The Microsoft Attack on Email

A Rant on Outlook and Outlook Express

I am refraining from writing this as a scream only because that would make it unreadable. I feel that scream in every word.

Microsoft's Outlook and Outlook Express mailers are destroying Internet email. By their crappy design and incompetent coding they make email easier to abuse and harder to use safely and effectively. As a result of Microsoft's insidious and unethical marketing tactics, these pieces of repulsive crapware have managed to become the norm for many users and that is a threat to the survival of email.

Standards? What Standards?

The Internet works based on open standards. There can be dozens of different vendors selling mail clients and mail servers because there are clearly defined standards for how mail works. The formal standards for mail transport and formatting are RFC821 and RFC822, which have been updated and clarified to document actual modern practice by RFC2821 and RFC2822 after about 20 years of use. There's not a lot of major difference between RC822 and RFC2822, and Microsoft gets an area which is carefully specified in both wrong. This is the issue of comments inside email addresses. Here's an address with a comment in it: bill-olrant(Bill Cole - Outlook Rant) If you are using a Microsoft mailer, try using that address to mail me and see what happens. If you are using a Microsoft mailer, it will not really work. It may even cause Outlook to lock up if you try to send the mail. If you use a standards-compliant mailer, you will have no trouble sending the message. The part in parentheses is a comment: a feature of standard Internet email addressing which is rarely used in that particular way, but one which is clearly and explicitly documented in both the formal standard (RFC822) and in its update (RFC2822.) Microsoft ignores that.

What actually set me off to put this rant all down on a web page was a simple problem that acted as the last straw. I have a web page discussing anti-spam blacklists. It has a contact address in it as a mailto link. To thwart spammers harvesting addresses, I used a perfectly standard but rather uncommon format for the mail address, a form that web-harvesting spammers and their badly written spamware either do not understand as a valid address or fail to normalize to anything that results in mail actually being offered anywhere. It works for keeping the mailto link functional for everyone using a standards-compliant mailer, but it keeps the spam down and breaks for 2 sorts of users, as far as I can tell: spammers and users of Microsoft's garbageware mailers. I will not accommodate this incapacity, and I will not apologize for using a standard that has been in existence since before Microsoft acknowledged the existence of the Internet. If you cannot send me mail at the links on this website, it is because you are using broken software, and I will not do anything to work around that brokenness. If you read through the RFC's and poke at a Microsoft mailer to see how it acts, there are a variety of areas where you can find such dropping of features by Microsoft, for reasons that are hard to fathom. My guess is that rather than building the Internet email side of their mailers by examining the standards, the fine minds at Microsoft looked at what they could see of other Internet email clients and mimicked it. Cargo-cult software design. Or worse...

The Busby Berkeley School of Software Design

Anyone over a certain age will probably recognize the phrase "Hey kids, let's put on a show!!! We can use my uncle's barn!" as close to something Mickey Rooney said in some movie where he may or may not have been playing Andy Hardy but did need an excuse to do some singing and dancing, probably with Judy Garland. And amazingly, it seems that putting on a show is something that took him and all his friends little more than enthusiasm and a barn. It makes a nice sweet movie. In the real world, any complex endeavor is aided by learning from those who have done the same thing before you and by paying attention to the details.

Microsoft seems to have come up with Outlook and Outlook Express in the same way that Mickey Rooney's character produced a stage show. Rather than looking at the formal standards for Internet email and the many existing mailers and how they behaved and more importantly how they DID NOT behave, it seems that MS came up with a concept of a really cool mail program that would do everything for everyone as simply as possible and generate the least mystification and require the least thought by users to do anything mail might be asked to do. Microsoft succeeded. They created mail programs that can be run by even the most easily mystified and unthinking users, which will do things that no one before considered it reasonable or safe for any mailer to do. This is not a good thing. In the past, mailers handled mail. Some mailers understood de facto standards like uucode and formal standards like HTML and MIME to the extent that they could split off the attachments included in mail in a reasonable way or lay out the text in some fashion suited to its marked-up structure. Microsoft seems to have never considered why most of their predecessors in mailer development never went further. There were very good reasons.

