Coffeehouse Thread


Image Blocking in Outlook (+ Express)

  • jamie

    As a designer, the best feature of Outlook Express was its ability to show images in emails - without clicking them as separate attachments

    I am aware there are Pixel GIF viruses, but are there viruses for JPG? - the main file format of choice for designers for proofs to clients?

    According to this article:
    http://pages.prodigy.net/henri_delger/jpgvirus.htm

    "The bottom line: do not worry about JPG viruses, until there is something to be worried about. "

    I guess I am just asking:  GIFs are really only used on webpages, but JPGs are VERY handy.

    Could we not have the ability to view JPGs back - and only "quarantine" GIFs - or is there a real threat somewhere..

    * I've switched to Outlook 2003 - and clicking every attachment to see images is a drag (for me anyway). I'd like JPGs to be exempt..

    Possible?

  • sbc

    It's not really anything to do with viruses. It is the fact that some spammers use images to check if an email address is valid or not. Once they find out it is, you could get much more spam.

    Also, turning off images saves bandwidth.

    IMHO I think all emails should be in plain text format - if you want rich text, attach a Word document. This will save bandwidth, prevent HTML based viruses and allow faster retrieval of email. HTML email is one of the reasons we have so many worms - they can be stopped if you block executable attachments (like EXE, VBS, JS and SCR) and use plain text instead.

  • jamie

    turning off the internet saves bandwidth too lol ... as I said - I'm a designer - I send images and receive images..

    The spamming thing - yes - that is GIF

    I'm just wondering why JPG got the same treatment - when according to previous article link - it says they are safe

    anyone know what JPGs can do?

  • sbc

    Spamming works on JPGs too - in fact any embedded content that is located on a remote server.

    What may be a good compromise is if you could leave images off by default, and allow images in emails from people you know (i.e. added to address book, checked allow images checkbox).

  • jamie

    so why can I get HTML emails - webpages with images in them (marketing companies)

    what differentiates being allowed to view those JPGs, than just sending a JPG in an email and having it displayed? ..like Outlook Express has always done, and why many designers I know who own Office and Outlook still use Outlook Express.

    Sorry SBC, but I'm sort of looking for hard proof

    Is there a link, an article, that specifically states a vulnerability to sending a LONE jpg attachment in an email..

    and if so - is there no way for MS to scan the file to determine it's an exe or whatever - instead of taking away our functionality

    ( cue SP2 rant..)

  • sbc

    It's not the file itself that is the issue. The issue is if the image is embedded in the email (rather than attached), i.e. <img src="http://spammer.com/image.jpg" />. It is the fact that it resides on a remote site and when you download it you tell the spammer that the email they sent was sent to a valid account.

    An attached image is not a problem. Perhaps another way of doing this is to just block images with src beginning with "http://" and only allow relative links (or whatever Outlook does to reference attached images).
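
The distinction sbc draws above, as an added example that is not part of the original thread: the sketch strips the src from every <img> that is not a cid: reference to a part already inside the message, so displaying the mail makes no request to a remote server. The tracker URL and Content-ID are constructed, and treating only cid: as local is an assumption of the example.

```python
from html import escape
from html.parser import HTMLParser


class ImageBlocker(HTMLParser):
    """Re-emit HTML, dropping the src of every <img> that is not a cid: reference."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked = [], []

    def _emit(self, tag, attrs, close=""):
        kept = []
        for name, value in attrs:
            # Assumption: only cid: (a MIME part inside the message) counts as local.
            local = (value or "").strip().lower().startswith("cid:")
            if tag == "img" and name == "src" and not local:
                self.blocked.append(value)
                continue  # no src left, so rendering fetches nothing
            kept.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join([tag] + kept) + close + ">")

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, " /")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def block_remote_images(html):
    """Return (sanitized_html, blocked_src_values) for one HTML body."""
    parser = ImageBlocker()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample: one attached proof (cid:) and one 1x1 remote beacon.
SAMPLE_HTML = (
    '<p>Proofs &amp; notes</p>'
    '<img src="cid:proof1@example.invalid" alt="proof">'
    '<img src="http://tracker.example/image.jpg?rcpt=12345" width="1" height="1" />'
)
```

Comments and doctype declarations are dropped by this parser, and other remote-fetch vectors such as CSS backgrounds are outside what it handles.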

  • jamie

    PERFECT!

    any others with info on why auto displaying attached images could be malicious?

    ( remember - if it's attached - you've already downloaded it - you just haven't DISPLAYED it.. so it's got nothing to do with bandwidth)

  • ryexley

    I had no idea about all of these other reasons that you guys have discussed so far about this particular feature, but for me personally, the biggest thing that I like about this feature is the fact that a lot of spam includes images that I just don't want to see, period. And the fact that it defaults to NOT showing images in the messages by default, and allowing me to be able to *choose* whether or not I want to see the images is awesome. It's like one, maybe two mouse-clicks for me to see the images in a message if I determine that the source of the message (and therefore the images in the message) is trusted. I like that more than anything.

  • GooberDLX

    It's quite a common practice.. and the fact that they make the images 1x1 px.. it's practically not noticeable...

    I too like the fact that it blocks the images out and lets me choose.. it also gives me the option to turn it off completely.

    Jake

  • lars

    ryexley wrote:

    the biggest thing that I like about this feature is the fact that a lot of spam includes images that I just don't want to see, period.



    A welcome feature among parents who don't like the idea of spammers sending naughty pictures to their children!

    ryexley wrote:

    and allowing me to be able to *choose* whether or not I want to see the images is awesome.


    True. Finally someone who Read The Manual before complaining. ;)

    /Lars.

  • jamie

    lars - I've looked everywhere under Outlook 2003 "Options" and see no such option anywhere

    Please tell me - if you do indeed know - where the option of "Auto display images in emails" is

  • GooberDLX

    I'm pretty sure when you get an email.. and it blocks out the images.. click on the gray bar at the top of the email, right under the "to/from/subject" pane.. and I think there is an option to automatically download images..

    I'm not 100% cause my Outlook 2k3 is in the office

    Jake

  • lars

    In my Outlook 2003 I just have to right click on one of the blocked images and there's the settings. 

    /Lars.

  • jamie

    hmm.. not for me - there's no Options or Properties on the right click

    also - even if there is a way to turn on images - which I don't think there is - the point is why cannot this be on by default - it is not from a remote http site - it is attached.. why is it blocked and what can a jpg do?  * From sbc post above:
    "An attached image is not a problem. Perhaps another way of doing this is to just block images with src beginning with "http://" and only allow relative links (or whatever outlook does to reference attached images)."

  • GooberDLX

    OHHh I thought you were talking about embedded images in the HTML Email..not attached images.. shoot.. I just usually double click them and then Fireworks pops up :)

    Jake

  • jamie

    no I was referring to how Outlook Express shows you the images in the email pane..and Outlook does not.

    again - picture receiving an email with 10 sample ads.. in Express I could just scroll down and see them - in Outlook I'd have to click each one to view

    so the whole point is:
    if a jpg is attached and is not http:// URL - why is it blocked and not allowed to display like Express does it

    can a jpg actually carry a virus

  • GooberDLX

    Notice..this is only my thinking.. I am a regular at Defcon.. hear me out..

    jamie wrote:

    can a jpg actually carry a virus


    Well.. if a JPG were to carry a virus.. one of three things would happen

    1) The jpg would be embedded with information that would cause a buffer overflow in the program that is utilizing jpg compression/decompression (only problem with that, is that JPG compression has been around for a while, it's hard to screw up).. THEN.. after that, the jpg would have to inject executable code (inside of itself) onto the call stack.. (which in .net is not possible).. once that happens then the code would "execute"..

    2) You could create an executable that "acts" like a jpg file, yet is really an executable.. somehow you'd have to cause execution to happen, which is hard to do if your system automatically sends a jpg image to a image processing program.

    3) Like #1, you could exploit jpg decompression and cause an overflow, in just the decompression itself, rather than the host program.. but this falls under the same conditions as #1.

    Either way, you'd have to trick the client into believing that the strangely large file size of the image is "normal".. and somehow hijack the system..

    very unlikely..
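
Jamie's earlier question about scanning the file, together with points 1 and 2 above, as an added example that is not part of the original thread: a structural check that rejects a renamed executable and walks the JPEG marker segments, refusing length fields that are too small or that run past the end of the file. The function name and sample bytes are constructed for illustration, and the scan data after SOS is not inspected.

```python
import struct

# Markers with no length field: TEM (0x01) and RST0-RST7 (0xD0-0xD7).
STANDALONE = {0x01, *range(0xD0, 0xD8)}


def jpeg_problem(data):
    """Walk the marker segments of a purported JPEG; return a problem string or None."""
    if data[:2] == b"MZ":
        return "starts with MZ: an executable renamed to .jpg, not an image"
    if data[:2] != b"\xff\xd8":
        return "missing SOI marker (FF D8)"
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return f"offset {pos}: expected a marker (FF xx)"
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte in front of the real marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:  # EOI: end of image
            return None
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return f"offset {pos}: file ends before the segment length"
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        # The 16-bit length counts its own two bytes, so anything below 2 is
        # malformed and must be rejected before a decoder subtracts 2 from it.
        if length < 2:
            return f"offset {pos}: segment length {length} is below the minimum of 2"
        if pos + length > len(data):
            return f"offset {pos}: segment length {length} runs past the end of the file"
        if marker == 0xDA:  # SOS: entropy-coded scan data follows, not checked here
            return None
        pos += length
    return "no SOS or EOI marker found"


# Constructed samples (not real images): header-only JPEG, bad COM length, renamed EXE.
GOOD = b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9) + b"\xff\xd9"
BAD_LENGTH = b"\xff\xd8\xff\xfe\x00\x00\xff\xd9"
RENAMED_EXE = b"MZ\x90\x00" + bytes(60)
```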
