I certainly love to hate Outlook blocking attachments


Keith

Having just lost a day because the Access database someone tried to send me
got blocked by Outlook, I finally came across William Kennedy's article
"Blocked attachments: The Outlook feature you love to hate."

Well I agree with you in one respect, Mr Kennedy. I certainly hate this
feature. It has that sort of "nanny state" feel about it ("nanny state" is a
common derogatory phrase in the UK for when government or officialdom impose
unnecessary restrictions on people, supposedly for their own good).

There are two things that mystify me. Firstly, in what way is an Access
database more dangerous than, say, a Word document, which Outlook does allow
through? Both are capable of carrying malicious software and both are
perfectly safe when received from a trusted source or by a user who knows how
to look after himself.

Secondly, why the intransigence with regard to allowing expert users at
least some leeway in overriding this? I accept, and even approve of, blocking
such attachments by default so that unwary or novice users are protected. I
could even accept not allowing any user to download such attachments
automatically, or even to run them implicitly, thus protecting the self
proclaimed experts from accidentally executing something they shouldn't. But
please allow us the means to explicitly state we wish to save a specific
attachment on our computer if we are confident it comes from a trusted
source. This could be done by means of a warning prompt to check the safety
of individual attachments. Note that I am only advocating "Save" should be
enabled, not "Run", and even then only for users who have explicitly stated
they understand the risks.

In my view, the extra security in not allowing such files through at all,
under any circumstances, is an illusion. As previously mentioned, evil folk
could still send malicious code in Word documents. If someone really wanted
to send a virus in an Access database they can wrap it in a zip file. This
can be saved on your disk where, these days, it looks a bit like a folder so
could easily be opened and the contents run, possibly even accidentally. What
extra security is this annoying feature actually buying us?

A while back I wrote my own spam mail filter that removes unwanted items
from my POP3 mailbox before Outlook even gets to look at it. I am seriously
considering enhancing this to download trusted attachments before Outlook has
a chance to throw them away.

Regards
Keith
 

Roady [MVP]

Outlook throws nothing away but simply blocks access to it. This might
indeed be a bit annoying if you are an advanced user, but not all users are,
nor do they have to be.

If you want to work around this protection, more advanced users will easily
find the guides on how to edit the registry to unblock these files, such as:
http://www.howto-outlook.com/faq/blockedattachments.htm

Even the less advanced users will find methods around it, such as zipping it,
renaming it or getting one of the many free tools available to unblock it with
some simple clicks, such as:
http://www.howto-outlook.com/products/outlooktools.htm

While there may be more elegant ways to deal with this kind of
threat, clicking an extra OK button has proven ineffective. This security
feature was first introduced in a time when viruses were spread by mail like
crazy. Since then (which is about 8 or more years ago) the focus has
shifted more to spam and phishing attacks.

Also note that the system has been adopted by many ISPs and other clients
and quite a few ISPs actually do throw away the email message or bounce it
back to the sender when a file holds a certain extension or header. In those
cases, even renaming or zipping the file will not help you.

So love it or hate it, but the fact remains that the number of exploits
spreading via email attachments has been reduced significantly.
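
The post above notes that zipping or renaming gets a file past an extension check in the client, but not past a provider that filters on more than the attachment name. One way such a gateway check can work, as an added example that is not part of the original thread and not Outlook's or any ISP's code; the extension list, function names and sample messages are constructed for illustration:

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Constructed sample policy, not Outlook's or any ISP's actual list.
BLOCKED_EXTENSIONS = {".mdb", ".exe", ".vbs", ".scr"}


def _ext(name):
    """Lower-cased final extension of a file name ('' if none)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1].lower() if "." in base else ""


def blocked_attachments(raw_message):
    """Return (attachment_name, offending_name) pairs for a raw message."""
    findings = []
    for part in message_from_bytes(raw_message).walk():
        filename = part.get_filename()
        if not filename:
            continue
        if _ext(filename) in BLOCKED_EXTENSIONS:
            findings.append((filename, filename))
            continue
        payload = part.get_payload(decode=True) or b""
        # Detect zips by content, not by name, so a renamed archive is caught.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                for member in archive.namelist():
                    if _ext(member) in BLOCKED_EXTENSIONS:
                        findings.append((filename, member))
    return findings


def build_sample(attachment_name, data):
    """Constructed test message carrying a single attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "a@example.com", "b@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()
```

Nested archives and non-zip containers are not inspected here, and a blocked file that is renamed without being zipped is only caught by content-type sniffing, which this sketch does not do.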




VanguardLH

Keith said:
> Having just lost a day because the Access database someone tried to send
> me got blocked by Outlook, I finally came across William Kennedy's
> article "Blocked attachments: The Outlook feature you love to hate."

Oh goody, we get to read your review on someone else's uneducated
viewpoint.

> Well I agree with you in one respect, Mr Kennedy. I certainly hate this
> feature. It has that sort of "nanny state" feel about it ("nanny state"
> is a common derogatory phrase in the UK for when government or
> officialdom impose unnecessary restrictions on people, supposedly for
> their own good).

You are a definite tiny minority. The vast majority of users have been
bitching at Microsoft for their lack of security. So Microsoft adds more
at their behest and then others bitch about too much security.

> There are two things that mystify me. Firstly, in what way is an Access
> database more dangerous than, say, a Word document, which Outlook does
> allow through?

And why would a Word document be considered hazardous? Have you actually
used Word or Access? Guess not since you haven't a clue that they can
contain macros that will run just like scripts on your host when you open
those documents. Entire applications can be built on the macro
functionality in Word, Excel, and Access.

> Both are capable of carrying malicious software and both are perfectly
> safe when received from a trusted source or by a user who knows how to
> look after himself.

You thought security was added for expert users that are constantly
diligent? Have you ever found an expert user that was constantly diligent?
I am speaking about humans here, not machines.

> Secondly, why the intransigence with regard to allowing expert users at
> least some leeway in overriding this? I accept, and even approve of,
> blocking such attachments by default so that unwary or novice users are
> protected. I could even accept not allowing any user to download such
> attachments automatically, or even to run them implicitly, thus
> protecting the self proclaimed experts from accidentally executing
> something they shouldn't. But please allow us the means to explicitly
> state we wish to save a specific attachment on our computer if we are
> confident it comes from a trusted source.

Yes, it must take super intelligence to follow step-by-step instructions
provided in Microsoft's KB articles on how to alter the list of Level 2
filetype blocks. Geesh, with that level of stupidity, none of those same
users could ever manage to use the new television they just bought.

The means is already provided. They're called instructions. They work.
They exist. Anyone can find them by just a little initiative to actually
do a search. Or they could just ask (instead of spewing a soliloquy about
what's wrong in their narrow opinionated oratory). Apparently other noobs
have more initiative than yourself and have managed to find and follow
those KB articles or find an add-on that gives them the configurability
that eludes you.

> This could be done by means of a warning prompt to check the safety of
> individual attachments. Note that I am only advocating "Save" should be
> enabled, not "Run", and even then only for users who have explicitly
> stated they understand the risks.

You are far too used to applications that give you a slew of configuration
settings in their UI. Not all applications provide all their settings in a
UI. Have you ever found a UI tweaker that contained all the settings for
Windows (well, other than registry editors)? Guess you've never used
Firefox or Thunderbird where, for example, a large number of their settings
are buried in config or .css files that you have to edit. But wait, those
products - just like Outlook - allow for extensions. Now for what purpose
might those extensions have been made available? Um, perhaps to "extend"
the product. So FF and TB have extensions that let you get at other
settings not available in the UI for the base program. Same for Outlook
which can have macros or add-ons installed into it.

So are you claiming that your search for an Outlook add-on was fruitless in
trying to find one that let you tailor the Level 2 filetypes that Outlook
will block by default?

> In my view, the extra security in not allowing such files through at all,
> under any circumstances, is an illusion. As previously mentioned, evil
> folk could still send malicious code in Word documents. If someone really
> wanted to send a virus in an Access database they can wrap it in a zip
> file.

You are really that new to security? Since when can security completely
lock down a host without incurring a loss of use of that host by its user or
owner? There is no level of security that can outdo the willingness and
efforts of a user to thwart that security. You cannot find one security
measure that can completely protect your host, nor can you find any that
you cannot undo, especially if you have physical access to the host.

> A while back I wrote my own spam mail filter that removes unwanted items
> from my POP3 mailbox before Outlook even gets to look at it. I am
> seriously considering enhancing this to download trusted attachments
> before Outlook has a chance to throw them away.

So you want to recreate the wheel, huh? You obviously did no research
before composing your rant. That you claim to be capable of writing code
is totally unimpressive considering that you do so in your isolated cave
without any impetus to look outside to see what is already available.
 