The Hoax Made Real

In the mid-90's, a hoax email was circulated claiming that there was a terrible new 'virus' carried in email that would infect any machine on which it was opened, without the user doing anything more than reading the mail. The hoax mail helpfully warned of this mythical uber-virus being sent in mail with the subject "Good Times." The hoax mail of course was usually sent with the subject "Good Times." For all the self-referential truth-in-falsehood elegance of this hoax that was not a hoax warning of itself in the third person by describing an impossibility that it in fact made true, this hoax hit enough people who did not get the joke that a lot of more clueful people had to explain the whole issue. The explanation essentially goes like this:

Viruses can't spread by email, because email is data, not code. You can pass code around in email, but no mail program ever would execute code received in email without active involvement of the user, because doing so would be an incredibly dumb thing to do. Anyone can email anything to anyone else so email programs that executed code received in email would generate a flood of attacks and practical jokes flying around to the point where it would kill email, so no sane software developer makes such a thing possible.

This explanation failed to account for the existence of Microsoft.

Netscape makes a bad role model

Unlike virtually every other mailer in existence, Microsoft's mailers were designed to automatically execute code received in email without even consulting the user. This is not some accident of coding that opened a 'hole' for malicious code to squeeze through, it is a matter of intentional design. An intentional design that ignored years of Internet history preceeding Microsoft's entry, scores of existing mailers, and even the current affair of a mental 'virus' which required explanation in terms of what no developer of email software would ever be reckless enough to do. The one bad example MS had leading them to this was Netscape. Netscape, a company which exemplified the Busby Berkeley world-view in all areas, had originally written their Communicator mail module so that it used the full HTML rendering facilities of their browser module, including execution of JavaScript code. Netscape was widely criticized for this, and was swiftly convinced to switch the default settings for Communicator to not run JavaScript or any other embedded code from email. Microsoft ignored the trailing part of that story, and simply borrowed the idea of web browser-mailer integration.

The Treehouse Risk

Why don't people build dwellings in trees? That question comes to mind when watching Peter Jackson's compelling portrayal of Lothlorien in The Fellowship of the Ring, but anyone who thinks about it for long understands why not: trees grow. Trees grow unevenly and unpredictably. The subtext to Lothlorien is that the Elves can control and direct that growth.

By building Outlook and Outlook Express to use the then-immature Internet Explorer HTML rendering engine, Microsoft was in effect putting a treehouse in a young scrub pine. They should have known that this was risky and would continue to be risky and to generate new risks every time IE was pushed forward in some unanticipated direction. Beyond that, the conceptual design was bad: incoming mail is simply handed to the HTML handling routines without consideration that mail, unlike web content, can arrive totally unbidden from totally unknown sources. All the lax security and sloppy programming that has plagued Microsoft's web browser since its inception has therefore also generated problems for the mailers, because the mailers use the same crappy code.

Everything is part of the OS, really

Building mailers that way is part of a larger Microsoft design decision based in part not on wise software design principles but on legal strategy. Since the mid-90's, Microsoft has had special legal scrutiny of their behavior regarding application software, particularly Internet-related application software, and their mailers have been part of this.

Rather than build big self-contained applications that can be identified as "Outlook" or "Internet Explorer" in an easy way, Microsoft has built a lot of new functionality into shared libraries with no direct user interface which are distributed as part of Windows. These libraries (for things like mail functionality and HTML handling) are then used by fairly small, fairly dumb applications. This is not all bad. It means that in theory there is a lot of operating system functionality present which any application developer can simply wire together to make their own apps to compete with Microsoft's own. That would be true if Microsoft played completely fairly with documenting the interfaces to that functionality, but there have been accusations leveled at them for years that they have done no such thing, and that in fact their own application designers have had input into system-level functions and have had better documentation sooner for those functions than any external developers. I am not capable of discerning the truth of those accusations. What I do know is that the result of this is that much of the configuration data and even application data that would be isolated to the user-level mail application in other platforms is, for a Windows machine using Microsoft's mail tools, available to any running program through system calls that require no user interaction. Various worms have used this quirk to send mail out which looks exactly like mail which the user of the infected machine might send, even though that user never had any idea the mail was being sent. Worms have been seen to access user mailboxes, preferences, and caches. They can even connect to and log into mail and news servers using stored preferences and passwords.

