[Outlook/Outlook Express] - Prevent Malicious Embedded IFRAMES??

Outlook version: Outlook 2000 / Outlook Express 6
Operating System: Win98SE
IE version: 6 with latest SP
{Security - Launching programs and files in an IFRAME is set to
PROMPT}
Antivirus: Norton AV 2002 with latest definitions

Having upgraded IE6 to the latest SP, I thought it was supposed to
prevent any embedded IFRAME code execution.

I have been getting HTML Mail from various senders that have the
content shown below. I can not find any attachments, nor any malicious
code in the HTML saved when saving the message.

Here is the source of the HTML in the message, I saved it to my local
drive:
/*
replaced the < and > with [ and ] and
my address with xxx@xxxxxxxxxxxxxxxxxxx.com
*/

[!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"]

HTML:

[HEAD]
[META http-equiv=Content-Type content= "text/html; charset=iso-8859-1"]
[META content= "MSHTML 6.00.2800.1106" name=GENERATOR][/HEAD]
[BODY][B]From:[/B] 22factoring [22factoring@terra.com.pe][BR][B]Sent:[/B] 
Thursday, November 21, 2002 5:22 PM[BR][B]To:[/B] 
[email]xxx@xxxxxxxxxxxxxxxxxxx.com[/email][BR][B]Subject:[/B] FrameSpacing[BR][IFRAME 
src= "cid:V34j80Mb14" width=0 height=0]
[/IFRAME][FONT 
size=+0][/FONT][/BODY]

However, upon viewing the msg, an email is placed in the Outbox and
sent with NO HEADERS and only the minimum forwarding headers for a
forwarded message and sent to only ONE of person in my address book, It
is always the same person, too. When I check Options on the message, the
Internet headers are completely empty!


Here is the message that was sent out, I saved it to my local drive:
/*
replaced the < and > with [ and ] and
my address and recipient's address with
xxx@xxxxxxxxxxxxxxxxxxx.com
*/

[!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"]

HTML:

[HEAD]
[META http-equiv=Content-Type content= "text/html; charset=iso-8859-1"]
[META content= "MSHTML 6.00.2800.1106" name=GENERATOR][/HEAD]
[BODY][B]From:[/B] [email]xxx@xxxxxxxxxxxxxxxxxxx.com[/email][BR][B]Sent:[/B] 
Thursday, November 21, 2002 8:48 PM[BR][B]To:[/B]
[email]xxx@xxxxxxxxxxxxxxxxxxx.com[/email][BR][B]Subject:[/B] FW: FrameSpacing[BR]
[DIV] [/DIV]
[BLOCKQUOTE 
style= "PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px 
solid"]
  [DIV class=OutlookMessageHeader dir=ltr align=left][FONT face=Tahoma 
  size=2]-----Original Message-----[BR][B]From:[/B] 22factoring 
  [mailto:22factoring@terra.com.pe][BR][B]Sent:[/B] Thursday, November 
21, 2002 
  5:22 PM[BR][B]To:[/B] [email]xxx@xxxxxxxxxxxxxxxxxxx.com[/email][BR][B]Subject:[/B] 
  FrameSpacing[BR][BR][/FONT][/DIV][IFRAME src= "cid:V34j80Mb14" width=0 
  height=0]
[/IFRAME][/BLOCKQUOTE][FONT size=+0][/FONT][/BODY]

Usually when you have a cid:xxxxxx you have an attachment or in-line
FILE. In this case, I see neither: cid:V34j80Mb14 (these numbers are
random in each msg)

Please tell me how to avoid this happening, it is driving me, and
my driend nuts. I'm pretty sure that many folks out there are seeing the
same thing happen on their system, they just don't know what is causing
it...

How can I disable embedded Scripting in Outlook?

 

Have you moved OE from the Restricted Sites Zone or altered the default security settings for that Zone?

 

I don't think so, I'll have to check.

This is primarily happening at home with OL2K.
I don't have any problem with OE6 doing it at
work because I get the same messages as I
have my account at work setup to leave
messages on the server.

It is a very puzzling dilemna I have here as it
only sends the msg to one of my contacts and it
is always the same one. I can not find any code
in the message that would actually send the msg.

 

I am a developer by trade and am very computer literate. I have tried everything I know to figure this one out and none of the
so-called MVP's on the MS NG's will help. I have found that if the
question isn't easy, the MVP's won't help...

 

The forwards can't be the result of something as obvious as rule? Can they?

 

God, no, I wouldn't be *that* dumb..I have no forwarding rules in
effect, or even defined..

 

As you state, you experience the problem with Outlook. Not Outlook Express. Moving this to the Other Internet Software forum.

And please do not cross post into other forums in order to draw attention to your thread. Simply reply to the original thread so it will be bumped to the top.

Thank you for your cooperation.

 

I'd recommend getting another opinion about whether or not the system is clean. You need to be sure.

HOUSECALL http://housecall.antivirus.com/ (free scan)

SYMANTEC http://security2.norton.com/ssc/home.asp?langid=ie&venid=sym&plfid=23&pkj=QRPSFCSGFZVDTPSOERZ (free scan)

GRISOFT http://www.grisoft.com/html/us_index.htm (free AV software and updates)

TROJANS:

TAUSCAN http://www.agnitum.com/download/ (free trial)

PANDA http://www.pandasoftware.com/ (free scan)

VIRUS REMOVAL TOOLS: http://securityresponse.symantec.com/avcenter/tools.list.html (free downloads for specific needs)

 

I was wondering HOW to get the post moved to the SECURITY/VIRUS section...

 

Do you think you could move it THERE, please??

 

Have you read this Microsoft Knowledge Base article?

OL2000: Scripts Embedded in HTML Messages Run Without Warning