Rafter
Hi,

The first thing I want to say to people reading this thread is:
This article is NOT a way to code a virus which will bypass the security of Outlook (if we can consider there is some...)

The purpose of this is to help people who have one day faced the problem of writing a macro in a corporate environment which has to send a mail to a list of contacts!

Since SP2 of Outlook 2000, and in every later version of Outlook, if you program such a thing in VBA code, it will result in the following prompts appearing while trying to send the message:

user posted image

user posted image

Isn't that annoying? The whole purpose of automating the send-out is lost because you now have to stay in front of the PC and wait 5 seconds between each message to click "Yes, I'm sure I want to let an external component send a message...."!

Let's now talk about the solutions.

1. If you google a bit (doesn't need much time) you will surely find this program: Express ClickYes

How does it work? It is a simple program which runs in the background of Windows. Attention: it does not install itself as a service... it just adds itself to the startup of Windows!

Then each time the prompts shown above pop up, it automatically clicks on Yes. The big problem with that is again security, because it doesn't care who is asking to send the messages... it just says "Yes" every time.

Positive: It's a freeware, easy to use and install.
Negative: It always says Yes, and doesn't tell the difference between a virus asking for the authorization and a trusted VBA macro/code.


2. Another solution to that is to use an additional component which is called Outlook Redemption.
It has to be added to your VBA or VB project and then you can use your code without worrying about these security prompts anymore !!!

There are other interesting features, but I won't discuss them here.

Positive: It does not affect the security of Outlook. The component just bypasses it when needed. Freeware.
Negative: It might be used for non-trusted purposes, but so far I haven't heard of it. You need to have access to the code and have the know-how to add the component.


3. Advanced Security for Outlook is a freeware that will ask you when you want to give access to a certain component or not. It works exactly the same as software firewalls when they ask you : "Are you sure to let the following program access the Internet... ?".

Below is an example of the prompt you will get when something tries to automatically use the send functions of Outlook (you don't get it when you want to manually send a mail):
user posted image

Positive: It triggers directly the calls to Outlook, so you are able to check the source asking for access. Plus you can have a different policy for each component. User-friendly. Freeware.
Negative: Might be a source of problems for standard users in a corporate environment.


4. The last solution is something which I just heard about so I can't tell you a lot about it. It is possible through the Exchange Server to disable the security option of Outlook for specific users.

More info : http://support.microsoft.com/kb/290499/en-us

Positive: Supported by Microsoft.
Negative: You need to have an Exchange environment. Granularity ?


Here it is!
Hope it will help some of you guys.
belgther
Well, what about reversing Outlook and disabling security dialogs?