Spammers who send pornographic pictures in the hope of enticing the recipient into signing up to an adult Web site have discovered a way to bypass Outlook 2003's security features, which are designed to stop potentially offensive content being automatically displayed in the preview window.
The latest version of Microsoft's Outlook was built with a relatively sophisticated spam filter, but as the product's first birthday approaches, spammers are finding new ways to ensure that their unsolicited messages go undetected.
In order to help fight spam, Microsoft armed Outlook 2003 with a Bayesian filter, which tries to recognise unsolicited messages by examining the words used and, depending on the frequency of certain key words, calculating the probability of that e-mail being spam.
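The word-frequency scoring the article describes is a naive Bayes classifier. The following is an added example (not Microsoft's filter or any code from the article) with a constructed, deliberately tiny training corpus; it also shows the failure mode the rest of the article turns on: a message whose only words are inside an image gives the filter nothing to score, so the result falls back to the prior.

```python
"""Word-frequency (naive Bayes) spam scoring, the idea behind the Outlook 2003
filter described above. Added example: the corpus is constructed and tiny."""
import math
import re
from collections import Counter

# Constructed training data, not real mail.
SPAM_DOCS = [
    "click here to sign up for adult pictures free",
    "free adult site sign up now click",
    "hot pictures free click here",
]
HAM_DOCS = [
    "meeting moved to tuesday please confirm",
    "attached the report we discussed in the meeting",
    "can you confirm the tuesday schedule",
]

WORD_RE = re.compile(r"[a-z]+")


def tokenize(text):
    """Lower-case alphabetic tokens; punctuation and digits are dropped."""
    return WORD_RE.findall(text.lower())


class BayesFilter:
    def __init__(self, spam_docs, ham_docs, alpha=1.0):
        self.alpha = alpha  # Laplace smoothing so an unseen word never zeroes a class
        self.spam_counts, self.ham_counts = Counter(), Counter()
        for doc in spam_docs:
            self.spam_counts.update(tokenize(doc))
        for doc in ham_docs:
            self.ham_counts.update(tokenize(doc))
        self.vocab_size = len(set(self.spam_counts) | set(self.ham_counts))
        self.spam_total = sum(self.spam_counts.values())
        self.ham_total = sum(self.ham_counts.values())
        n = len(spam_docs) + len(ham_docs)
        self.log_prior_spam = math.log(len(spam_docs) / n)
        self.log_prior_ham = math.log(len(ham_docs) / n)

    def _log_likelihood(self, word, counts, total):
        # P(word | class) with additive smoothing over the shared vocabulary
        return math.log((counts[word] + self.alpha) /
                        (total + self.alpha * self.vocab_size))

    def spam_probability(self, text):
        """P(spam | words): summed in log space, then normalised."""
        log_spam, log_ham = self.log_prior_spam, self.log_prior_ham
        for word in tokenize(text):
            log_spam += self._log_likelihood(word, self.spam_counts, self.spam_total)
            log_ham += self._log_likelihood(word, self.ham_counts, self.ham_total)
        m = max(log_spam, log_ham)  # shift before exp() to avoid underflow
        p_spam = math.exp(log_spam - m)
        p_ham = math.exp(log_ham - m)
        return p_spam / (p_spam + p_ham)


FILTER = BayesFilter(SPAM_DOCS, HAM_DOCS)


def score(text):
    """Spam probability for one message body under the constructed model."""
    return FILTER.spam_probability(text)


if __name__ == "__main__":
    for sample in ("free adult pictures click here",
                   "please confirm the meeting tuesday",
                   ""):  # empty body: the words the filter would score are in a picture
        print(f"{sample!r:40} -> {score(sample):.3f}")
```

With the constructed corpus the two text samples score near 1.0 and near 0.0, while the empty body scores exactly 0.5 (the class prior), which is why a mail with its text rendered into an attached picture sails past a purely word-based filter.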
The company also improved on previous versions of Outlook by allowing users to choose if an HTML email should be allowed to access the Internet and download content. This gives the user a chance to prevent the pornography from ever reaching his or her PC.
However, John Cheney, chief executive of email-security firm BlackSpider Technologies, explained that one of the growing trends is for spammers to attach a pornographic image file to their emails and then use HTML code to display the attached image. This means that Outlook doesn't need to access the Internet before displaying the picture.
"Historically, spammers have been able to get the emails through by incorporating a link to the file. This is a change in tactic and we've been seeing a lot more of it recently," Cheney said.
Simon McNally, systems engineer at anti-spam firm Borderware, said the bonus for spammers is that they can now create an image that also displays words or a Web address that would otherwise have been intercepted by the spam filter.
"There are hardly any words in the body of the email because they are in the picture itself. This is very hard to track," said McNally.
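The tactic Cheney and McNally describe is a multipart/related message whose HTML body references an attached picture by `cid:` rather than by URL. A mail gateway can tell the two apart and flag the combination of an inline image with almost no visible text. The following detection logic is an added example, not code from BlackSpider, Borderware or Microsoft; the sample message is constructed, the image bytes are a placeholder rather than a real picture, and the 20-word threshold is an assumed tuning value.

```python
"""Flag HTML mail whose visible text lives in an attached (cid:) image.
Added example; the sample message below is constructed, not real mail."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser

IMG_SRC_RE = re.compile(r"<img[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


class _TextExtractor(HTMLParser):
    """Collects the text a user would actually see rendered."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def visible_words(html):
    parser = _TextExtractor()
    parser.feed(html)
    return re.findall(r"[A-Za-z']+", " ".join(parser.chunks))


def classify_images(msg):
    """Split <img> sources into attached (cid:) and external (URL) references."""
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return [], [], []
    html = html_part.get_content()
    inline, external = [], []
    for src in IMG_SRC_RE.findall(html):
        if src.lower().startswith("cid:"):
            inline.append(src[4:])
        else:
            external.append(src)
    return visible_words(html), inline, external


def image_attachments(msg):
    """Map Content-ID -> decoded size for every image/* part in the message."""
    found = {}
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            cid = str(part.get("Content-ID", "")).strip("<>")
            if cid:
                found[cid] = len(part.get_payload(decode=True))
    return found


def analyze(raw_bytes, min_words=20):
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    words, inline, external = classify_images(msg)
    attached = image_attachments(msg)
    # A cid: reference only counts if a matching attachment actually exists.
    resolved = [cid for cid in inline if cid in attached]
    verdict = "inline-image-only" if resolved and len(words) < min_words else "ok"
    return {"words": len(words), "inline_images": resolved,
            "external_images": external, "verdict": verdict}


def build_sample(kind="inline"):
    """Construct a test message (not real mail). kind='inline' attaches the
    picture and references it by cid:; kind='external' links it from the web."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "hi"
    msg.set_content("Hi!")
    if kind == "inline":
        html = '<html><body><p>Hi!</p><img src="cid:pic1@example.invalid"></body></html>'
        msg.add_alternative(html, subtype="html")
        msg.get_payload()[1].add_related(
            b"\x89PNG placeholder bytes",  # placeholder, not a real image
            maintype="image", subtype="png", cid="<pic1@example.invalid>")
    else:
        html = '<html><body><p>Hi!</p><img src="http://example.invalid/pic1.gif"></body></html>'
        msg.add_alternative(html, subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    for kind in ("inline", "external"):
        print(kind, analyze(build_sample(kind)))
```

The external case is the one Outlook 2003's "don't download external content" setting already covers; the inline case is what that setting cannot see, so a gateway has to score the combination of text volume and attached images itself.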
But McNally points out that because the spammers now have to send an image file, they use more bandwidth and so the same volume of spam costs more and takes longer.
Another disadvantage for spammers is that they can no longer keep track of how many times their images are being viewed. The ability to track live email addresses is likely to be more of an issue than the bandwidth and time constraints, as the majority of spam is sent from computers that have been hijacked by Trojan horses and viruses.
"The email will be larger because it contains the attachment. But they will find an open relay and send it to as many people as possible," said McNally.
Microsoft could not be reached for comment.
Talkback
What a load of tosh. Outlook 2003 blocks HTML to stop Web Beacons - the bits of HTML code that let spammers track which email addresses are live - NOT to stop pornographic images.
I am such a sucker. I thought the article was actually about compromised security. This article is such FUD. Embedding images in email has been around for a long time and not just in Outlook. This is just spammers becoming more desperate and resorting to sending the images in the email. Soon Outlook will have some sort of Bayesian filter for images and then they will claim that Microsoft "fixed the security hole in Outlook". ZDNet - I am so disappointed.
Spammers can test their emails using Outlook 2003.
All they have to do is keep trying out new filter-defeating tactics using their own copy of Outlook 2003 until the email they send themselves gets through!
If Microsoft updates the Bayesian filter algorithms in an Outlook patch then fine - the spammer is quickly able to go through the same process again until a message gets through.
Have I depressed you yet?
You really need to get your facts right. All HTML capable email clients have the ability to display embedded images in HTML. Embedded images have been around for many years now, and are part of the IETF email standards. So you need to credit the IETF with the “invention” – not the spammers.
Embedded images are inherently safe as they do not require external internet connections in order to render properly. Images that are linked from an email to an external Web site are referred to as “Web Bugs” or “Web Beacons” – and these mechanisms pose both privacy and discovery threats.
I suggest that you retract this silly assertion before Microsoft descends to apply a harsh slap. Their software is doing the right thing (in this case) – and has not been breached as you say.
Most technology journalists seem to think that all legitimate email is generated as plain text, and that HTML emails are generated by spammers. This is simply not true – most person to person email is delivered in HTML format these days, and these legitimate communications often contain branding and other embedded content.
I think our story makes an interesting and valid point about a new tactic used by spammers - and I don't think all embedded images are inherently safe: people lose their jobs because of porn on their hard drives. However, on reflection I do think my headline "Outlook's security compromised by spammers" is too broad, so I've changed it to more accurately reflect the content of the story.
Best,
Michael Parsons
News Editor
ZDNet UK
Damn! It wasn't an article about a new Easter Egg.
This article fails to communicate that the reason for blocking automatic image loading is primarily one of privacy and not intended to prevent unintended viewing of adult images.
This behavior has been unchanged since the first day that Outlook 2003 was available. Spammers have been keenly aware of this behavior since before the release. So there is no news here.
Thanks for wasting my time with a catchy headline but nothing to say.
Bayesian filter in Outlook 2003? I think not.
You can see how the filter thing actually works at
http://www.mapilab.com/articles/outlook_spam_filter.html
I can see no sign of bayesian filtering.
Hi,
but this whole story is nothing new to be honest. I have already been rejecting, for several months, every email with embedded images with NoSPAMProxy (freeware on simtel).
I hardly get any complaints from senders, and then I tell them to zip their images. I know it's a hard way - but I use email really just to exchange text. So no problem for me....
I use Outlook Express 6, and have an excellent way of stopping anything from being shown that shouldn't be: turn the preview pane off, and set Outlook to read all messages in *plain text*. That way, no scripts can be run, as the HTML code and embedded Javascript don't get executed.
I know I use OE6, but full Outlook should have the same features - I know the Outlook in Office 97 Pro viewed everything in plain text no matter what (much like Windows Messaging.... I think Outlook 97 was just WM rebadged).
But yeah - turning off the preview pane and setting it to view in plain text will stop anything being executed.