Spamnet add-in to Outlook

[tdog]

Hello,

I and other enterprise users are running Outlook 2003 with SpamNet 3.0 and
we get the "A program is trying to access e-mail addresses..." pop-up. This
occurs even though we have trusted spamnet.dll in our Outlook Security
Template per the reference in the Cloudmark Knowledge Base which points to
the Microsoft ORK article. ActiveSync is not installed on my system and never
has been (brand-new system).

Has anyone else had any luck getting the trust to work for the SpamNet
plug-in? Thanks!

cheers /td

 

[Sue Mosher [MVP-Outlook]]

Sounds like the trust mechanism isn't working, either because the folder is
in the wrong place, the required client registry entry isn't set, etc. In
any case, Outlook 2003 trusts COM add-ins by default. In other words, if
SpamNet is the only reason you fired up that folder, you don't need it.

 

[tdog]

Sue,
Thanks for the response. The Outlook Security Settings folder is in the
Public folder structure in Exchange, the affected clients have the proper
CheckAdminSettings value in the Registry (it was also set up to address the
PDFMOutlook.dll issue which produces similar pop-ups, and it does fix that
issue if you have certain Programmatic Settings approved - trusting the DLL
in Trusted Code does nothing), yet we still have many users getting the
security model pop-ups in OL2003 when SpamNet 3.0 is installed.

I have read in several places that OL2003 allegedly trusts COM add-ins;
however, we are not the only users experiencing the problem (and we don't
have ActiveSync installed, which according to Cloudmark can cause the SpamNet
add-in to trigger the pop-ups).

Could there be an issue with the SpamNet DLL coding such that Outlook does
not recognize it (and thus not trust it) correctly?

Thanks.

 

[Sue Mosher [MVP-Outlook]]

Anything is possible, but given that SpamNet works fine without prompts
under the default trust mechanism built into Outlook 2003, their code
doesn't seem to be the problem.

Are you sure you trusted the correct .dll? If I were you, I'd be discussing
this issue with CloudMark.

My guess about PDFMOutlook.dll is that it is not properly constructed to
take advantage of the trust mechanism.

--
Sue Mosher, Outlook MVP
Author of
Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers

 

[tdog]

Sue,

Thanks. I agree that setting up the Outlook Security Template and not
utilizing the default security may cause SpamNet to trigger the pop-ups.

The spamnet.dll file is the correct add-in to trust (I've been working with
Cloudmark on the issue); however, the Template itself seems to periodically
fail and must be re-created (it gives an error about permissions/passwords
sometimes when we modify the template, and this appears to destroy its
functionality). I think it's odd that when changes are made, we are never
prompted for a password as the MS documentation suggests we should be. Do you
know why that may be?

I agree also that the PDFMOutlook.dll file does not seem to be coded to take
advantage of the built-in Outlook 2003 trusts.

The best scenario, then, is probably to use NO Security Template but allow
the default security model to rule to alleviate the SpamNet pop-ups, and then
disable the PDFMOutlook.dll add-in from loading with Outlook (in the
Registry). I'm still curious about why the Security Template is behaving in
the manner it does - any ideas or suggestions on that would be greatly
appreciated.

As always, thanks so much for your help, Sue.

cheers /td

 

[tdog]

....and while we're on the subject, does anyone know the difference between
"accessing address information via Outlook security model" vs. "accessing the
address book via Outlook security model" in the Programmatic Settings tab of
the Outlook Security Template?

In practice, setting the former but not the latter to Automatically Approve
would seem to allow access to recipient fields (thus allowing new messages to
be created) but not the Contacts/addresses per se, thus a mass-mailer virus
like Mailissa would fail to function properly as it could not populate the
new messages it generates with addresses from the Contacts list.

But that is my rudimentary understanding at work also...we're just trying to
get a handle on how open/vulnerable clients would be with such settings
enabled. Thanks.

 

[Sue Mosher [MVP-Outlook]]

If you're modifying the security settings item (you should never be
modifying the template itself), open the item, and then choose Edit | Revise
Contents. If you make a change to the members of the item, be sure to make
some other change in the item - perhaps toggling a setting on and off.
Otherwise, Outlook may not save the change to the member list. To save the
changes to the item, choose File | Post. Any other method of modifying the
item may cause problems.

As for the password issue, if you are running Outlook with a profile that
points to a mailbox other than the mailbox for the Windows account that you
are logged in under, you will be prompted for your network credentials the
first time you create a security settings item during a given Outlook
session, you will be prompted for your network credentials. Use the
credentials for the mailbox whose Outlook profile you are using.

--
Sue Mosher, Outlook MVP
Author of
Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers

 

[Sue Mosher [MVP-Outlook]]

I think "address information" may cover reading properties like
Email1Address, Body, etc. while "accessing the address book" may refer to
actual address book reads. The only way to know which is relevant to a
particular application is to run it and test.

New messages can always be created without security prompts. It's reading
addresses/address book information that is blocked, to prevent harvesting of
those addresses.

 

[tdog]

Sue,
Thanks for all the info. I am using an Outlook profile that points to my
mailbox as I am logged in to Windows.

I just went to create a new security item (added members in an Exception
Group, toggled settings on, trusted DLL) and used the File-Post method to
save but still got the error message. Weird.

 

[Sue Mosher [MVP-Outlook]]

What's the exact error message? What permissions does your mailbox user have
on the Outlook Security Settings folder?

--
Sue Mosher, Outlook MVP
Author of
Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers

 

[tdog]

The error is "The access levels on this security setting
cannot be saved, probably because of an invalid
password. This setting is currently set as a default
setting for all users. You should either delete the
setting or save it again, and type the correct
password."

If you then close the form, the changes remain, yet the settings no longer
appear to work.

I am a member of a group who has Owner rights to the OSS folder. Could that
have anything to do with it, i.e. should I be added singly as Owner and not
as a member of a group? Thanks.

 

[Sue Mosher [MVP-Outlook]]

Were you trying to modify the default item in the folder or a settings item
for particular people/groups?

I haven't tried it with group permissions on the folder. Might be worth
seeing if the behavior changes if your individual mailbox has Write access.
(Owner is more than you need.)
--
Sue Mosher, Outlook MVP
Author of
Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers