Software

Five ways to make Outlook Express more secure

Outlook Express is a handy, easy-to-use e-mail client -- it just needs a little help in the security department. Mike Mullins lists five ways you can boost the security of Outlook Express.

Microsoft Outlook Express is a popular and free e-mail client that comes bundled with most versions of Windows client (except for Windows Vista, which replaces Outlook Express with Windows Mail). It's easy to set up, and it's easy to use.

However, it's also a target for a lot of current and future hacks and viruses -- thanks to the fact that it's an e-mail client (one of the preferred methods of virus delivery) and its tight integration with Internet Explorer (the most heavily targeted browser of black hats). But just because it's popular with the bad guys doesn't mean you have to pay for a client to read your e-mail.

You can still use Outlook Express safely: You just need to add a little security and follow a few simple rules. Here are five ways to make Outlook Express more secure.

Prevent applications from sending e-mail

A virus that wants to replicate and share itself with other computers will try to use Outlook Express to get the job done. But it's rather easy to prevent. In Outlook Express, go to Tools | Options, select the Security tab, and enable the Warn Me When Other Applications Try To Send Mail As Me option.

Turn off HTML e-mail

Although HTML e-mail looks cool with all of its pictures and links, it's a dangerous format overall. Web bugs, bogus links, and a host of other nasty problems can do a great deal of damage to your computer. Sometimes just opening an HTML e-mail is enough to launch a malicious surprise. That's why I recommend using text mail instead.

To disable HTML e-mail in Outlook Express, go to Tools | Options, select the Mail Sending Format tab, and select the Text option. To configure Outlook Express to read HTML e-mail as text, which strips away any malicious content, go to Tools | Options, select the Read tab, and select the Read All Messages In Plain Text option.

Give up the Preview Pane

The Preview Pane definitely comes in handy when scanning through e-mails. However, it's actually quite dangerous: The operating system considers previewing an e-mail and opening an e-mail to be the same thing. To get rid of the Preview Pane, go to View | Layout, and deselect the Show Preview Pane option.

Disable JavaScript

The malicious use of JavaScript can pull a lot of information off a computer -- specifically, browsing history and cookies. It can't format your hard drive, but it can help someone steal information without your knowledge.

Because of Outlook Express' integration with Internet Explorer, disabling JavaScript takes a little more effort. Follow these steps:

1. In Outlook Express, go to Tools | Options, and select the Security tab.

2. Enable the Restricted Sites Zone (More Secure) option.

3. Go to Start | Control Panel, and double-click the Internet Options applet.

4. On the Security tab, click the Custom Level button.

5. Under Scripting, select Disable under the Active Scripting heading.

Note: This also disables Visual Basic scripts (VBS).

Block potentially malicious attachments

Some attachments are bad; some are good. But sometimes, it's just better to be safe. To disable potentially malicious attachments, go to Tools | Options, select the Security tab, and select the Do Not Allow Attachments To Be Saved Or Opened That Could Potentially Be A Virus check box under Virus Protection.

If you enable this option, Outlook Express uses the Internet Explorer 6 Unsafe File list and the Confirm Open After Download setting in Folder Options to determine whether a file is safe. It blocks the download of any e-mail attachment with a file type reported as "unsafe."

Note: Outlook Express Service Pack 1 enables this option by default.

Final thoughts

Outlook Express is a handy, easy-to-use e-mail client -- it just needs a little help in the security department. You don't need to dump it because of security integration flaws with Internet Explorer; you just need to add a little security and remember to never open an attachment from someone you don't know.
57 comments
armstrongb
armstrongb

Remove it. In every environment I have ever worked, OE and MSIM are banned. And for good reason. I have no doubt that your tips to "secure" OE make the product more secure, but as the reactions come in we see those who cry out that you are disabling all the "cool" stuff and my bet is that they would turn it all back on after your good faith effort to secure their system. OE is a losing game right out of the chute. I got better things to do with my time. Even opening attachments from people you do know can be dangerous. Good luck!

daward
daward

You can't be serious. You've just disabled everything that makes Outlook Express useful. Links, graphic content, previews. I would seriously like to see your email client in action. In order to prevent viruses, you can't restrict the flow of information. That's like removing your nose because you occasionally get a bad smell.

bboyd
bboyd

You have to change these settings to get a reasonable default security. or You can use open source Thunderbird which has even stronger protection as default. If an email has pictures or html from a untrusted source it will not display them until you allow it to. Have a client that you think is not good at determining risk for an email, it will tell them if its a potential scam or if it thinks its spam. All that improved security is before you use additional security add-ons.

Tearat
Tearat

In a separate reply This is the sort of things people need to know how to do The virus and spam epidemic has gotten totally out of hand Good Blog

Tearat
Tearat

Is change the toolbar buttons There are lots of things that can be added At the top click on View Choose Layout from the drop down menu Click on the Customize Toolbar button You will see on the Left side Available toolbar buttons Select one at a time the buttons you want to add to the OE toolbar then click the add button Don?t worry if you get it wrong you can click the reset button and restore the original buttons The default for Text Options = Show text labels The default for Icon Options = Large Icons Three buttons I like to add are Contacts This button will show and hide your address book contacts on the left hand side of OE Some people like the fact that you can double click a contact to create a new email with the address already in the To Field Folder List This button will hide and show the mail folders on the left hand side of OE It can be nice to hide all the stuff on the left hand side It allows you use the entire width of OEs window to read your mail Very good on small displays Preview This button will hide and show the preview pane I would recommend leaving it off until you delete the spam And only turn it on to read the mail that you trust You can hide it permanently and just double click on the mail you want to read Then use the Previous and next Buttons to step through your emails There is one other button that I find useful The Offline Button but that is one you can try out your self The buttons can be set up different for each group of folders Hotmail, Imap or the Local Folders Hope you find this useful

Mr.Newman
Mr.Newman

What has been said in this article is right but it looks like that you live in house where is no window and door. to go inside of the house you using flue. But having the proper antivurus program and updating it regularly can give you relaxed use of outlook.

badams
badams

disabling scripting in OE and IE makes it almost impossible to visit sites and even visit paypal or a banking organization, too much security hampers online activities as someone else has already posted. HTML and viewing pane are good ideas though.

Mike Mullins
Mike Mullins

First, I appreciate the comments, both for and against. My purpose is always to give you enough information for you to act if choose (hopefuly I hit that mark most of the time), but be warned if you don't. Security is inversely proportional to functionality. If you don't need tight security, then loosen it, but beware of the consequences. Thanks, Mike Mullins Security Solutions Columnist

RickyF
RickyF

If I am worried about protecting a domain or large LAN your advice is fine, maybe, but if I have a small business or home client your advice is just plain WRONG WRONG WRONG! Life is filled with risks. It is OK to minimize them but if we avoid doing what we want because of avoiding acceptable risks we are letting security concerns overrule rationale behavior.

jsloan1223
jsloan1223

When OE first came out with this box checked, "How do I get the attachment?" was the most common phone call I received from my pop3 users. "Block attachments that could potentially be a virus" includes ALL word documents, and a whole host of other formats, regardless of whether they have anything harmful or not. Almost anything could POTENTIALLY be a virus. If you're using OE for business email, get a reliable antivirus program and don't block all the attachments!!

apotheon
apotheon

"[i]Even opening attachments from people you do know can be dangerous. Good luck![/i]" That's one of the two minor quibbles I have with the article itself: 1. It fails to mention that one must even be careful with attachments from people one [b]does[/b] know. 2. It fails to mention that, though OE can be made substantially more secure by applying Mike's advice, there are still other mail clients that are even better for security purposes than OE. I think that could have been indicated without turning off OE users entirely and causing them to ignore the advice. Granted, as you point out, some will ignore good advice [b]anyway[/b], but that's not the fault of mentioning that other applications might be better suited to securing one's online life.

apotheon
apotheon

The advice Mike Mullins gave is good -- and it's advice I've given before, too. Frankly, if my nose was as prone to deadly viruses as OE, I might consider cutting it off. Of course, Mike's not suggesting cutting it off (though I might suggest some alternatives to OE instead). He's just suggesting that you protect it a bit. By default, OE (to run withe the nose metaphor) runs off and sniffs everything that gets within a half-mile radius of you, no matter how dangerous it might look, without even waiting for your opinion. Mike recommends curbing that behavior somewhat, and I agree with his suggestions. Every time your preview pane renders an HTML email, you run the risk of (at minimum) alerting a spammer that yours is a good address. Something as simple as an embedded off-site image can serve that purpose to a spammer. JavaScript, VBScript, and ActiveX controls can do the same thing. HTML emails rendered by the Trident rendering engine at the core of IE have the potential of running cross-site scripting attacks, accessing Web history, and otherwise making life unpleasant for you. You don't have to follow Mike's advice if you don't want to, but if you're going to ignore the most basic and simple security advice from someone who knows more about the subject than you, I have to wonder what your reason is for reading the IT Security Weblog.

nepenthe0
nepenthe0

I agree with [i]daward[/i], you only need to make an application idiot proof if you allow idiots to use it. I have used OE the past 7 years, without incident. I'm getting better at blocking spam with tagged subject line words, so very little gets through. Configuration could be more straightforward, but once mastered, it works seamlessly. Since I'm not interested in business relationships in Nigeria or performance-enhancing drugs, I use the [b]Del[/b] key for its intended purpose. OE is a user-friendly application that has millions of satisfied adherents. I'll take off the gloves when it comes to Vista's UAC and resource hogging, but let's be fair to OE, which does the job it was designed to do, and does it well. Rick/Portland, OR

robo_dev
robo_dev

I'd take Mozilla Thunderbird version 2 over a 'fully hardened' Outlook Express 6 any day of the week. For starters, MT does not use the IE HTML rendering engine, does not act on embedded Java by default, nor can those nasty activeX scripts and controls attack it.

JCitizen
JCitizen

I ended up with a hacked router and about 213 maleware files! But I use Outlook 2003 and this may be off topic. I tend to like getting in fights with hackers though; I like to click on files I know I shouldn't because I got this wild west mentality. And it teaches me a lot about security - keeps my senses sharp about emergency procedures in a security breach. I used to reinstall my operating system a lot so I don't recommend this of course. I guarantee I don't do that at work.

jsloan1223
jsloan1223

I LOVE that quote, Mike. And I know I will find a place to use it!!! :) Jocelyn in ND

dhays
dhays

That's rational not rationale the latter is the reason, the former is the description. I agree, that is too much to worry about. I use OE at home for my ISP mail, used to use it for hotmail, only here at work sometimes. I like OE as I can save the messages locally.

Monty Palmer
Monty Palmer

You can choose to adopt the policies or not, depending on your specific circumstances. Ignore what doesn't work for you, but do so understanding the risks. No reason to be testy, this was just guidance. Thanks.

Why Me Worry?
Why Me Worry?

I've heard from colleagues of mine how new corporate policies were put into place to lock down desktops to prevent viruses and unwanted software from being installed after the company merged with another. Unfortunately, the desktop support techs and sys admins were not immune from such policies and had their machines locked down as well. How are they supposed to perform their jobs if they can't run the required tools and applications for managing the system? Or restated in simpler terms, how do you expect me to tighten this bolt and nut if you have confiscated the wrench?

dcarr@winning.com
dcarr@winning.com

Yup, blocking attachments will virtually block everything!!! Then you have complaints from users/customers/clients that they are not getting attachments that are being sent to them. Once again a descent AV program like AVG will protect against this. Preview Pane as stated in the article as being a problem, IS NOT a Problem. We all know about bad links (phishing) and don't click attachments with extensions like .bat, .com, .exe, .zip, .vbs, .scr etc. But the Preview Pane in itself will not cause any issues. Fortunately text as viewed in the preview pane has NEVER been known to create any problems. Who writes this stuff???? Bad article, bad suggestions, sounds like an uninformed user wrote it.

