Configuring the Microsoft Outlook Junk Mail Filter
Outlook's Junk Mail Filter, based on work originally done by Microsoft Research, is a very handy piece of technology. In previous versions of Outlook, Microsoft shipped some junk mail filters that did an acceptable job with the style and volume of spam that was prevalent at the time. The onslaught of spam we face now, however, calls for tougher measures. Outlook's filters are designed to provide automatic, client-side filtering that works in conjunction with the Exchange Information Store (as described in Chapter 8, "SMTP Relaying and Spam Control") and perimeter filters. However, the Outlook filters give good results even when used against IMAP or POP accounts.
Note: The Outlook Junk Mail Filter works for IMAP, POP, Hotmail, HTTP, and Exchange accounts. However, Exchange filtering only works when you use cached Exchange mode or delivery to a personal folder store (PST); the filters do not work with Exchange's online mode, and they don't work with third-party MAPI connectors like those from Bynari or Oracle. That raises an interesting issue, which I'll get to in a minute.
In addition to the built-in junk filter rules, which you cannot view or change, Outlook gives you another mechanism to control how mail is processed. There are three lists stored for each mailbox, either in the local PST file or the Exchange mailbox; when the lists are stored in the Exchange mailbox, they're available to the user whenever he or she logs in to Outlook or Outlook Web Access. The lists will probably sound pretty familiar:
If you add the same sender or domain to the Safe Senders and Blocked Senders list (either accidentally or on purpose), Outlook errs on the side of conservatism and treats the message as safe.
Working with the Junk Mail Filters
Using the Junk Mail Filter is easy: as mail arrives, it's filtered, with varying degrees of aggressiveness, into the Junk Email folder. You can inspect the contents of that folder at any time, deleting messages or marking them as you see fit.
The Junk Email Options dialog box (see Figure 13-14) is accessible from the Junk Email button on the General tab. You use this dialog box primarily to control the level of aggressiveness of the Junk Mail Filter. There are four levels:
Figure 13-14 The Junk Email Options dialog box.
As with most other Outlook 2003 settings, you can use GPOs to deploy and enforce these settings for users; look under User Configuration | Administrative Templates | Microsoft Office Outlook 2003 | Tools | Options | Preferences | Junk Mail in the Outlk11.adm GPO template.
Tweaking the safe and blocked lists
What about adjusting the filtering lists? To add a message sender or recipient address to the Safe Senders, Safe Recipients, or Blocked Senders lists, you have two choices: you can use the tabs in the Junk E- Mail Options dialog box to manage the lists, or you can right-click individual messages and use the Junk Email command on the shortcut menu to add the sender or recipient address or domain to the appropriate list. The tabs give you a greater degree of functionality, because they also include buttons for importing and exporting their respective lists to disk files. This is handy because it provides a way to quickly clone one mailbox's settings to other mailboxes on a small scale (for larger scale cloning, read on).
Creating standardized filter lists for Microsoft Outlook
You can easily create a standardized set of Safe Senders, Safe Recipients, and Blocked Senders lists and deploy them as part of your initial Outlook 2003 deployment. You'll need to create the lists on a test computer, then use the Export To File button in each list's tab to save the files with unique names. Once that's done, you can use the Office Custom Installation Wizard to package the lists for deployment with Outlook. As described in the Office Resource Kit section on deploying Outlook 2003, the Custom Installation Wizard allows you to individually specify files for these lists and whether you want Outlook's setup routine to overwrite existing lists or append the new list to whatever the user's already defined.
Controlling automatic image downloads in Microsoft Outlook
One favorite trick of spammers is the use of beacons or Web bugs—small (usually 1×1) images embedded in HTML email. When the email is opened, most HTML-aware email clients attempt to fetch the embedded image from a server; a savvy spammer can use the Web server's logs (combined with information embedded in the message) to track information about the user who opened the message. It's very difficult to distinguish between legitimate images embedded in mail and those that serve as beacons, so Outlook 2003 helpfully defaults to not fetching any images linked to remote servers in HTML mail. Figure 13-15 shows what an inbound HTML message looks like with these images turned off; users can always restore the images by right- clicking one of the placeholders and selecting the Download Pictures command.
Figure 13-15 Outlook 2003 doesn't display inline images by default.
