85 - Spammers, HTML email image web bugs and why Outlook 2003 no longer protects you
I just discovered a damn nasty trick spammers are starting to use to get past Outlook 2003’s ability to block image download for potentially unsafe images.
For those unaware, Outlook 2003 specifically stops HTML email images from being downloaded unless you specifically allow them. There are several ways to do this: on a per-message basis, and through a safe senders list.
My personal account is on a domain where several users send HTML emails here and there. I got tired of downloading them individually and just marked the domain on my safe senders list. I also have my settings so those on my safe senders list allow image downloads automatically.
What are spammers doing now? They are forging the from address to appear to come from a random user at MY domain! Easy enough for me to fix since there are only several users (I’ll add them specifically as safe senders and remove the domain as safe), but let’s say you’re at a company of 50, or 100, or heaven forbid, 50,000! Will you really mark each individual person’s email as safe? NO, you’ll mark the domain as safe.
Given that, if you want to avoid spammers using graphical web bugs, you can either choose to shut down auto download of images for safe domains, not add your own domain to the safe domains list (and have to download them EACH time), or deal with the fact that you are no longer afforded any protection.
Time for the PMs at Microsoft to take a second look. The functionality was an EXCELLENT idea, but it looks like the bad guys finally found a way around it. Let’s go back to the drawing board please…
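A mail-side check for the gap described above, added here as an example and not part of the original post: it flags messages whose From header claims your own domain without a verified result and lists the remote images that a safe-domain rule would fetch automatically. It assumes the receiving mail server stamps an `Authentication-Results` header carrying a DMARC result; `example.org`, `mx.example.org` and the sample message are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample: From claims example.org, but DMARC failed on receipt.
SAMPLE = (
    'From: "Colleague" <someone@example.org>\n'
    "To: me@example.org\n"
    "Subject: Quarterly update\n"
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bulk.example.net;"
    " dmarc=fail header.from=example.org\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "\n"
    '<html><body><p>Hi</p><img src="http://tracker.example.net/p.gif?id=123"'
    ' width="1" height="1"></body></html>\n'
)


class RemoteImageFinder(HTMLParser):
    """Collects <img> sources that would cause a network fetch when rendered."""

    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        src = (dict(attrs).get("src") or "").strip()
        if tag == "img" and re.match(r"(?i)(https?:)?//", src):
            self.remote.append(src)


def assess(raw, own_domain, authserv_id):
    """Return (verdict, remote_image_urls) for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    finder = RemoteImageFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    verified = False
    for value in msg.get_all("Authentication-Results", []):
        fields = [f.strip() for f in str(value).lower().split(";")]
        # Only trust results stamped by our own server (assumed authserv_id).
        if fields[0].split(" ")[0] == authserv_id.lower():
            verified |= any(f.startswith("dmarc=pass") for f in fields[1:])
    if from_domain != own_domain.lower():
        return "external", finder.remote
    return ("own-domain-verified" if verified else "own-domain-unverified"), finder.remote
```

A message that comes back as `own-domain-unverified` with a non-empty image list is the case where a domain-wide safe senders entry would trigger the download on the strength of the From header alone.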












