the site and then send the file's URL in the message instead of the file itself.

  • If you're working on a network, put a copy of the file in a shared network folder and then put the folder's network address in your message instead of attaching the file.

Virus-Check the Files!

No matter how you fool or bypass Outlook's attachment security, you still need to be smart about the attachments themselves. That is, always scan the files for viruses before opening them.


If you regularly get attachments of a certain file type, the preceding solutions may be more of a hassle than they're worth. Fortunately, there is a Registry tweak you can perform that enables you to specify one or more extensions that Outlook should open with less paranoia. Notice that I didn't say with no paranoia; even with the tweak, you still have a hurdle or two to jump through. To see why, first understand that the file types in Table 15.1 are what Microsoft calls Level 1 file types. With Level 1, you don't get access to the files, period. However, Microsoft also defines Level 2 file types. With these file types, you can access them as attachments, but only by first saving the files to your hard disk. That is, you can't open the files directly from the message. The assumption here is that saving the files to your hard disk gives you the opportunity to virus-check the files before opening them.

To specify a file type as Level 2 (there are no default Level 2 file types in Outlook 2003), follow these steps:

1. Open the Registry Editor.

For detailed information on using the Registry and the Registry Editor, see Appendix A, "Working with the Windows Registry," p. 507

2. Navigate to the following key:

 HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security

3. Select Edit, New, String Value.

4. Type Level1Remove and press Enter.

5. Press Enter to open the Level1Remove setting.

6. Type the extension of each file type you want to move to Level 2, separated by semicolons. For example, the following string moves the Registry Data File, Screen Saver, and Access Database file types to Level 2:

 .reg;.scr;.mdb

7. Shut down and restart Outlook to put the new setting into effect.

When you attempt to open a Level 2 file type attachment from a message, Outlook displays the warning dialog box shown in Figure 15.4. You need to click the Save to Disk button to save the attachment to your hard disk before you can open it.

Figure 15.4. You can work with Level 2 file types, but you must save them to your hard disk before you can open them.
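
The attachment rules described in this section, modeled as an added example (not Outlook's own code and not from the book): it classifies each attachment name against Table 15.1 and a Level1Remove string, and notes where the renaming and ZIP workarounds listed above carry a Level 1 type past a name-only check, which is why scanning before opening still matters. The function names, verdict labels, and sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Level 1 extensions, copied from Table 15.1.
LEVEL1 = set("""
.ade .adp .app .asp .bas .bat .cer .chm .cmd .com .cpl .crt .csh .exe .fxp
.hlp .hta .inf .ins .isp .its .js .jse .ksh .lnk .mad .maf .mag .mam .maq
.mar .mas .mat .mau .mav .maw .mda .mdb .mde .mdt .mdw .mdz .msc .msi .msp
.mst .ops .pcd .pif .prf .prg .pst .reg .scf .scr .sct .shb .shs .tmp .url
.vb .vbe .vbs .vsmacros .vss .vst .vsw .ws .wsc .wsf .wsh
""".split())

def parse_level1_remove(value):
    """Parse '.reg;.scr;.mdb' into a set (assumption: the dot is optional)."""
    parts = (p.strip().lower() for p in value.split(";"))
    return {p if p.startswith(".") else "." + p for p in parts if p}

def extensions(name):
    """Every dot-suffix of a file name, lowercased, final extension last."""
    return ["." + p.lower() for p in name.split(".")[1:] if p]

def classify(name, data, level1_remove):
    """Return (verdict, notes) for one attachment under the page's rules."""
    exts = extensions(name)
    last = exts[-1] if exts else ""
    verdict = ("allowed" if last not in LEVEL1 else
               "level2-save-first" if last in level1_remove else "level1-blocked")
    # Renaming workaround: a Level 1 extension sits before the final one.
    notes = [f"inner extension {e}" for e in exts[:-1] if e in LEVEL1]
    # ZIP workaround: the archive name passes, so check the member names.
    if last == ".zip" and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                inner = extensions(member.rsplit("/", 1)[-1])
                if inner and inner[-1] in LEVEL1:
                    notes.append(f"archive member {member}")
    return verdict, notes

def inspect_message(raw, level1_remove_value=""):
    """Classify every attachment of a raw RFC 5322 message by file name."""
    removed = parse_level1_remove(level1_remove_value)
    msg = message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        results[name] = classify(name, part.get_payload(decode=True) or b"", removed)
    return results

def build_sample():
    """Constructed sample message; every attachment body is inert filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("run.bat", "rem constructed sample")
        zf.writestr("readme.txt", "constructed sample")
    msg = EmailMessage()
    msg.set_content("See attached.")
    for name, body in [("setup.exe", b"x"), ("settings.reg", b"x"),
                       ("script.wsh.delete", b"x"), ("notes.txt", b"x"),
                       ("tools.zip", buf.getvalue())]:
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Calling `inspect_message(build_sample(), ".reg;.scr;.mdb")` returns a dict keyed by attachment name: the `.reg` file comes back as `level2-save-first`, while the renamed script and the ZIP are `allowed` with a note attached.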


Controlling Third-Party Access to Your Contacts

One of the biggest reasons that some recent email viruses have done such damage is that they've found a powerful new way to propagate themselves: they access the user's Contacts list and use it to send out dozens of new messages, each with its own infected file attached. In fact, it's not at all hard to access the Contacts list programmatically. Listing 15.1 shows a short bit of VBA code that does just that.

This Chapter's Examples

You'll find Outlook code used as examples in this chapter on my website at www.mcfedries.com/OfficeGurus.


Listing 15.1. A Procedure That Accesses the Outlook Contacts List from Another Application
    Sub AccessOutlookAddressBook()
        Dim ol As Outlook.Application ' Outlook Automation object
        Dim ns As Namespace           ' Outlook NameSpace object
        Dim addr As AddressEntry      ' Outlook AddressEntry object
        '
        ' Establish a connection and log on to Outlook
        '
        Set ol = CreateObject("Outlook.Application")
        Set ns = ol.GetNamespace("MAPI")
        ns.Logon
        '
        ' Grab the first Contacts address
        ' This is where the Address Book security kicks in
        '
        Set addr = ns.AddressLists("Contacts").AddressEntries(1)
        '
        ' Display the name and address
        '
        MsgBox "The first Contacts entry is " & _
                addr.Name & " <" & addr.Address & ">"
        '
        ' Log off the session and clear the objects
        '
        ns.Logoff
        Set addr = Nothing
        Set ns = Nothing
        Set ol = Nothing
    End Sub

Referencing the Outlook Object Library

For the code in Listing 15.1 to work, your VBA project must include a reference to Outlook's object library. To set up that reference, select Tools, References to display the References dialog box. In the Available References list, activate the check box beside Microsoft Outlook 11.0 Object Library, and then click OK.


In Outlook 2003 (as well as older versions of Outlook with the E-mail Security Update installed), programmatic access to Contacts isn't forbidden (many legitimate applications require it), but it is monitored. When Outlook detects a script accessing any AddressList object, it immediately displays the dialog box shown in Figure 15.5. You now have two choices:

  • If you're not running any applications that require access to your Contacts list, some funny business is almost certainly going on, so you should click No to prevent access.

  • If you know the access is legitimate, activate the Allow Access For check box, select a time value in the list, and then click Yes.

Figure 15.5. Outlook enables you to control whether a script can access your Contacts list.


Other Ways to Trigger the Warning

If you're writing VBA code or running third-party applications, you should know that a few other VBA techniques also trigger the warning dialog box shown in Figure 15.5. For example, if your code uses the Body or HTMLBody properties of a message, the warning appears because some malicious code uses these properties to extract addresses from the body text of stored messages. Similarly, the warning appears if the WordEditor and HTMLEditor properties are used, because these return the Word document object model and the HTML document object model, respectively, both of which can be used to compromise security.


Controlling Third-Party Access to Sending Messages

It's still possible for a virus or script to propagate itself without accessing your Contacts list. For example, it might have its own database of addresses. For that reason, Outlook also guards against third-party scripts that send messages. Listing 15.2 shows such a procedure, which you can run from Word, Excel, or PowerPoint.

Listing 15.2. A Procedure That Sends an Email Message from Another Application
    Sub SendMessage()
        Dim ol As Outlook.Application ' Outlook Automation object
        Dim ns As Namespace           ' Outlook NameSpace object
        Dim mi As MailItem            ' Outlook MailItem object
        '
        ' Establish a connection and log on to Outlook
        '
        Set ol = CreateObject("Outlook.Application")
        Set ns = ol.GetNamespace("MAPI")
        ns.Logon
        '
        ' Create a new message
        '
        Set mi = ol.CreateItem(olMailItem)
        '
        ' Add a recipient without using Contacts
        '
        mi.To = "blah@yadda.com"
        mi.Subject = "Just Testing"
        '
        ' Send it
        ' This is where the Send security kicks in
        '
        mi.Send
        '
        ' Log off the session
        '
        ns.Logoff
        Set mi = Nothing
        Set ns = Nothing
        Set ol = Nothing
    End Sub

As with access to the Contacts list, third-party sending requires your permission, so Outlook displays the dialog box shown in Figure 15.6. Again, click Yes to allow the send or click No to block it.

Figure 15.6. Outlook enables you to control whether a third-party script can send a message.




Tricks of the Microsoft Office Gurus
ISBN: 0789733692
EAN: 2147483647
Year: 2003
Pages: 129