This behavior is controlled through the Change Automatic Download Settings button, which sharp-eyed readers might have noticed on the Security tab shown earlier in Figure 13-8. When you click this button, you'll see the Automatic Picture Download Settings dialog box shown in Figure 13-16; you can also open this dialog box by right-clicking an image placeholder and choosing the Change Automatic Download Settings command. The options in this dialog box are pretty straightforward:
Figure 13-16 Changing picture download settings.
Converting inbound HTML email to plaintext in Microsoft Outlook
The existence of HTML mail is a sore point for many mail users, particularly those who come from a UNIX background. On one hand, HTML mail can contain pretty colors, fonts, images, and so forth. On the other hand, it takes more space to store and transfer, and scripts embedded in HTML mail can do a variety of annoying or even destructive things. Users' complaints found a sympathetic ear in the Outlook product group, so Outlook 2002 Service Pack 1 and later versions contain a feature that lets you forcibly convert all HTML mail to plaintext. Of course, this strips out all of the useful formatting, but it also renders impotent any scripts in the message, saving you from potential attacks that exploit Internet Explorer vulnerabilities. If you add a new DWORD value named ReadAsPlain to the HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail key, then give it a value of 1, Outlook converts HTML mail to plaintext, preserving embedded images as attachments. This doesn't affect signed or encrypted messages, but all other messages are updated as they're read. You can use this registry key in system policies or GPOs, as described in Microsoft Knowledge Base article 307594.
Encrypting RPC traffic in Microsoft Outlook
RPC traffic between Outlook and Exchange Server is already compressed, and it's mostly unintelligible anyway. However, for added security (particularly for users who are using physically insecure links), you can force Outlook to encrypt RPC packets before they leave your computer. The encryption isn't as strong as the Windows VPN software, but you can use RPC encryption on your LAN or in conjunction with Microsoft ISA's MAPI RPC publishing feature—both situations where VPNs would just get in the way.
This change needs to be made to each individual client, unfortunately, although it's supported by Outlook 2000 and later versions. To force Outlook to encrypt RPCs to the server, do the following:
- Launch Outlook.
- Choose the Tools | Email Accounts command. Verify that View Or Change Existing Email Accounts is selected, and then click Next.
- Select your Exchange email account, and then click Change.
- When the Exchange Server Settings dialog box opens, click More Settings.
- In the Microsoft Exchange Server dialog box, click the Advanced tab.
- Make sure that the When Using The Network check box is set, and then click OK to return to the Email Accounts wizard.
- Click Next and then click Finish.
Outlook 2003 continues Outlook's provision of a useful but scary feature first delivered in Outlook 2000: the ability to use folder home pages so that visiting a folder automatically loads the Web page associated with that folder. This is particularly useful when used with public folders, because it allows you to associate content on an intranet (like a customer relationship management or enterprise resource planning system or other line-of-business application) with a folder. However, any scripts embedded in the page can make calls to the Outlook object model, so they can easily steal users' mail, send mail, or do a variety of other potentially undesirable things. In the normal scheme of things, this is not a huge risk. However, because anyone who can create a public folder and tie a home page to it can potentially use that ability for evil, it's a good idea to watch out.
The Outlook 2003 policy template includes a policy called Disable Folder Home Pages (under Microsoft Office Outlook 2003\Miscellaneous\Folder home pages for Outlook special folders). When you enable this policy, it automatically blocks folder home page access for all users who are subject to the policy.
8 tips in 8 minutes: A Microsoft Outlook email security tutorial
Tip 1: An overview of Microsoft Outlook email security features
Tip 2: Customizing the Microsoft Outlook Security Update
Tip 3: Customizing Outlook email security settings for end users
Tip 4: Setting up RPC over HTTP for Microsoft Outlook
Tip 5: Using S/MIME in Microsoft Outlook
Tip 6: Using Information Rights Management in Microsoft Outlook
Tip 7: Reaching into Microsoft Outlook's email security toolbox
Tip 8: Related resources on Microsoft Outlook email security
|This chapter is an excerpt from Secure Messaging with Microsoft Exchange 2003 by Paul Robichaux, copyright 2004, published by Microsoft Press.|
This was first published in May 2007