We look at the Outlook 2003 SP2 anti-phishing feature to uncover what’s going on, how the feature works and how effective it is.
There’s a lot of talk about Outlook 2003 SP2 and the only new feature in Service Pack 2 – an anti-phishing feature. There’s plenty of talk but little in the way of facts about it. So in this issue we’ll try to uncover what’s going on, how the feature works and how effective it is.
To enable the anti-phishing feature you need Outlook 2003, with Service Pack 2 and the latest junk mail filter update. See our coverage in a previous article.
Once that’s installed start Outlook 2003 and go to Tools | Options | Preferences | Junk E-mail | Options. At the bottom you’ll see a new choice “Don’t turn on links in messages that might connect to unsafe sites.” This choice is separate to the level of protection above that – so even if you choose ‘No automatic filtering’ Microsoft says the link protection will work.
Outlook 2003 SP2 adds a block to some messages in addition to the existing block on links to external images.
Messages with ‘suspicious links’ are rendered in plain text so you can see the real links below the covering text. In the header above the message you’ll see a notice “This message was converted to plain text”, if you want to see the original click on that line and select ‘Display as HTML’.
Or a message can be displayed as HTML but with the links disabled. In this case the notice says ‘Click here to turn on links. For your security, links have been turned off in this message’. Click on the line for an option to ‘Turn on Links’. The original message is retained in the original formatting – just the way it is displayed is changed.
If you click on a link in a disabled message you’ll get a warning to explain why it won’t work.
It seems that all links in a message are blocked even if only one of them is considered suspicious.$$PAGE$$
TYPES OF MESSAGES
In earlier versions of Outlook 2003 it had two types of email – spam and not spam with the former sent to the Junk E-Mail folder. Outlook 2003 SP2 adds a new type of mail with what are deemed ‘suspicious links’. The combination of attributes assigned to an incoming message determines what is done to it and how you can view it.
Most commonly a spam message will also have suspicious links however it is possible to have a non-spam message but with suspicious links.
The main options and actions are:
- Spam with suspicious links is sent to the Junk E-mail folder and displayed as plain text.
- Spam without suspicious links is sent to the Junk E-mail folder
- Not spam but still with suspicious links is left in the Inbox but the links in the message are disabled.
- Not spam nor suspicious is left in the Inbox (or moved according to a rule you have in place).
Your Safe Senders list of email addresses or domains means a message will not be sent to the Junk E-mail folder but, if it contains suspicious links, the message will be displayed in plain text. Microsoft rightly points out that adding your bank or other financial institution to the Safe Senders list is not a good idea since there’s no way to tell the difference between legitimate messages and the fakes.$$PAGE$$
WHAT IS A ‘SUSPICIOUS LINK’?
Microsoft is cagey about what they are defining as a ‘suspicious link’ and while that’s frustrating it is the right thing to do.
As with spam filters, to give details of the filtering mechanism would help the baddies in trying to bypass the filters.
But some sensible guesses can be made. Where the link and the covering text don’t match (eg http://somedomain.org/page.htm“> http://anotherdomain.org/page.htm ) is likely to raise a flag. Links with IP addresses instead of domains are also likely to be considered suspicious.
In technical terms a message is assigned a Phishing Confidence Level (PCL) which is separate to the existing Spam Confidence Level (SCL). The PCL is calculated first and used as a factor in then determining the SCL.$$PAGE$$
Network administrators can control the ability to click on links overall but not on a per-message basis.
The registry subkey is:
The DWORD values are:
1 – Turn off this feature and enable links by default.
0 – Turn on this feature and disable links in suspicious messages by default – this is the recommended setting.
KEEP IN MIND
The link filtering only works on the Inbox and Junk E-mail folder. A message with suspicious links is displayed normally with no plain text rendering or link blocking if moved to another folder – that includes the Deleted Items folder.
There doesn’t seem to be any way to enable the anti-phishing feature in another folder or public folder.
As usual this new feature is an all Microsoft affair and it doesn’t play nice with other products. Because the Outlook defined Junk E-mail folder has the anti-phishing feature if you have another spam filter you have to make sure that program moves spam to the same folder as Microsoft uses. If your third-party spam filter sends suspect messages to another folder then none of the new features will apply.
There is a risk that the anti-phishing feature will give users and network administrators a false sense of security. You can’t assume that all messages that Outlook doesn’t block are, by definition safe. It’s only a matter of time before phishers find a way around the Microsoft measures.
As with any spam filtering there is the risk of ‘false positives’ – legitimate messages that are considered spam or now ‘suspicious’. We’ve already had reports that real messages from eBay and their ‘Watch’ service on My eBay have their links blocked.
- Avoiding the ‘Google’ mail hack
- Outlook isn’t catching ‘CNN.com Daily Top 10’ phishing trap
- Anti-phishing feature for Outlook 2003 in SP2