Exchange Messaging Outlook
Volume 6, Number 7

Greetings! Welcome to Vol. 6, No. 7, of Exchange Messaging Outlook, a biweekly newsletter about Microsoft Exchange and Microsoft Outlook.

The next issue of EMO will appear 4 weeks from today, on August 8, as we take a break from our usual biweekly schedule.

• Outlook View Control Vulnerability
• Managing extra mailboxes in Exchange
• MEC Awards 2001
• MEC registration open
• Office Developer connections conference

• New utilities
• Updated utilities
• Other new resources

Outlook View Control Vulnerability

My vacation last month was interrupted by news of yet another HTML-related vulnerability in Microsoft Outlook, this one tied to the Outlook View Control (OVC). The OVC, which is integrated into Outlook 2002 and can be added to Outlook 2000, is an ActiveX control to display any Outlook folder. The vulnerability makes it possible for allow malicious code to do almost anything with your Outlook data, including deleting items and harvesting e-mail addresses from messages. A patch is expected shortly.

Whether or not you need to worry about this depends in part on your version of Outlook. The security features in Outlook 2002 protect against malicious code exploiting the Outlook View Control in an HTML-format mail message. However, Outlook 2002 users still are vulnerable to the use of the control in a web page. Therefore, for safety's sake, you should disable the ability of ActiveX controls to run in pages in the Internet zone in Microsoft Internet Explorer by following the instructions in the article "OL2002: The Outlook View Control Exposes Unsafe Functionality" at http://support.microsoft.com/support/kb/articles/Q303/8/35.asp.

Outlook 2000 does not include the Outlook View Control as an integrated feature, but many organizations have deployed Team Folders or digital dashboards that include the OVC. If the file Outlctlx.dll is present on your system, then you are vulnerable. For protection, you should adjust the security zone settings for Outlook as described at http://www.slipstick.com/outlook/antivirus.htm#zones, unless you have already installed the Outlook E-mail Security Update or Office 2000 Service Pack 2 (which adjust the zones settings automatically). You should also disable the ability of ActiveX controls to run in pages in the Internet zone by following the instructions in the article "OL2000: The Outlook View Control Exposes Unsafe Functionality" at http://support.microsoft.com/support/kb/articles/Q303/8/33.asp.

Managing extra mailboxes in Exchange

From time to time, I want to highlight solutions developers who really seem to understand what people want from Outlook. One such developer is Victor Ivanidze, whom I met while I was living in Moscow and whose web site at http://victori.hypermart.net/ features COM add-ins for Outlook 2000 and 2002, sample forms to add header fields to Internet messages, and various other tips.

Lately, Victor has focused on one of the stickier issues in Outlook in an Exchange environment -- working with a secondary mailbox. As you probably know, with proper permissions, you can open another mailbox and see all its folders, respond to messages in its Inbox, etc. A typical example is a Support mailbox that help desk staffers access in addition to their own mailboxes.

The hard part comes when you want to ensure that messages sent from the other mailbox have the right From address and are stored in the other mailbox's Sent Items folder. I wrote an article a few years ago (http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=4855) on various ways to meet those goals and concluded that it was easier to abandon the shared group mailbox approach and use a public folder instead.

Victor has breathed new life into the group mailbox approach, however, by offering two COM add-ins that together make it possible to handle a secondary mailbox's messages seamlessly. RightFrom is a utility that automatically fills in the correct From address when you reply to or forward a message in the other mailbox. The second utility, UniSent, ensures that those replies and forwards are stored in the Sent Items folder of the other mailbox, not in your own mailbox. It also puts items that you delete from the group mailbox into the group mailbox's Deleted Items folder.

Remember that, if you're implementing a group mailbox, there are two different ways to set permissions to allow other users to send on behalf of the mailbox. If the Exchange administrator grants Send on Behalf Of permission to the Support mailbox, outgoing messages will show both the actual sender and the Support mailbox. If you want to hide the actual sender's name and address, you need to grant Send As permission to the user's Windows account.

MEC Awards 2001

Once again, Microsoft is seeking the best applications for Exchange and best solutions that leverage Exchange features. You can nominate your company or your favorite tool in any of 10 categories at http://www.microsoft.com/corpevents/mec2001/awards.asp. Winners will be announced at MEC in Orlando in October.

MEC registration open

Registration is now open for MEC 2001 in Orlando, Florida, Sept. 30 - Oct. 4. Exhibits open Sept. 30, with conference sessions beginning Oct. 1. Microsoft is now billing MEC as the "premier Exchange, Windows, and .NET Enterprise Servers event." Register at http://www.microsoft.com/MSCorp/corpevents/mec2001/reg.asp by August 24 to get a discount.

