Re: Announcing Public Availability of NoHTML for Outlook 2000/2002

From: Vesselin Bontchev (bontchev@COMPLEX.IS)
Date: 12/17/01


Date:         Mon, 17 Dec 2001 14:06:47 +0000
From: Vesselin Bontchev <bontchev@COMPLEX.IS>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

At 04-12-2001 11:40, Russ wrote:

>NoHTML.dll is an Outlook Add-in designed to convert HTML-based emails into
>harmless messages. It works slightly differently for Outlook 2000 than it
>does for Outlook 2002. Does not work with Outlook 98, or any version of
>Outlook Express.

Russ did not heed my warning while this project was still in a design
phase; hopefully he will at least approuve this message of mine because the
users of this product ought to be warned, otherwise they are running the
risk of being lulled into a false sense of security.

The problem comes from the fact that a COM Add-In for Outlook (which this
product is) is NOT GUARANTEED TO SEE ALL INCOMING E-MAIL MESSAGES. The
company I work for is developing an e-mail scanner and during our tests we
have discovered that under a heavy load (i.e., lots of e-mail messages
arriving almost simultaneously - a typical situation when some mass-mailing
worm gets berserk) a COM Add-In for Outlook can miss as much as 90% of the
traffic! (In one of our experiments it caught only 2 of the 20 messages
that arrived.) Apparently, maybe for speed reasons, when the traffic is
heavy, Microsoft has decided not to bother sending it to the COM Add-Ins first.

Again, let me emphasize, this is NOT a bug in Russ' product - his only
fault is implementing his idea as a COM Add-In for Outlook. The main blame
goes to Microsoft and their idiotic implementation of how COM Add-Ins for
Outlook are handled. No anti-virus program, no matter how well implemented,
is guaranteed to catch all the e-mail traffic, if it is implemented as a
COM Add-In for Outlook. It simply can't be done, folks! Thank you, Microsoft.

There are two other ways in which e-mail can be intercepted at the client's
machine. One of them is something called "MAPI Hooks" and it seems to work
- but, unfortunately, is no longer supported in Outlook XP. Thank you,
Microsoft. The third one is to implement the anti-virus scanner as an
Exchange client extension. As far as we could determine, this seems to work
AND is supported. Of course, judging from past experience, it probably has
some hidden flaws or Microsoft is going to drop support for it in the next
version of Outlook, sigh... :-(

Possible solutions:

1) Don't use Outlook. There are plenty of e-mail clients around that
actually work.

2) Don't rely on an e-mail scanner at the client machine. The client
machine should be protected by an on-access scanner instead, implemented as
a VxD (for Win9x and WinME) or a VDD (for WinNT, Win2K and WinXP).

3) Do the e-mail scanning at the e-mail gateway; not on the client.

Unfortunately, the conclusion from the above is that NoHTML is pretty much
useless and outward dangerous if you start relying on it. The same goes for
any other anti-virus or security product implemented as a COM Add-In for
Outlook. Beware.

Regards,
Vesselin

--
Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail: bontchev@complex.is, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E

============================================================================ Delivery co-sponsored by VeriSign - The Internet Trust Company ============================================================================ Protect your servers with 128-bit SSL encryption! Get VeriSign's FREE guide, "Securing Your Web Site for Business." You will learn everything you need to know about using SSL to encrypt your e-commerce transactions for serious online security. Click here! http://www.verisign.com/cgi-bin/go.cgi?a=n016065650057000 ============================================================================



Relevant Pages

  • RE: Using Fax server with coverpage and Outlook 2003 problem
    ... Technical speaking, when we send fax with Outlook, the cover page file is ... What is your mean of "there is no option for me to use Fax Client."? ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ...
    (microsoft.public.windows.server.sbs)
  • Re: OWA and missing attachments
    ... The sender was an Exchange Outlook 2003 Client in LAN, ... If you have Trend Microsoft SMTP Gateway installed, ...
    (microsoft.public.windows.server.sbs)
  • RE: How to re-install default available client applications
    ... Thank you for posting to the SBS Newsgroup. ... assign Microsoft Office Outlook 2003 to domain users in the Assign ... Proceed to the Page of Client Applications, ... Run the Microsoft Windows Small Business Server Setup Wizard. ...
    (microsoft.public.windows.server.sbs)
  • RE: How to re-install default available client applications
    ... Thank you for posting to the SBS Newsgroup. ... assign Microsoft Office Outlook 2003 to domain users in the Assign ... Proceed to the Page of Client Applications, ... Run the Microsoft Windows Small Business Server Setup Wizard. ...
    (microsoft.public.windows.server.sbs)
  • RE: Can fax from Outlook but not from Outlook Web Access
    ... send fax as email in OWA. ... In Outlook, on the File menu, point to New, and then click Mail Message. ... software, the Fax client then send the fax to SBS Fax services, and then ... Microsoft Windows Small Business Server 2003 enables you to send a fax as ...
    (microsoft.public.windows.server.sbs)