Having just lost a day because the Access database someone tried to send me
got blocked by Outlook, I finally came across William Kennedy's article
"Blocked attachments: The Outlook feature you love to hate."

Well I agree with you in one respect, Mr Kennedy. I certainly hate this
feature. It has that sort of "nanny state" feel about it ("nanny state" is a
common derogatory phrase in the UK for when government or officialdom impose
unnecessary restrictions on people, supposedly for their own good).

There are two things that mystify me. Firstly, in what way is an Access
database more dangerous than, say, a Word document, which Outlook does allow
through? Both are capable of carrying malicious software and both are
perfectly safe when received from a trusted source or by a user who knows how
to look after himself.

Secondly, why the intransigence with regard to allowing expert users at
least some leeway in overriding this? I accept, and even approve of, blocking
such attachments by default so that unwary or novice users are protected. I
could even accept not allowing any user to download such attachments
automatically, or even to run them implicitly, thus protecting the self
proclaimed experts from accidentally executing something they shouldn't. But
please allow us the means to explicitly state we wish to save a specific
attachment on our computer if we are confident it comes from a trusted
source. This could be done by means of a warning prompt to check the safety
of individual attachments. Note that I am only advocating "Save" should be
enabled, not "Run", and even then only for users who have explicitly stated
they understand the risks.

In my view, the extra security in not allowing such files through at all,
under any circumstances, is an illusion. As previously mentioned, evil folk
could still send malicious code in Word documents. If someone really wanted
to send a virus in an Access database they can wrap it in a zip file. This
can be save on your disk where, these days, it looks a bit like a folder so
could easily be opened and the contents run, possibly even accidentally. What
extra security is this annoying feature actually buying us?

A while back I wrote my own spam mail filter that removes unwanted items
from my POP3 mailbox before Outlook even gets to look at it. I am seriously
considering enhancing this to download trusted attachments before Outlook has
a chance to throw them away.

Regards
Keith

Outlook throws nothing away but simply blocks access to it. This might
indeed be a bit annoying if you are an advanced user but not all user are
nor do they have to be.

If you want to work around this protection, more advanced users will easily
find the guides on how to edit the registry to unblock these files such as;
http://www.howto-outlook.com/faq/blockedattachments.htm

Even the less advanced users will find methods around such as, zipping it,
renaming it or get one of the many free tools available to unblock it with
some simple clicks such as;
http://www.howto-outlook.com/products/outlooktools.htm

While there may be more elegant ways in how to deal with this kind of
threat, clicking an extra OK button has proven ineffective. This security
feature was first introduced in a time when viruses were spread by mail like
crazy. Since then (which is about 8 or more years ago) the focus has been
shifted more to Spam and Fishing attacks.

Also note that the system has been adopted by many ISPs and other clients
and quite a few ISPs actually do throw away the email message or bounce it
back to the sender when a file holds a certain extension or header. In those
cases, even renaming or zipping the file will not help you.

So love it or hate it, but fact remains that the amount of exploits
spreading via email attachments has been reduced significantly.

--
Robert Sparnaaij [MVP-Outlook]
Coauthor, Configuring Microsoft Outlook 2003
http://www.howto-outlook.com/
Outlook FAQ, HowTo, Downloads, Add-Ins and more