MEC Europe will take place in Nice, France, Nov. 6-9. The web site at http://www.microsoft.com/europe/mec/ is expected to have registration details at the end of June.

MEC Japan will be in Tokyo, Oct. 29-30 (a change from the August date that Microsoft gave earlier). No registration site yet.

Office Developer Connections Conference

I will be speaking on Outlook development at the Office Developer Connections conference Oct. 4-5 in Scottsdale, Arizona -- covering Outlook security, Outlook reports, and what's new for developers in Outlook 2002. One of the sample applications that I'll be showing adds "merge to HTML e-mail" capability to Office XP, without raising the Outlook security prompts.

Register at http://www.msofficeconnections.com by August 15 to get a discount.

New Utilities

BABELFISH FOR OUTLOOK
http://www.dimastr.com/babelfish/
Outlook 2000/2002 COM add-in to translate Outlook messages. Source code for Delphi 6 Enterprise available. Free.

DETACHXP
http://www.mcdev.com/detachxp.htm
Utility for Outlook 2002 only to change the list of blocked file attachments according to the level of risk you're willing to take.

ECONVERT FOR EXCHANGE
http://www.personalcrm.com/econvert_4_Exchange.htm
Convert data from web page form submissions and other message data into Outlook contacts. Processes data in the background.

EMAILER FOR OUTLOOK 2000
http://www.eusys.be/
Bulk mail tool sending individual messages to selected contacts, with file attachments if desired. [No longer available as of July 2003]

GAZNET ANTI-SPAM PROTECTION FILE
http://www.gaznet.au.com/spam/download.htm
Master list of more than 21,000 known spammers that you can use as the junk senders list with Outlook.

OUT2UNIX
http://www.active-com.de/out2unix/
Utility to export Outlook mail to the Unix/Linux MBOX format.

OUTBACK PLUS
http://www.ajsystems.com/outback.html
Backup utility preserves Outlook Personal Folders .pst and .ost files, signatures, stationery, rules, Internet account settings, offline address book, and other settings. Can be set up to remind you to back up or to back up automatically with a Windows Task Scheduler. Works with Outlook 97, 98 and 2000.

PROFILER
http://www.dir-wizards.com/
Web-based tool for allowing users to manage their Exchange 5.5 GAL entries, including those for group mailboxes.

TODI
http://www.aufgang.org/koch/homepage/software/todi.htm
Outlook 2000 COM add-in to extract all attachments and save them as system files, leaving a link in the mail message. Free.

WORKSMART
http://www.ibharworksmart.com/feature-4.htm
Provides a view, similar to the Activities page on a contact, of all messages, documents, tasks, journal entries, appointments, and notes related to an Outlook contact. Also links contacts to company accounts and displays a consolidated view of all account activities.

Updated utilities

MAIL ESSENTIALS FOR EXCHANGE/SMTP
http://www.gfi.com/me/mailessentials.htm
Version 5.0 for Windows NT adds a simpler interface and allows rules for attachments and content checking to apply to groups or individuals.

ONSIGN
http://www.onsign.com/
Version 2.10 of this utility to turn your handwritten signature into a digital signature adds support for Office XP, Pocket PC and 3rd-party digital certificates. [No longer available as of 11/2002]

POCKETKNIFE
http://www.xintercept.com/
Version 1.3 of this Outlook productivity tool for working with contacts adds a dialer with some nice intelligence and fixes a few bugs.

SIMPLESYNC
http://www.cps-systems.com/
Version 3.0 of this tool for synchronizing Active Directory and other address sources features a new administrative program, support for iPlanet, more detailed logging, and other improvements.

Other new resources

MALFORMED RPC REQUEST PATCH
http://www.microsoft.com/technet/security/bulletin/MS01-041.asp
Exchange Server and other Microsoft servers that use remote procedure calls (RPC) are vulnerable to denial of service attacks via a malformed RPC request. Microsoft has issued a security bulletin and patches for Exchange and other servers.

MODIFYING PROPERTIES OF A DIRECTORY OBJECT VIA MAPI INTERFACES
http://members.nbci.com/imibo/exc/dapi/mapiwrite.htm
Delphi 5 sample allowing a user to update Exchange directory information, available in both source and compiled versions.

More Information

• Click here to subscribe to the Exchange Messaging Outlook newsletter. 
• Exchange Messaging Outlook Newsletter back issues

ISSN 1523-7990
Copyright 1996-2006, Slipstick Systems and CDOLive LLC. All rights reserved.

Updated Apr 07 2008

Home | What's New | Exchange Server | Outlook | Utilities | Bookstore
About Slipstick | Feedback | Privacy Policy | Site Map | Archived Pages | Link to Us | Advertise