Outlook Express

    • #2213
      Webmaster
      Keymaster

      Applies To: Windows Server 2003 with SP1
      What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
      Plain text mode
      Detailed description
      The plain text mode feature of Outlook Express provides users with the option to render incoming mail messages in plain text
      instead of Hypertext Markup Language (HTML). When Outlook Express is running in plain text mode, the rich edit control is
      used instead of the MSHTML control. You avoid some security issues that result from the use of MSHTML by using the rich edit
      control.
      Why is this change important?
      The use of the rich edit control provides an additional barrier to malicious code that is transmitted using e-mail. Computers
      running earlier versions of Windows XP had a vulnerability to malicious code because Outlook Express processes HTML header
      scripts in the HTML content. The MSHTML control automatically executes these scripts. The rich edit control does not execute
      HTML scripts, so this is mitigated. Because plain text e-mail does not require HTML header processing to be displayed properly,
      there is usually little visible difference from this processing change in standard message formats. Portions of e-mail messages
      that do not appear to render correctly are relying on HTML rendering and could present a danger to your system.
      What works differently?
      The following Outlook Express features are not available when running in plain text mode:
      Changing text size to a larger or smaller font.
      Full text searching through the body of a mail message.
      You can configure plain text mode in several ways, including:
      Reading a message.
      In Outlook Express, on the Tools menu, click Options, and then click the Read tab. Select the Read all messages in
      plain text check box.
      Composing a message.
      In Outlook Express, on the Tools menu, click Options, and then click the Send tab. Under Mail Sending Format, select
      the Plain Text option.
      With a new menu option.
      On the View menu, click Message in HTML.
      This new menu item switches the current message view to HTML if it is currently in plain text view, both in the preview
      display as well as in the full message display.
      How do I resolve these issues?
      If you are sure that the source of an e-mail message can be trusted and you want to use the full feature set that is provided
      with the MSHTML control to support rich HTML e-mail for reading or composing, you can switch to the HTML mode by using
      the View menu option procedure as described above in “With a new menu option.”
      Limit external HTML content downloads
      Detailed description
      This Outlook Express feature helps users to avoid getting repeated spam mailings by preventing the user from unknowingly
      validating his or her e-mail address to spam originators. Businesses that use spam as a marketing technique typically include
      references to images that reside on their Web servers inside the e-mail message. Some of these spam e-mail messages contain
      single pixel images that are not visible to the recipient of the e-mail so that the recipient will not be aware that there is any
      content that is malicious. When the user opened an e-mail that contains the image, previous versions of Outlook Express
      automatically contacted the Web server to download and display the images. When the request for the image was made to the
      Web server, it could ascertain that a spam e-mail message was received by an active e-mail account, which validated the e-mail
      address in the spam originator’s mailing list. Now, when the Block images and other external content in HTML e-mail
      setting is enabled, the default behavior of Outlook Express changes so that it does not contact the Web server to download
      external content, which helps prevent the verification of the e-mail address with the spam originator. This download behavior
      is configurable and is enabled by default when you install Windows Server 2003 Service Pack 1.
      This feature also helps to minimize a common problem that is experienced by people whose computers use dial-up network
      connections. Prior to implementing this feature, if users downloaded mail messages and then disconnected their network
      connection, when they attempted to view an HTML message that included pictures or other external Internet content, their
      modem would automatically start to dial out to download the external content.
      Why is this change important?
      This feature increases the privacy that is provided to users of Outlook Express. Their e-mail address is not automatically
      validated by the Web server of spam originators without their knowledge when a spam e-mail message is opened. Using this
      feature may result in the following advantages:
      The user receives less spam.
      The user is less distracted by the receipt of spam.
      Automatic attempts by a user’s modem to reconnect to the Internet after receiving HTML e-mail decrease.
      What works differently?
      Implementing this feature in Outlook Express helps prevent the rendering of pictures in HTML e-mail if the pictures must be
      retrieved from servers that are in either the Internet or Restricted Web content zones. This new default behavior results in the
      user’s name not being validated by the Web site hosting the pictures, which makes the user’s e-mail name less useful to spam
      senders. This may result in the user getting less spam over time.
      To communicate that these pictures are missing, there is now an External Message Information Bar that is displayed in both the
      Outlook Express message window as well as in the preview area. This External Message Information Bar appears whenever the
      message contains references to external Internet content, such as images or script, and the options are set to render the
      message in HTML.
      When Outlook Express blocks content, the actual image is replaced with the standard placeholder for the blocked image in the
      text of the mail message. Images are the only blocked items that provide a visual cue that something is not being displayed.
      For sounds, IFrames, and other content, there is no visual indication in the body of the mail message. When users print an
      HTML e-mail that has blocked content, Outlook Express prints the e-mail exactly as it appears on the screen, with a placeholder
      for the blocked images. The external content is not downloaded.
      An added benefit of this feature is that it minimizes a common dial-up user problem: undesired automatic dial-up network
      connection attempts. When viewing an HTML e-mail message off-line, previous versions of Outlook Express would
      automatically dial out to connect to the Internet and retrieve any reference images. However, because almost all external HTML
      references in e-mail messages point to resources on the Internet that are part of the Internet zone, the content is not displayed
      by default and a dial-up network connection is not requested.
      How do I resolve these issues?
      To turn off all external content blocking, on the Tools menu, point to Options, and then click Security. Clear the Block
      images and other external content in HTML e-mail check box. From that point, no content is blocked, which returns
      Outlook Express to the prior behavior of automatically downloading external content.
      To explicitly download external content for an e-mail message, click the External Message Information Bar to download the
      external content that was included with the message.
      Attachment Manager API integration
      Description
      Outlook Express now integrates a new set of application programming interfaces (APIs), called the Attachment Manager, to
      check e-mail attachments. This allows applications to eliminate custom code that performs similar safety checks and instead
      rely on this centrally-managed API set. The use of Attachment Manager provides a consistent user experience across all
      applications that check the security of an attachment.
      Why is this change important?
      It is important to have a more unified approach for attachment security across all Windows applications. This helps to ensure
      that users get a consistent experience with regard to the security check performed on attachments.
      What works differently?
      Apart from the consistent user experience, this feature does not provide any visible change to the user.
      Do I need to change my code to work with Windows Server 2003 Service Pack 1?
      There are several differences in functionality that a developer should be aware of.
      When API names are provided, they are the Attachment Manager API. If the Do not allow attachments to be saved or
      opened that could potentially be a virus setting is disabled, Outlook Express calls SetReferer() and passes http://URL as a
      parameter. This is done so that the subsequent call to CheckPolicy() considers Outlook Express to be in the Internet Web
      content zone. Attachment Manager discriminates differently, depending on whether the caller is in the context of the Internet
      or Restricted security zones. The following sections provide overviews of different behaviors that the Attachment Manager API
      supports.
      Behavior when previewing a message that includes an attachment
      Before the preview area is rendered, CheckPolicy() is called to determine the state of the menu options associated with the
      attachment icon in the preview area header, and the corresponding actions as follows:
      If CheckPolicy() returns E_Fail (dangerous attachment), S_OK, or S_False (safe attachment), there is no change to the
      previous functionality of Outlook Express.
      Opening the attachment saves the file as a temporary file and then calls Execute() to execute the file instead of the
      currently used ShellExecute() call.
      If Execute() fails, subsequent user actions are handled by Attachment Manager.
      When the Save Attachments dialog box is opened, the list of attachments contains items that are enabled in the menu.
      Blocked attachments do not appear in the Save Attachments dialog box. When the user selects the destination folder
      and clicks Save, Outlook Express saves the files to the specified folder and then calls Save() on each of the saved files.
      In the case of previewing mail with multiple attachments, CheckPolicy() is called on each of the attachments. Depending on
      whether the return value is E_Fail, or S_OK, or S_False, Outlook Express either disables or enables the attachment name in the
      menu.
      In future implementations, Save() could fail if CheckPolicy() does not return S_OK. In this case, Outlook Express will display
      the error message “The following attachments were not saved because they could not be verified as being safe”, followed by a
      list of failed files.
      Behavior when reading a message that includes an attachment
      Before the Outlook Express message window is rendered, CheckPolicy() is called for every attachment to determine which
      attachments are shown and which are blocked from access to the user.
      If CheckPolicy() returns E_Fail (dangerous attachment), S_OK or S_False (safe attachment), Outlook Express behaves
      just as it did in the past. Double-clicking the attachments that are displayed in the Attach area of the message window
      follows the exact same steps as described when executing attachments from the preview area.
      When the user clicks Save As, selects the destination folder and file name, and then clicks Save, Outlook Express saves
      the attachment in the specified folder and then calls Save() to sync.
      Selecting Print is similar to running the attachment, except that, instead of calling Execute() without any parameters,
      Outlook Express issues a call to Execute(“print”). All other tasks, such as saving the file to a temporary file, remain the
      same as when executing the attachment.
      If the Do not allow attachments to be saved or opened that could potentially be a virus setting is disabled,
      Outlook Express calls SetReferer() and passes http://URL as a parameter. The subsequent call to CheckPolicy() then
      considers Outlook Express to be in the Internet Web content zone.
      Behavior when moving a message that includes an attachment
      If the user moves an item to a location outside Outlook Express — for example, dragging a message containing an attachment
      to the desktop — Outlook Express performs these actions:
      Generates a temporary file with HDROP.
      Saves a temporary file
      Calls Save() on the temporary file
      If it is successful, HDROP is made available
      If it fails, HDROP is not made available and the drop target is disabled.
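
The section "Limit external HTML content downloads" above describes remote references that a mail client fetches when it renders HTML, and notes that only blocked images leave a visible placeholder. The Python sketch below is an added example, not part of the original post or of Outlook Express: it lists the remote fetches an HTML message would trigger, so a filter or analyst can see them before rendering. The tag list, the 1x1 test for single pixel images and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that makes an HTML renderer fetch a remote resource.
# Assumed, non-exhaustive list chosen for this example.
FETCH_ATTRS = {"img": "src", "iframe": "src", "bgsound": "src",
               "script": "src", "embed": "src", "link": "href",
               "body": "background"}

class ExternalRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not url or urlsplit(url).scheme not in ("http", "https"):
            return  # cid:/data: content travels inside the message itself
        tiny = {attrs.get("width"), attrs.get("height")} <= {"0", "1"}
        self.findings.append({
            "tag": tag,
            "host": urlsplit(url).hostname,
            "placeholder": tag == "img",   # only images leave a visual cue
            "single_pixel": tag == "img" and tiny,
        })

def external_refs(raw_message):
    """Return every remote fetch that rendering the HTML parts would trigger."""
    finder = ExternalRefFinder()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            finder.feed(part.get_payload(decode=True).decode(charset, "replace"))
    return finder.findings

# Constructed sample message (not taken from the page).
SAMPLE = """\
Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<img src="http://img.example.com/banner.gif" width="400" height="80">
<img src="http://track.example.com/o.gif?id=abc123" width="1" height="1">
<img src="cid:logo@local">
<iframe src="http://ads.example.com/frame.html"></iframe>
<bgsound src="http://media.example.com/jingle.wav">
"""
```

Entries with `placeholder` set to `False` correspond to the sounds, IFrames and other content that the text says are blocked without any visual indication.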
