Outlook Express Security Hole

Outlook Express has a security hole which allows those who send you SPAM emails to confirm the existence of your email address if you open the email. You don't need to reply to the email, just opening it is enough to tell them that your address exists so that they can send you even more SPAM. The same security hole exists with regard to newsletters that you subscribe to allowing the email sender to track both when you read their email and how many times you go back to it at a later date.

How can they do this? Well they do this using an email in HTML format. Instead of embedding the required images into the email itself so as to make the email complete and allow you to view it offline in its entirety, they link to the images from their own web site. This means that every time you view their email while online the images are downloaded from their site. The system logs on their web site then record information about the download that they can use to determine which recipients have read their email and when.

You can't even see for sure when they are doing this because these web bugs (as they are called) usually use a single pixel transparent image so that you can't even see that it is there.

To check if your emails could contain web bugs, enter your email address in the form below and I will send you an email that contains a couple of linked images. In this particular instance the images don't actually execute any code but the appearance of these images indicates that you are exposed to the possibility of images that are linked in such a way as to execute code.

Some people have suggested that providing links to images rather than embedding the images in the email itself makes the email smaller and therefore faster to download. This is only true if you never read the email. The time taken to connect to the appropriate server and download the images when you read the email will be longer than the extra time taken in downloading the email with embedded images in the first place. If you then read the email again at a later date after the images are cleared from your cache then they will have to be downloaded again (assuming that the web site owner hasn't deleted them in the meantime).

It is considerate of the senders of SPAM emails to link to their images instead of embedding them because provided that you identify and delete the SPAM without opening it you save the time taken to download the images. Of course it would be more considerate of them if they didn't send you the SPAM in the first place as then you would save the time and space that these unwanted emails take up in their entirety.

External linking also means that you can't download your emails and then go offline before reading them and still see the images. Those of you who pay by the amount of time that you are connected want to quickly download your emails and then disconnect before reading them. You then miss out on any linked images that you did want to see. In fact external linking of images provides no benefit whatever to the email recipient and only benefits those senders who want to spy on the recipients to see who reads their email and when. It is for this reason that I identify this as a security hole. In effect the senders of these emails are using Outlook Express as spyware.

I don't mean to imply that everyone who sends you emails with images linked instead of embedded is trying to spy on you. Many senders probably don't know there is an alternative or just haven't realized the problems associated with linking instead of embedding. Nevertheless, allowing your email program to remote load images into an HTML email potentially allows for the sender of the email to spy on you whether they intend to or not. It is this potential that we need to block whether individual senders utilize the security hole doesn't matter because some senders are certain too eventually. Unfortunately (unlike other email programs) Outlook Express does not have an option to block remote loading of images while still allowing embedded images to be displayed.

After thoroughly investigating the possible options I have come up with some possible ways that we can plug this security hole for ourselves. Each of these ways has advantages and disadvantages so which you choose will depend on how important the relative features that are lost with each alternative are to you.

I would have thought that a simple option would be to turn off images completely. Unfortunately, Microsoft decided not to provide an option to do even this and I couldn't find an addon to do it either. Microsoft has now added this option for Windows XP SP2 users.

Another relatively simple option would be to turn off support for HTML is Outlook Express. Microsoft didn't provide a way to do this either but there is an addon that can handle this. You need to download and install the NOHTML Outlook Express Addon (this is shareware with a 30 day trial period). This addon will convert the HTML content of emails into plain text (and embedded images into attachments) allowing you to access the text content of emails without the images. Internet Explorer is unaffected if you use this option but as well as losing the images you also lose any other formatting within the email including any web page links. You will probably find that many of the emails that you receive become unreadable.

Another option is available if you don't use Internet Explorer as your default browser. In this instance what you can do is to make use of the Work Offline option in the File menu. You go online to run Send/Receive and immediately after you have received all of your emails you go offline (just with Outlook Express, you can stay online with your browser provided that it isn't Internet Explorer which unfortunately shares the offline setting with Outlook Express). While offline you can view your emails safe in the knowledge that they are only displaying embedded images. When asked if you want to go online to download linked images just tell Outlook Express to stay offline. Provided that you use a browser other than Internet Explorer as your default you should still be able to open links within the email without having to go online with Outlook Express. All you need to do is make sure you close all of your emails before going back online to Send/Receive emails again. Of course with this method you get a query of whether you want to go online for every single image that is linked and some emails can contain quite a few.

The final option is to abandon Outlook Express as your email program and use a different email program instead. If you choose the right email program then you will be able to have HTML emails without remote linked images and can still use Internet Explorer as your browser without it being affected by your email settings. You ought to be able to transfer your address book and mail settings without any problems and some alternate email programs (eg. Mozilla or Netscape) can even transfer all of your existing emails to the new program as well.

 

This article written by Stephen Chapman, Felgall Pty Ltd.

go to top

FaceBook Follow
Twitter Follow
Donate