Note that a lot of this is not rocket science: even the usually low-skill people who write malware could probably code up the sending of mail if it were not present in system libraries. What Microsoft's design offers them that they cannot get any other way is access to a self-consistent working mailer/newsreader configuration and an address book that hugely increases the chances of malware being able to deliver mail, to get it seen by the target and to have it trusted.

Don't worry, Uncle Bill will handle all that technical stuff for you

Computers are not human. The fundamental logical model of modern computer systems is an evolutionary result of decades of computer hardware and software design. This evolution has brought us to a situation where computer systems can almost mimic and model many of the ways humans think. Almost. One area where the rough edges cause big trouble when mis-handled is in the semantics of opening an object. Windows (like DOS before it) has always handled that semantic problem weakly and rather carelessly, and in building upon the quicksand foundation of filetyping by name extension, Microsoft has added layers of protection to keep users from having to think about the sort of 'opening' they are doing and what precisely it means: opening a file with a particular program, treating it as a particular data type, opening a directory for browsing, opening an application program to do whatever it does, etc. Windows, taking after a long line of abstraction and blurring of the 'open' concept in computing, has gone a step too far and uses multiple mechanisms for determining what to do. The result is that what will happen when a user indicates a desire for the opening of a thing that looks like it might be a file in Windows is almost beyond prediction: you may open a data file in your program of choice or you may run the latest worm. The most unfortunate aspect of this is that what will happen is so unpredictable that even Microsoft's own mailers can't be sure what will happen in response to a click that they handle to open a file that they have control over. Despite years of patching and tweaking, they keep being subject to attacks where the weakness is a failure to warn the user of potentially (but not necessarily) dangerous behavior in 'opening' objects linked to mail.

What it all means

In the end, what it means is simple: every single piece of malware capable of propagating itself via email without a user actively deciding to do something obviously stupid (like run a program received unexpectedly via mail) has relied on Microsoft mailers. Every time you have seen a news story about a new 'email virus' and every time you get a piece of email that your anti-virus software eats, and every time you hear of people getting infected with something nasty via email, the truth is that these are not 'email' vectors but very specifically Microsoft mailer vectors. While some also prey on user stupidity (e.g. the Swen variants that claim to be updates from Microsoft) they all rely on the careless design and afterthought security of Microsoft's mailers.

And Furthermore...

Since posting the URL of this page in a few places, I've had some very supportive mail. I find it amusing that I've not had anyone challenging this rant, since I make no claim to perfection and could be wrong on some point. However, the mail I have received has all encouraged me to add mention of other problems with Microsoft's mail software. I have responded directly to some of this mail and will respond here to the general class of mail.

I cannot claim to know all the problems with MS mailers, and don't seek to know them all. It is clear from occasionally being forced to use them and from mail I have received from others in that predicament that they are deeply flawed in a myriad of ways that primarily only affect users of the programs. As lousy as the user experience might be for users of Outlook and Outlook Express, I can't bring myself to care about that. I care about the broken pieces of those programs generating exit-wound splatter that has to be dealt with by those of us who have not chosen to be involved with the Microsoft mess. Even if you insist upon using some flavor of Microsoft Windows, you can choose better email software that does not have the same level of interoperability problems with the rest of the world and does not make your system a ripe target for mail worms. If you choose to use a Microsoft mailer anyway, I have no sympathy for your inabilities to

As a 'rant,' I have no intention of making this page an ongoing project which I edit as people inform me of an unending stream of new Outlook problems. This rant was generated by 2 spikes of interop trouble from Microsoft's mailers: the start of the now-permanent stream of new MS mailer worms and complaints by a number of users about how the addresses on this web site are formatted, with some users beligerently accusing me of an 'attack' because that standard-but-strange address format is mishandled.