http://www.msoutlook.info/
Real World Questions, Real World Answers

-----

"Keith" <(E-Mail Removed)> wrote in message
news:15E417B4-EDA8-4E08-A9CA-(E-Mail Removed)...
> Having just lost a day because the Access database someone tried to send
> me
> got blocked by Outlook, I finally came across William Kennedy's article
> "Blocked attachments: The Outlook feature you love to hate."
>
> Well I agree with you in one respect, Mr Kennedy. I certainly hate this
> feature. It has that sort of "nanny state" feel about it ("nanny state" is
> a
> common derogatory phrase in the UK for when government or officialdom
> impose
> unnecessary restrictions on people, supposedly for their own good).
>
> There are two things that mystify me. Firstly, in what way is an Access
> database more dangerous than, say, a Word document, which Outlook does
> allow
> through? Both are capable of carrying malicious software and both are
> perfectly safe when received from a trusted source or by a user who knows
> how
> to look after himself.
>
> Secondly, why the intransigence with regard to allowing expert users at
> least some leeway in overriding this? I accept, and even approve of,
> blocking
> such attachments by default so that unwary or novice users are protected.
> I
> could even accept not allowing any user to download such attachments
> automatically, or even to run them implicitly, thus protecting the self
> proclaimed experts from accidentally executing something they shouldn't.
> But
> please allow us the means to explicitly state we wish to save a specific
> attachment on our computer if we are confident it comes from a trusted
> source. This could be done by means of a warning prompt to check the
> safety
> of individual attachments. Note that I am only advocating "Save" should be
> enabled, not "Run", and even then only for users who have explicitly
> stated
> they understand the risks.
>
> In my view, the extra security in not allowing such files through at all,
> under any circumstances, is an illusion. As previously mentioned, evil
> folk
> could still send malicious code in Word documents. If someone really
> wanted
> to send a virus in an Access database they can wrap it in a zip file. This
> can be save on your disk where, these days, it looks a bit like a folder
> so
> could easily be opened and the contents run, possibly even accidentally.
> What
> extra security is this annoying feature actually buying us?
>
> A while back I wrote my own spam mail filter that removes unwanted items
> from my POP3 mailbox before Outlook even gets to look at it. I am
> seriously
> considering enhancing this to download trusted attachments before Outlook
> has
> a chance to throw them away.
>
> Regards
> Keith

or, edit the registry to let them through...

"Keith" wrote:

> Having just lost a day because the Access database someone tried to send me
> got blocked by Outlook, I finally came across William Kennedy's article
> "Blocked attachments: The Outlook feature you love to hate."
>
> Well I agree with you in one respect, Mr Kennedy. I certainly hate this
> feature. It has that sort of "nanny state" feel about it ("nanny state" is a
> common derogatory phrase in the UK for when government or officialdom impose
> unnecessary restrictions on people, supposedly for their own good).
>
> There are two things that mystify me. Firstly, in what way is an Access
> database more dangerous than, say, a Word document, which Outlook does allow
> through? Both are capable of carrying malicious software and both are
> perfectly safe when received from a trusted source or by a user who knows how
> to look after himself.
>
> Secondly, why the intransigence with regard to allowing expert users at
> least some leeway in overriding this? I accept, and even approve of, blocking
> such attachments by default so that unwary or novice users are protected. I
> could even accept not allowing any user to download such attachments
> automatically, or even to run them implicitly, thus protecting the self
> proclaimed experts from accidentally executing something they shouldn't. But
> please allow us the means to explicitly state we wish to save a specific
> attachment on our computer if we are confident it comes from a trusted
> source. This could be done by means of a warning prompt to check the safety
> of individual attachments. Note that I am only advocating "Save" should be
> enabled, not "Run", and even then only for users who have explicitly stated
> they understand the risks.
>
> In my view, the extra security in not allowing such files through at all,
> under any circumstances, is an illusion. As previously mentioned, evil folk
> could still send malicious code in Word documents. If someone really wanted
> to send a virus in an Access database they can wrap it in a zip file. This
> can be save on your disk where, these days, it looks a bit like a folder so
> could easily be opened and the contents run, possibly even accidentally. What
> extra security is this annoying feature actually buying us?
>
> A while back I wrote my own spam mail filter that removes unwanted items
> from my POP3 mailbox before Outlook even gets to look at it. I am seriously
> considering enhancing this to download trusted attachments before Outlook has
> a chance to throw them away.
>
> Regards
> Keith

Keith wrote:

> Having just lost a day because the Access database someone tried to send
> me got blocked by Outlook, I finally came across William Kennedy's
> article "Blocked attachments: The Outlook feature you love to hate."

Oh goody, we get to read your review on someone else's uneducated
viewpoint.