robo_dev
robo_dev

If OE were an automobile, would you say "well, just don't drive down that road, ever, and the fact that the airbags are actually hefty trash bags filled with packing peanuts should not be a concern" Many PC users I know are not experts. They think the registry is something you sign up for when you have a baby. I mean no disrespect to the author of the article and commend his efforts. What frustrates me is WHY we need to tweak and twiddle with an application such as this to make it secure. If the developers were aware that certain features introduce vulnerabilites, how about shipping the code with those features DISABLED? And if the user really needs to have the feature, maybe an idiot-message that says "WARNING: enabling this feature will allow an unsigned ActiveX control to install a nasty virus and blow away all your data." Back to the automobile analogy, it's like saying "here's your new car....by the way, heres some rebar and a tig welder to strengthen the doors...in a side impact they cave in, so you need to weld on this rebar"

nepenthe0
nepenthe0

Honorable folks can make good suggestions, but other honorable folks may reasonably choose not to follow those suggestions. Your warning about HTML is valid, but OE allows one the option of viewing all incoming mail in plain text mode. I do that. So I have taken what you call [i]the most basic and simple security advice[/i]. Precipitous judgement issues from incomplete facts. I welcome your advice, and I value your knowledge. But please reserve judgement until you have the complete picture presented to you. Appreciatively, Rick/Portland, OR

Tearat
Tearat

The download (Which you forgot by the way) AND install Yep everybody will do that Sure they will Do you believe me? The point of the blog and this discussion is to help people configure OE to make it somewhat safer to use I tried to add some ways to make that easier for the people who use it Stating my personal opinion about other people's choice of OE is unimportant It tends to be counterproductive I was trying to help someone Someone who uses thunderbird does not need my help By the way I do use thunderbird I also test OE Injecting thunderbird into the discussion could be considered to be trolling Why dont you ask Chad what he use's

JCitizen
JCitizen

for people who were to be fired or who were crusing for it because they were purposely ignoring IT security directions. After HIPPA we stopped playing games with recalcitrant employees.

jsloan1223
jsloan1223

actually the preview pane in OE does have a history of allowing junk through. I believe it was originally detected with OE5 (which is also IE5-ish). But it's still ongoing. Check out http://support.microsoft.com/kb/261255 I strongly advise my OE users that they turn off the preview pane. Well, except the ones who can't figure out how to read their messages without it! ;)

Tearat
Tearat

The only thing you can do is deal with the posts one by one There are some very nice reasonable people out there who for some reason will go off the rails every now and then I have done it myself more often than I would like to admit But everyone screws up from time to time The wackos are present on every forum They do not come with a label unfortunately Reasons for their existence can be many things Drugs Mental disorders Tiredness Simple reading comprehension problems Dont think you are immune Drugs can be something as simple as not getting your cup of coffee in time Mental disorders can be the result of being sick with a cold or some other illness Tiredness needs no explanation Comprehension problems can be as simple as the wife telling you she is pregnant For women it can be finding out you are pregnant (Can be very distracting to say the least) Ok that is not so simple Everybody deserves some respect but not total respect We are after all human

apotheon
apotheon

"[i]Query - is there a reason why we cannot utilize language that conveys respect for the opinions of other folks?[/i]" No, there isn't any particular reason. Is there someone in particular you think failed to respect the opinions of others here?

nepenthe0
nepenthe0

No, I misinterpreted the indentation scheme. My vision is a bit blurry at times. I'll pay more attention next time. Query - is there a reason why we cannot utilize language that conveys respect for the opinions of other folks? In a professional forum, it only seems reasonable to assume that [b]all[/b] contributors are peers or future peers. The person you ridicule today might be your employer tomorrow... Rick/Portland, OR

apotheon
apotheon

Did you notice I wasn't responding to you?

OnTheRopes
OnTheRopes

I really wasn't paying too much attention to what's going on between Santee and you and didn't mean to insert myself into the middle of any sort of argument. Although I'm not paying too much attention to TR lately I've noticed several recent posts where a few people try to exercise their supposed command of the written word. To me it just looks like the old saying, if you can't dazzle them with brilliance baffle them with bullshlt. That gets old and downright boring. After awhile it's like written white-noise, I don't even pay attention to it so if there's something going on I just didn't bother trying to see it. I've better things to do with my time.

santeewelding
santeewelding

I get my wish. I live in interesting times, coming to the attention of important people. They are A! and Apotheon. That they are important may not be questioned. I have accepted their legitimacy, their competence, and their stature since signing on to TR in 2006. Their work spoke eloquently not only to me, but has spoken and does speak for itself. My curse now is that they speak to me and of me. They detract and they do it with finality. They are saying, get lost. This happens a lot in posts, one on one, in a variety of ways, some tumultuous. It is water off the back in all cases, save when TR powers that be do the speaking. It would be so now, were it not for stature and for importance. Power speaks. Worse, it is power I acknowledge to be power. Worse still, it is power that takes power to itself. They are in. I am out. They detract in the worst possible way: I am out for never having been in. Cursed.

apotheon
apotheon

Who are you trying to compare to Martin Luther, what makes you think I was being hard on [b]myself[/b], and why can't you ever just say what you mean rather than trying to obfuscate everything in some vain attempt to appear worldly and wise?

$$$$$$$$$$
$$$$$$$$$$

The kinship you presume, santeewelding, among humans is only granted mutually, after establishment over time. Square one is non-assumption of any such familiarity. Among my folk, your approach is unwelcome. [i]Family of mind santeewelding@... - 05/09/08 Mine are notes on a refrigerator door.[/i] You mistake the nature of the forum. This is not a refrigerator door. [i]They work by sake of familiarity, among ones who break bread of intellect. If you are not family, they don't. I mistake you.[/i] You implicitly assume too much, and make too few assumptions explicit, for me and mine to find your notes worthwhile. Please stop wasting our time.

santeewelding
santeewelding

Took some doing to construct a sentence like that.

apotheon
apotheon

Please tell me you aren't trying to defend someone whose discussion tactics basically consist of saying things that are so divorced from collective contextual familiarity that there's no way anyone will understand everything he says just so he can set them up to call them stupid -- as he just did to me.

OnTheRopes
OnTheRopes

I'm fairly certain that Santee's obscure reference is due to a picture I posted at TR over here: http://preview.tinyurl.com/3lt964 The image is easily 'searchable' once you know how. Given what I think you may already know about me or what you could easily discover about my *interests*, without any further input from me, I believe that you could easily work out the hidden message if you were so inclined. As always, feel free to send me peermail or email anytime you want and, of course, feel free to ignore the ramblings of my deranged mind. :)

Tearat
Tearat

I have to say that you are in trouble when BALTHOR starts to make more sense than you But it may be me Don?t remember if madness runs in the family But I think absent-mindedness does Now what was it this discussion is about? Hmm think I need to go to bed

santeewelding
santeewelding

Mine are notes on a refrigerator door. They work by sake of familiarity, among ones who break bread of intellect. If you are not family, they don't. I mistake you.

apotheon
apotheon

. . . just maybe santeewelding thinks that by making cryptic references to obscure context, it makes him sound "intellectual". If that's the case, though, I think he misses the mark a bit when referring to something he himself said elsewhere, in a context with which I may not have any reason to be familiar. Under such circumstances, rather than sounding learned, he just ends up sounding like he lacks some basic communication skills. At least when I make reference to someone's head being inserted into his fourth point of contact, the way I'm using the phrase "fourth point of contact" gives a sort of common culturally relevant sense that I'm talking about a specific part of the anatomy where the sun doesn't shine, whether you've run across the military use of "fourth point of contact" before or not.

$$$$$$$$$$
$$$$$$$$$$

1. The sender has included all pertinent data in the message itself. 2. The sender has included "hyperlinks," known unknowns

$$$$$$$$$$
$$$$$$$$$$

He's still trying to not quite say it.

apotheon
apotheon

You lost me. What are you trying to say?

santeewelding
santeewelding

That would put OTR and his art out of the question.

apotheon
apotheon

In theory, you could easily have "pretty" email without having to worry about foreign code that might do nasty things. The problem is that nobody's really pursuing the kind of approach necessary to get that result with any diligence. On one hand, you have people who pour as many "features" as possible into every piece of software out there, and figure the stupidity of their user base will make security concerns unimportant to widespread adoption of the software, and on the other you have people who don't like a bunch of rouge and eyeliner on their emails anyway. I tend to be in the "I don't like a bunch of rouge and eyeliner on my emails anyway" camp, so you're unlikely to see me writing software that provides safe "rich text" style formatting any time soon. In addition to most rich text stuff introducing security issues as it's currently used, that also tends to interfere with efficiency in an application's interface. It's easier, for instance, to sort stuff by the characters it contains than by font face, size, emphasis, and color -- and the content of an image isn't very searchable.

