Re: Announcing Public Availability of NoHTML for Outlook 2000/2002

From: Vesselin Bontchev (bontchev@COMPLEX.IS)
Date: 12/17/01

Date:         Mon, 17 Dec 2001 14:06:47 +0000
From: Vesselin Bontchev <bontchev@COMPLEX.IS>

At 04-12-2001 11:40, Russ wrote:

>NoHTML.dll is an Outlook Add-in designed to convert HTML-based emails into
>harmless messages. It works slightly differently for Outlook 2000 than it
>does for Outlook 2002. Does not work with Outlook 98, or any version of
>Outlook Express.

Russ did not heed my warning while this project was still in a design
phase; hopefully he will at least approve this message of mine because the
users of this product ought to be warned, otherwise they are running the
risk of being lulled into a false sense of security.

The problem comes from the fact that a COM Add-In for Outlook (which this
company I work for is developing an e-mail scanner and during our tests we
have discovered that under a heavy load (i.e., lots of e-mail messages
arriving almost simultaneously - a typical situation when some mass-mailing
worm gets berserk) a COM Add-In for Outlook can miss as much as 90% of the
traffic! (In one of our experiments it caught only 2 of the 20 messages
that arrived.) Apparently, maybe for speed reasons, when the traffic is
heavy, Microsoft has decided not to bother sending it to the COM Add-Ins first.

Again, let me emphasize, this is NOT a bug in Russ' product - his only
fault is implementing his idea as a COM Add-In for Outlook. The main blame
goes to Microsoft and their idiotic implementation of how COM Add-Ins for
Outlook are handled. No anti-virus program, no matter how well implemented,
is guaranteed to catch all the e-mail traffic, if it is implemented as a
COM Add-In for Outlook. It simply can't be done, folks! Thank you, Microsoft.

There are two other ways in which e-mail can be intercepted at the client's
machine. One of them is something called "MAPI Hooks" and it seems to work
- but, unfortunately, is no longer supported in Outlook XP. Thank you,
Microsoft. The third one is to implement the anti-virus scanner as an
Exchange client extension. As far as we could determine, this seems to work
AND is supported. Of course, judging from past experience, it probably has
some hidden flaws or Microsoft is going to drop support for it in the next
version of Outlook, sigh... :-(

Possible solutions:

1) Don't use Outlook. There are plenty of e-mail clients around that
actually work.

2) Don't rely on an e-mail scanner at the client machine. The client
machine should be protected by an on-access scanner instead, implemented as
a VxD (for Win9x and WinME) or a VDD (for WinNT, Win2K and WinXP).

3) Do the e-mail scanning at the e-mail gateway; not on the client.

Unfortunately, the conclusion from the above is that NoHTML is pretty much
useless and outward dangerous if you start relying on it. The same goes for
any other anti-virus or security product implemented as a COM Add-In for
Outlook. Beware.


Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
Postholf 7180, IS-127, Reykjavik, Iceland               producers of F-PROT.
e-mail:, tel.: +354-561-7273, fax: +354-561-7274
PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E