> Well I agree with you in one respect, Mr Kennedy. I certainly hate this
> feature. It has that sort of "nanny state" feel about it ("nanny state"
> is a common derogatory phrase in the UK for when government or
> officialdom impose unnecessary restrictions on people, supposedly for
> their own good).

You are a definite tiny minority. The vast majority of users have been
bitching at Microsoft for their lack of security. So Microsoft adds more
at their behest and then others then bitch about too much security.

> There are two things that mystify me. Firstly, in what way is an Access
> database more dangerous than, say, a Word document, which Outlook does
> allow through?

And why would a Word document be considered hazardous? Have you actually
used Word or Access? Guess not since you haven't a clue that they can
contain macros that will run just like scripts on your host when you open
those documents. Entire applications can be built on the macro
functionality in Word, Excel, and Access.

> Both are capable of carrying malicious software and both are perfectly
> safe when received from a trusted source or by a user who knows how to
> look after himself.

You thought security was added for expert users that are constantly
diligent? Have you ever found an expert user that was constantly diligent?
I'm am speaking about humans here, not machines.

> Secondly, why the intransigence with regard to allowing expert users at
> least some leeway in overriding this? I accept, and even approve of,
> blocking such attachments by default so that unwary or novice users are
> protected. I could even accept not allowing any user to download such
> attachments automatically, or even to run them implicitly, thus
> protecting the self proclaimed experts from accidentally executing
> something they shouldn't. But please allow us the means to explicitly
> state we wish to save a specific attachment on our computer if we are
> confident it comes from a trusted source.

Yes, it must take super intelligence to follow step-by-step instructions
provided in Microsoft's KB articles on how to alter the list of Level 2
filetype blocks. Geesh, with that level of stupidity, none of those same
users could ever manage to use the new television they just bought.

The means is already provided. They're called instructions. They work.
They exist. Anyone can find them by just a little initiative to actually
do a search. Or they could just ask (instead of spewing a soliloquy about
what's wrong in their narrow opinionated oratory). Apparently other noobs
have more initiative than yourself and have managed to find and follow
those KB articles or find an add-on that gives them the configurability
that eludes you.

> This could be done by means of a warning prompt to check the safety of
> individual attachments. Note that I am only advocating "Save" should be
> enabled, not "Run", and even then only for users who have explicitly
> stated they understand the risks.

You are far too used to applications that give you a slew of configuration
settings in their UI. Not all applications provide all their settings in a
UI. Have you ever found a UI tweaker that contained all the settings for
Windows (well, other than registry editors)? Guess you've never used
Firefox or Thunderbird where, for example, a large number of their settings
are buried config or .css files that you have to edit. But wait, those
products - just like Outlook - allow for extensions. Now for what purpose
might those extensions have been made available? Um, perhaps to "extend"
the product. So FF and TB have extensions that let you get at other
settings not available in the UI for the base program. Same for Outlook
which can have macros or add-ons installed into it.

So are you claiming that your search for an Outlook add-on was fruitless in
trying to find one that let you tailor the Level 2 filetypes that Outlook
will block by default?

> In my view, the extra security in not allowing such files through at all,
> under any circumstances, is an illusion. As previously mentioned, evil
> folk could still send malicious code in Word documents. If someone really
> wanted to send a virus in an Access database they can wrap it in a zip
> file.

You are really that new to security? Since when can security completely
lockdown a host without incurring a loss of use of that host by its user or
owner? There is no level of security that can outdo the willingness and
efforts of a user to thwart that security. You cannot find one security
measure that can completely protect your host, nor can you find any that
you cannot undo, especially if you have physical access to the host.

> A while back I wrote my own spam mail filter that removes unwanted items
> from my POP3 mailbox before Outlook even gets to look at it. I am
> seriously considering enhancing this to download trusted attachments
> before Outlook has a chance to throw them away.

So you want to recreate the wheel, huh? You obviously did no research
before composing your rant. That you claim to be capable of writing code
is totally unimpressive considering that you do so in your isolated cave
without any impetus to look outside to see what is already available.