By Woody Leonhard

No doubt you’ve read about Microsoft’s new Outlook antiphishing software, built into the recent Office 2003 Service Pack 2. Some of the media coverage I’ve seen sounds like it was copied, verbatim, from the company’s press releases.
Suffice it to say that the ‘Softies haven’t solved the phishing problem. Haven’t even put a tiny dent in it. The Outlook 2003 anti-phishing feature, as it works today, doesn’t do much at all. But the foundation has been laid for a capability that could, some day, save your butt. Or at least your identity.
To see what Microsoft’s doing, and where we’re headed, we must first look closely at Outlook 2003’s junk e-mail filter.
How Outlook takes out the trash
When Outlook 2003 receives a new message, it scans the message and assigns it a number called the Spam Confidence Level (SCL). Outlook calculates the SCL by looking up “bad” and “good” words in Outlook’s dictionary, using a method called Bayesian analysis, as many antispam products do. But a lot of other factors besides the words themselves come into play.
For example, formatting alone (such as the formatting in HTML e-mail messages) can affect the SCL. So can the time of day that the message was sent, and much more.
Outlook uses the SCL to determine whether an incoming message goes into your Inbox or is banished to the folder called Junk E-Mail. If a message’s SCL goes over a certain number, the message gets shunted aside as junk.
On occasion, the filter messes up big-time. I don’t know about you, but even the last issue of the Windows Secrets Newsletter got bounced into my Outlook 2003 junk folder. Nobody knows how or why Outlook 2003 tags perfectly legitimate messages as junk. In the case of the last newsletter, it may be because our writers repeatedly use certain words (“virus,” “free”) that are frequently associated with junk. Microsoft doesn’t give out the details, for competitive reasons.
Self-serving tip: If you’re using Outlook 2003, take a moment right now to right-click on this message in the message list, then click Junk E-Mail and then Add Sender to Safe Senders List. That’ll keep Outlook’s mitts off your newsletters.
In the past month, I’ve discovered a handful of other nonjunk messages in my Junk folder — including some important stuff that I really needed to see. The bottom line strikes me as biblical: those who live by the sword die by the sword. Outlook 2003’s junk filter is a long, long way from perfect. The scanner that assigns SCLs is far from perfect. And all this forms the foundation for Microsoft’s new anti-phishing feature.
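To make the Bayesian part of this concrete, here is an added example in Python. It is my illustration, not Microsoft's code: Outlook's real dictionary, weights and threshold are unpublished, so the toy training corpus, the 0-to-9 scale standing in for the SCL, and the junk threshold of 5 are all assumptions. It scores a message from the words it contains, applies the Inbox-or-Junk routing rule, and honors a Safe Senders List the way the tip above describes. It also reproduces the failure mode: a newsletter blurb that repeats "free" and "virus" gets a high score and lands in Junk E-Mail, until the sender is on the safe list.

```python
import math
import re
from collections import Counter

# Constructed toy training corpus. Outlook's real dictionary and weights are
# not published, so this stands in for them.
SPAM_TRAINING = [
    "free virus removal click now limited offer",
    "free prize winner claim your money now",
    "cheap meds free shipping order now",
    "you are a winner free money act now",
]
HAM_TRAINING = [
    "meeting tomorrow about the quarterly budget review",
    "attached is the agenda for the project status meeting",
    "can you review the draft report before friday",
    "newsletter this week covers the outlook junk filter update",
]

WORD = re.compile(r"[a-z]+")


def tokenize(text):
    return WORD.findall(text.lower())


class BayesScorer:
    """Multinomial naive Bayes over words; scl() maps P(spam) onto a 0-9 scale."""

    def __init__(self, spam_docs, ham_docs, alpha=1.0):
        self.alpha = alpha
        self.spam = Counter(t for d in spam_docs for t in tokenize(d))
        self.ham = Counter(t for d in ham_docs for t in tokenize(d))
        self.vocab_size = len(set(self.spam) | set(self.ham))
        self.spam_total = sum(self.spam.values())
        self.ham_total = sum(self.ham.values())
        self.prior_spam = len(spam_docs) / (len(spam_docs) + len(ham_docs))

    def _log_p(self, counts, total, token):
        # Laplace smoothing: a word never seen in one class must not zero the product.
        return math.log((counts[token] + self.alpha) / (total + self.alpha * self.vocab_size))

    def spam_probability(self, text):
        log_spam = math.log(self.prior_spam)
        log_ham = math.log(1 - self.prior_spam)
        for tok in tokenize(text):
            log_spam += self._log_p(self.spam, self.spam_total, tok)
            log_ham += self._log_p(self.ham, self.ham_total, tok)
        # Turn the log-odds back into a probability without under/overflow.
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def scl(self, text):
        # Assumed 0-9 scale standing in for Outlook's Spam Confidence Level.
        return round(9 * self.spam_probability(text))


def route(scorer, text, sender, safe_senders=frozenset(), threshold=5):
    """Inbox or Junk E-Mail: a sender on the Safe Senders List bypasses the score."""
    if sender.lower() in safe_senders:
        return "Inbox"
    return "Junk E-Mail" if scorer.scl(text) >= threshold else "Inbox"


# A constructed newsletter blurb that repeats words the toy corpus treats as spam.
NEWSLETTER = "newsletter: free virus tips, free update, free tools, free download"

if __name__ == "__main__":
    s = BayesScorer(SPAM_TRAINING, HAM_TRAINING)
    for msg in ("free money winner click now",
                "agenda for the budget meeting tomorrow",
                NEWSLETTER):
        print(f"SCL={s.scl(msg)} -> {route(s, msg, 'editor@example.net')}: {msg}")
    # Same newsletter, but with the sender on the Safe Senders List:
    print(route(s, NEWSLETTER, "editor@example.net", {"editor@example.net"}))
```

The scorer never sees who sent the message, only its words, which is why a legitimate mailing can score like spam; the safe-sender check runs before the score is consulted, so it is the only reliable way to keep such mail out of Junk.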
How antiphishing works — really
In order to get the anti-phishing feature to work, you have to download and install Office 2003 Service Pack 2 (see my diatribe in the paid version of the last issue of Windows Secrets Newsletter), and you have to download and install one of the recent Outlook 2003 Junk E-Mail Filter updates.
Once the pieces are installed, Outlook 2003 changes in three important ways:
1. The scanner tacks a new number on each message. As incoming messages come down the pike, the junk e-mail filter examines each message and assigns each message a new number. This is its Phishing Confidence Level (PCL), presumably calculated by analyzing hyperlinks within the message. (Microsoft isn’t talking about any of the details, natch.)
The junk e-mail filter then scans for all of the usual spam confidence level stuff — looking up “good” and “bad” words and the like — and takes into account the PCL when coming up with an SCL. The message gets branded with its PCL value, as well as its SCL. This new, improved, PCL-sensitive SCL determines whether a message ends up in your Inbox, or in your junk folder.
2. The behavior of messages in the junk folder changes. When you look at a formatted (HTML) message in your junk folder, Outlook takes away all the formatting in the message. This shows you only the text that sits behind the message’s pretty face. So, for example, if you have a message in your junk folder that includes a picture, Outlook won’t show you the picture. Instead, it shows you the link that pulls the picture in from the Internet. If you have a message that includes a hot link with the text, “Click here to go to Wells Fargo,” you’ll see that text, as well as the full-text link that sits underneath the text. This is the page on the Web you would actually go to if you clicked the link.
In addition, all of the links in messages in your junk folder are disabled. You can click until you’re blue in the face, but Outlook won’t let you “click through.” When Outlook takes control and refuses to show you the message as it was formatted, a bar appears at the top of the message saying, “This message was converted to plain text.” Click the bar and you can restore the message to its original HTML formatted glory — but the links still won’t work.
3. Some other messages can have their links turned off, too. Messages with a high PCL value (again, Microsoft isn’t giving any calculation details) that weren’t sent to your junk folder also have their links disabled. A bar appears at the top of any message mangled thusly saying, “Click here to turn on links. To help protect your security, links are turned off in this message.”
If you click on a link in a PCL-censored message, Outlook presents you with a message telling you how to turn links back on again, but it doesn’t “click through” to the intended destination.
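Here is an added example of the link-handling side of points 1 through 3, in Python. It is my illustration, not Microsoft's code. Because Microsoft does not publish how the PCL is calculated, the heuristics here (a raw IP address as the host, a user-info "@" placed before the real host, and link text that names a different host than the href) and their weights and the cutoff of 3 are my assumptions. The message bodies are constructed samples using reserved documentation addresses and domains. The code renders an HTML message as plain text the way point 2 describes, with each picture replaced by its source URL and each clickable phrase followed by its real destination, then scores the links and decides whether they stay enabled as in point 3.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample messages (not real mail). 203.0.113.0/24 and the .example
# domain are reserved for documentation, so nothing here resolves anywhere.
SAMPLE_PHISH = """<html><body>
<p><img src="http://203.0.113.9/logo.gif"> Dear customer,</p>
<p>Please <a href="http://www.bank.example@203.0.113.9/login">Click here to go to Wells Fargo</a>
to verify your account, or visit <a href="http://203.0.113.9/">https://www.bank.example/</a>.</p>
</body></html>"""

SAMPLE_BENIGN = """<p>Your statement is ready: <a href="https://www.bank.example/statements">view it online</a>.</p>"""

# A hostname-looking token inside visible link text, e.g. www.bank.example
HOST_IN_TEXT = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkExtractor(HTMLParser):
    """Builds a plain-text rendering and collects anchors and image sources."""

    def __init__(self):
        super().__init__()
        self.parts = []       # pieces of the plain-text rendering
        self.anchors = []     # (display text, href)
        self.images = []      # img src values
        self._href = None     # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            # Instead of fetching the picture, show where it would come from.
            self.images.append(a["src"])
            self.parts.append(f"[image: {a['src']}]")
        elif tag in ("br", "p", "div", "tr", "li"):
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.anchors.append((text, self._href))
            # Show the real destination right next to the clickable text.
            self.parts.append(f"{text} <{self._href}>")
            self._href = None

    def handle_data(self, data):
        (self._text if self._href is not None else self.parts).append(data)


def to_plain_text(html):
    """Return (plain text, anchors, images) for an HTML message body."""
    p = LinkExtractor()
    p.feed(html)
    p.close()
    text = re.sub(r"[ \t]+", " ", "".join(p.parts))
    text = re.sub(r"\s*\n\s*", "\n", text).strip()
    return text, p.anchors, p.images


def link_findings(text, href):
    """Assumed PCL heuristics for one link: a list of (reason, weight)."""
    u = urlsplit(href)
    host = (u.hostname or "").lower()
    found = []
    if u.username is not None:
        # http://www.bank.example@203.0.113.9/ really connects to 203.0.113.9
        found.append(("userinfo-before-host", 3))
    try:
        ipaddress.ip_address(host)
        found.append(("raw-ip-host", 3))
    except ValueError:
        pass
    m = HOST_IN_TEXT.search(text)
    if m and m.group(1).lower() != host:
        # The visible text names one host while the href goes to another.
        found.append(("display-host-mismatch", 3))
    return found


def analyze(html, pcl_threshold=3):
    """Plain-text rendering plus an assumed 0-9 PCL and the links-on/off decision."""
    plain, anchors, images = to_plain_text(html)
    reasons = [(href, name, w)
               for text, href in anchors
               for name, w in link_findings(text, href)]
    pcl = min(9, sum(w for _, _, w in reasons))
    return {"plain_text": plain, "anchors": anchors, "images": images,
            "pcl": pcl, "reasons": reasons, "links_enabled": pcl < pcl_threshold}


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_BENIGN):
        r = analyze(sample)
        print(r["plain_text"])
        print(f"PCL={r['pcl']} links_enabled={r['links_enabled']} reasons={r['reasons']}\n")
```

On the constructed phishing sample the plain-text view exposes what the HTML hid: the "Click here to go to Wells Fargo" phrase is followed by a URL whose real host is 203.0.113.9, and the second link's visible address does not match its href, so the assumed PCL saturates at 9 and links are turned off. The benign statement notice scores 0 and keeps its links.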
Microsoft explains how Outlook 2003’s new phishing feature works and how to download it in an assistance document.
Note: Part 2 of Woody’s special report, which includes ways you can configure Microsoft’s antiphishing technology, is included in the paid version of this week’s newsletter — see below.
Woody Leonhard‘s latest book is Windows XP Hacks & Mods For Dummies, published by Wiley.
Microsoft goes antiphishing