The following is tip #20 from "20 Tips on securing Outlook in 20 minutes," excerpted from a chapter in Paul Robichaux's book, Secure Messaging with Microsoft Exchange Server 2003 © 2004, published by Microsoft Press.
Apart from the well-known tools discussed earlier, Outlook also has some additional security capabilities. Depending on what you're doing with Outlook, these might or might not be useful to you.
Configuring the Outlook Junk Mail Filter
Outlook's Junk Mail Filter, based on work originally done by Microsoft Research, is a very handy piece of technology. In previous versions of Outlook, Microsoft shipped some junk mail filters that did an acceptable job with the style and volume of spam that was prevalent at the time. The onslaught of spam we face now, however, calls for tougher measures. Outlook's filters are designed to provide automatic, client-side filtering that works in conjunction with the Exchange Information Store and perimeter filters. However, the Outlook filters give good results even when used against IMAP or POP accounts.
In addition to the built-in junk filter rules, which you cannot view or change, Outlook gives you another mechanism to control how mail is processed. There are three lists stored for each mailbox, either in the local PST file or the Exchange mailbox; when the lists are stored in the Exchange mailbox, they're available to the user whenever he or she logs in to Outlook or Outlook Web Access. The lists will probably sound pretty familiar:
- The Safe Senders list contains e-mail addresses and domains that the user explicitly trusts. Mail sent from one of these addresses will never be flagged as junk. For example, my Safe Senders list contains microsoft.com so that mail sent from Microsoft addresses will never be flagged as junk.
- The Safe Recipients list contains e-mail addresses and domains at which the user expects to receive mail. For users who have multiple e-mail services in a single profile, adding the Exchange mailbox's address to the Safe Recipients list prevents any mail sent to that address from being flagged as junk.
- The Blocked Senders list is for people and organizations that you don't want to receive mail from. As with the Safe Recipients list, you can add individual domains or addresses to this list. Messages whose sender address or sender domain appear on this list are flagged as junk.
If you add the same sender or domain to the Safe Senders and Blocked Senders list (either accidentally or on purpose), Outlook errs on the side of conservatism and treats the message as safe.
Working with the Junk Mail Filters
Using the Junk Mail Filter is easy: as mail arrives, it's filtered, with varying degrees of aggressiveness, into the Junk E-Mail folder. You can inspect the contents of that folder at any time, deleting messages or marking them as you see fit.
The Junk E-Mail Options dialog box is accessible from the Junk E-Mail button on the General tab. You use this dialog box primarily to control the level of aggressiveness of the Junk Mail Filter. There are four levels:
- When you choose the No Automatic Filtering radio option, blocked senders' mail is still moved to the junk folder, but the Junk Mail Filter itself is not run, so junk messages still end up in your Inbox. Because this level doesn't block inbound spam at all, it's probably not the best choice for most environments.
- The Low option is the default setting; when the Junk Mail Filter is set to this level, "obvious" junk mail is filtered. I don't know exactly what "obvious" means in this context, but this setting does a decent job of catching most spam messages that escape common perimeter filters, and it has a very low false-positive rate.
- The High option turns the Junk Mail Filter up a notch; in this mode, Outlook is much more aggressive about mail that arouses its suspicions. As the option description in the dialog box notes, though, this mode might sidetrack some legitimate mail, too, so you should check the Junk E-Mail folder frequently.
- The Safe Lists Only option is the ne plus ultra of spam filters: any inbound mail whose sender isn't on your Safe Senders or Safe Recipients list will go straight to the Junk E-Mail folder. This is a great way to limit the amount of mail you have to look at, but it will probably take a while until you get the Safe lists fleshed out enough for this mode to
- The Permanently Delete Suspected Junk E-Mail check box is dangerous but useful. When you select it, Outlook removes any message that it otherwise would store in the Junk E-Mail folder. This minimizes the amount of time you have to spend cleaning up the junk folder, but it increases the risk that Outlook will delete some mail that you really wanted it to keep. In most cases, it's safer to leave this off, but if you have high spam traffic and you're comfortable with the filtering decisions of the Junk Mail Filter in Low mode, you might want to turn this option on.
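As an added example (not code from the book or from Outlook), the decision order that the list descriptions and the four filter levels above spell out, written in Python: safe lists are consulted first and win over Blocked Senders, Blocked Senders applies at every level, and the built-in content filter, whose rules are not published, is stood in for by a caller-supplied score; the Low and High thresholds are assumed values.

```python
from dataclasses import dataclass, field

LEVELS = ("No Automatic Filtering", "Low", "High", "Safe Lists Only")
# Assumed cut-offs standing in for the opaque built-in filter; the real rules are not published.
THRESHOLD = {"Low": 0.9, "High": 0.6}


def on_list(address: str, entries: set[str]) -> bool:
    """True if the full address or its domain appears on the list (case-insensitive)."""
    address = address.lower()
    entries = {e.lower() for e in entries}
    return address in entries or address.rsplit("@", 1)[-1] in entries


@dataclass
class JunkFilter:
    level: str = "Low"                      # Outlook's default level
    safe_senders: set[str] = field(default_factory=set)
    safe_recipients: set[str] = field(default_factory=set)
    blocked_senders: set[str] = field(default_factory=set)
    permanently_delete: bool = False        # Permanently Delete Suspected Junk E-Mail

    def classify(self, sender: str, recipient: str, spam_score: float) -> str:
        """Return 'inbox', 'junk' or 'deleted' for one inbound message.

        spam_score stands in for the built-in filter's opinion (0 = clean, 1 = spam).
        """
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")
        # Safe lists are checked first and win even when the sender is also blocked.
        if on_list(sender, self.safe_senders) or on_list(recipient, self.safe_recipients):
            return "inbox"
        if on_list(sender, self.blocked_senders):
            verdict = "junk"                # applied at every level, filter on or off
        elif self.level == "No Automatic Filtering":
            verdict = "inbox"               # the filter itself is not run
        elif self.level == "Safe Lists Only":
            verdict = "junk"                # anything not on a safe list is junk
        else:
            verdict = "junk" if spam_score >= THRESHOLD[self.level] else "inbox"
        if verdict == "junk" and self.permanently_delete:
            return "deleted"                # never reaches the Junk E-Mail folder
        return verdict
```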
As with most other Outlook 2003 settings, you can use GPOs to deploy and enforce these settings for users; look under User Configuration | Administrative Templates | Microsoft Office Outlook 2003 | Tools | Options | Preferences | Junk Mail in the Outlk11.adm GPO template.
Tweaking the Safe and Blocked Lists
What about adjusting the filtering lists? To add a message sender or recipient address to the Safe Senders, Safe Recipients, or Blocked Senders lists, you have two choices: you can use the tabs in the Junk E-Mail Options dialog box to manage the lists, or you can right-click individual messages and use the Junk E-Mail command on the shortcut menu to add the sender or recipient address or domain to the appropriate list. The tabs give you a greater degree of functionality, because they also include buttons for importing and exporting their respective lists to disk files. This is handy because it provides a way to quickly clone one mailbox's settings to other mailboxes on a small scale (for larger scale cloning, read on).
Creating Standardized Filter Lists
You can easily create a standardized set of Safe Senders, Safe Recipients, and Blocked Senders lists and deploy them as part of your initial Outlook 2003 deployment. You'll need to create the lists on a test computer, then use the Export To File button in each list's tab to save the files with unique names. Once that's done, you can use the Office Custom Installation Wizard to package the lists for deployment with Outlook. As described in the Office Resource Kit section on deploying Outlook 2003, the Custom Installation Wizard allows you to individually specify files for these lists and whether you want Outlook's setup routine to overwrite existing lists or append the new list to whatever the user's already defined.
Controlling Automatic Image Downloads
One favorite trick of spammers is the use of beacons or Web bugs -- small (usually 1×1) images embedded in HTML e-mail. When the e-mail is opened, most HTML-aware e-mail clients attempt to fetch the embedded image from a server; a savvy spammer can use the Web server's logs (combined with information embedded in the message) to track information about the user who opened the message. It's very difficult to distinguish between legitimate images embedded in mail and those that serve as beacons, so Outlook 2003 helpfully defaults to not fetching any images linked to remote servers in HTML mail.
This behavior is controlled through the Change Automatic Download Settings button, which sharp-eyed readers might have noticed on the Security tab shown earlier in Figure 13-8. When you click this button, you'll see the Automatic Picture Download Settings dialog box shown in Figure 13-16; you can also open this dialog box by right-clicking an image placeholder and choosing the Change Automatic Download Settings command. The options in this dialog box are pretty straightforward:
- The Don't Download Pictures Or Other Content Automatically In HTML E-Mail check box is selected by default; when it's selected, Outlook does not load images tagged with the IMG SRC tag if they point to a remote server. However, the behavior of this check box is modified by the two following check boxes.
- The Permit Downloads In E-Mail Messages check box allows you to specify that you want images embedded in e-mail from people you trust to be downloaded. This is a handy way to bypass the default image blocking of Outlook for your mom, spouse, mailing lists, newsletters, or other sources that you trust not to spam you with Web bugs. This option is on by default.
- The Permit Downloads From Web Sites check box controls whether Outlook downloads images where the tags point to sites in the Trusted IE security zone. Enabling this option allows Outlook to automatically download images only if the IMG tag points to a site that's in the Trusted security zone. Because you should already be careful about what sites you put in that zone, this option is on by default.
- No matter what settings you apply here, Outlook will download embedded images when you forward or reply to an HTML message that contains them. This can effectively negate the protection you got in the first place, although you probably shouldn't be responding to spammers' messages anyway. The Warn Me Before Downloading Content When Editing, Forwarding, Or Replying To E-Mail check box lets you ask Outlook to warn you before you do this. It's turned off by default.
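As an added example (not Outlook's code), how the three check boxes described above combine for each remote image in a message when it is opened. The HTML message and the Trusted-zone host list are constructed for illustration, 1×1 dimensions are used as a beacon heuristic, and safe-sender entries are assumed to be stored lowercase.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
DIM_ATTR = re.compile(r"\b(width|height)\s*=\s*['\"]?(\d+)", re.IGNORECASE)


@dataclass
class PictureDownloadSettings:
    block_remote: bool = True           # Don't Download Pictures Or Other Content ...
    permit_safe_senders: bool = True    # Permit Downloads In E-Mail Messages
    permit_trusted_zone: bool = True    # Permit Downloads From Web Sites
    safe_senders: set[str] = field(default_factory=set)        # addresses or domains
    trusted_zone_hosts: set[str] = field(default_factory=set)  # IE Trusted zone hosts


def on_safe_senders(sender: str, entries: set[str]) -> bool:
    sender = sender.lower()
    return sender in entries or sender.rsplit("@", 1)[-1] in entries


def remote_images(html: str) -> list[tuple[str, bool]]:
    """(url, looks_like_beacon) for each <img> whose src is an http(s) URL.
    cid: (attached) and data: images are not remote and are skipped."""
    found = []
    for tag in IMG_TAG.findall(html):
        src = SRC_ATTR.search(tag)
        if not src or urlsplit(src.group(1)).scheme not in ("http", "https"):
            continue
        dims = {k.lower(): int(v) for k, v in DIM_ATTR.findall(tag)}
        found.append((src.group(1), dims.get("width") == 1 and dims.get("height") == 1))
    return found


def would_fetch(html: str, sender: str, s: PictureDownloadSettings) -> dict[str, bool]:
    """Per remote image URL: would Outlook fetch it when the message is opened?"""
    sender_ok = s.permit_safe_senders and on_safe_senders(sender, s.safe_senders)
    return {
        url: (not s.block_remote) or sender_ok
             or (s.permit_trusted_zone and urlsplit(url).hostname in s.trusted_zone_hosts)
        for url, _beacon in remote_images(html)
    }


# Constructed sample message: a real logo, a 1x1 beacon and an attached (cid:) image.
SAMPLE_HTML = """<html><body><p>Hello</p>
<img src="http://images.example.net/logo.png" width="120" height="40">
<img src="http://track.example.org/open?id=12345" width="1" height="1">
<img src="cid:part1@example.com"></body></html>"""
```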
Converting inbound HTML mail to plaintext
The existence of HTML mail is a sore point for many mail users, particularly those who come from a UNIX background. On one hand, HTML mail can contain pretty colors, fonts, images, and so forth. On the other hand, it takes more space to store and transfer, and scripts embedded in HTML mail can do a variety of annoying or even destructive things. Users' complaints found a sympathetic ear in the Outlook product group, so Outlook 2002 Service Pack 1 and later versions contain a feature that lets you forcibly convert all HTML mail to plaintext. Of course, this strips out all of the useful formatting, but it also renders impotent any scripts in the message, saving you from potential attacks that exploit Internet Explorer vulnerabilities. If you add a new DWORD value named ReadAsPlain to the HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail key, then give it a value of 1, Outlook converts HTML mail to plaintext, preserving embedded images as attachments. This doesn't affect signed or encrypted messages, but all other messages are updated as they're read. You can use this registry key in system policies or GPOs, as described in Microsoft Knowledge Base article 307594.
Encrypting RPC traffic
RPC traffic between Outlook and Exchange Server is already compressed, which makes it hard to read casually, but compression is not encryption. For added security (particularly for users on physically insecure links), you can force Outlook to encrypt RPC packets before they leave your computer. The encryption isn't as strong as the Windows VPN software, but you can use RPC encryption on your LAN or in conjunction with Microsoft ISA's MAPI RPC publishing feature -- both situations where VPNs would just get in the way.
This change needs to be made to each individual client, unfortunately, although it's supported by Outlook 2000 and later versions. To force Outlook to encrypt RPCs to the server, do the following:
- Launch Outlook.
- Choose the Tools | E-Mail Accounts command. Verify that View Or Change Existing E-Mail Accounts is selected, and then click Next.
- Select your Exchange e-mail account, and then click Change.
- When the Exchange Server Settings dialog box opens, click More Settings.
- In the Microsoft Exchange Server dialog box, click the Advanced tab.
- Make sure that the When Using The Network check box is set, and then click OK to return to the E-Mail Accounts wizard.
- Click Next and then click Finish.
Controlling Outlook folder home pages
Outlook 2003 carries forward a useful but scary feature first delivered in Outlook 2000: folder home pages, which make visiting a folder automatically load the Web page associated with that folder. This is particularly useful with public folders, because it allows you to associate content on an intranet (like a customer relationship management or enterprise resource planning system or other line-of-business application) with a folder. However, any scripts embedded in the page can make calls to the Outlook object model, so they can easily steal users' mail, send mail, or do a variety of other potentially undesirable things. In the normal scheme of things, this is not a huge risk. However, because anyone who can create a public folder and tie a home page to it can potentially use that ability for evil, it's a good idea to watch out.
The Outlook 2003 policy template includes a policy called Disable Folder Home Pages (under Microsoft Office Outlook 2003 | Miscellaneous | Folder Home Pages For Outlook Special Folders). When you enable this policy, it automatically blocks folder home page access for all users who are subject to the policy.
About the author: Paul Robichaux is a partner at 3sharp LLC, author of several books on Exchange, Windows, and security, a Microsoft MVP for Exchange Server, and a frequent speaker and presenter at IT industry conferences. He's written software for everyone from the U.S. National Security Agency to scientists flying their experiments aboard the Space Shuttle, fixed helicopters in the desert, and spent way too much time playing video games.