santeewelding
santeewelding

I understand, thank you, and I press my luck. Once reassembled and collated by means of headers and such, the doing of something meaningful with the data string, whatever process is needed, is defined first by string executables, second and necessarily by the interoperability of OE and other native capacity, or so I understand. Are executables, then, present and unavoidable at birth? Unless someone figures out how to embed digitally subliminal instructions in plain text, security centers on the "foreign" executables you mentioned. No way to get pretty mail without playing expert cat and mouse with elevated executables?

apotheon
apotheon

How incoming packets are handled is defined by the software that handles them. The way OE is designed determines what happens with the data when OE receives it. In the specific case of OE, the application is told by its user (through configuration) how to get the packets in the first place. It may do so, broadly speaking, in one of two ways: 1. When the user clicks a "button" on OE's interface, it queries the mail server, which responds by sending email data to the application. 2. OE periodically, over an interval set by the user (or its default interval), queries the mail server "automatically" -- and, as above, the mail server response by sending email data to the application. In both cases, the data in the received packets is reassembled into an integrated, cohesive form, then saved to disk somewhere that the application can access it. The list of available emails saved to disk is displayed in the application, and when choosing to display an email, the application goes through whatever process is needed to render it as the user wants it rendered (HTML rendering, plain text, et cetera). The problem with the way OE does things is that it shares the data with other applications (uses IE's rendering engine for HTML, for instance), and tends to eagerly seek out ways to execute everything it finds. These are design flaws in the application. The packets delivered via the email protocols used are just inert data until an application gets them and does something meaningful with them. The key for security in this case is to ensure that what the application does with that data is chosen with security in mind -- not executing foreign code, not eagerly contacting third-party servers to download additional content when rendering a page, and so on. Does that answer your question(s)?

Tearat
Tearat

I do need to find the time and energy to look after my own systems better I should be prowling the net looking for better applications all the time But I do feel for people who have less time or experience than me Face to face I try to teach how to make things easier I need to start doing it on the net as well

santeewelding
santeewelding

Clear up for me, if you would, the fundamental protocol involved with incoming packets. Does the instruction set for how OE operates lie effectively with the incoming parcel? Is OE passive until activated and controlled by the parcel to execute the (wish) of the parcel for ill or otherwise? And does the essentially defensive nature of security lie here, as opposed to the other way around, where OE, or the OS, would reveal and orchestrate the intelligence of the parcel without subjugation to it? I apologize for putting interoperability in this naive and anthropomorphic way. Please do your best.

apotheon
apotheon

I use Mutt. With regard to the five points in Mike's article (most of which I've addressed before, but not all together and specifically in reference to OE): 1. I run Mutt on an OS where applications need my help to execute in the first place, so they don't get much opportunity to try to use Mutt to send emails "automatically". Because Mutt isn't a particular favorite of people who have poor security practices, it also tends to be very uncommon as a target of malicious security crackers as a vector for spreading infection. 2. Mutt is incapable of rendering HTML without the addition of third-party software, so there's no danger of rendering malicious HTML emails. 3. There's no such thing as a preview pane in Mutt, so I never have to worry about emails being opened when I don't expect it. 4. JavaScript and VBScript do not execute in Mutt. 5. Mutt treats all attachments as plain text by default. When I use a third-party application to view images, I use an application that isn't capable of doing anything but displaying an image, et cetera. As such, malicious attachments aren't really much of an issue for me. Outlook Express is a great tool for getting your system infected and used for purposes you didn't intend, really. Mike Mullins' article covers some ways to mitigate that risk. All you can really do is mitigate the risk, though, because OE is designed without a very secure operation model in mind. Thunderbird might be marginally better in the final analysis than OE, because it doesn't integrate with IE, because it isn't quite as eager to interoperate with other applications, and because there are some few security-enhancing plug-ins available for it that are not available for OE. Thunderbird's general design is not exactly security focused either, though, and there is a distinct upper limit to how secure each of them can be. For those who are willing to make the switch, I'd recommend Thunderbird over OE, but not everyone is willing (or competent) to make the switch. For such users, it's a good thing Mike has explained some of the measures one can take to mitigate some of OE's most egregious security problems. Regarding what happens when you put lipstick on a pig -- the same applies to both OE and Thunderbird. They're just different breeds of pig, really.