When Outlook doesn’t detect a spam message

A current example of what to watch for and what to do when Outlook doesn’t detect a new type of spam message.

In the last day or so we’ve started seeing some obvious spam messages in our Inbox. ‘Obvious’ to us but not to Outlook 2007’s Junk e-mail filter on the ‘High’ setting. We’ve received over 20 in a day with none detected by Outlook 2007.

The message is a typical ‘Greeting Card’ message, pretending to be from one of the electronic greeting card sites. (We’ve blurred some items for privacy or security reasons.)

[Image: Outlook 2007 - fake Greeting card message]

It has several ‘points of interest’ as Sherlock Holmes might say:



  • The From email address changes in each copy of the message. Each address is faked and if it’s someone’s real address they are almost certainly unconnected with the unwanted mailing. In other words, there’s no point in replying.
  • GreetingCard.org is a real web site but the main link in the message (blurred for security reasons) is NOT to that web site.
  • The main link in the message ends with ‘.exe’ (see circled text) denoting a download of a program – that’s never a good idea. This message is particularly blatant; normally spam/phishing emails attempt to hide the fact that they are trying to download a ‘nastie’ to your computer.
  • Outlook 2007 hasn’t detected the message as spam or phishing (the links have not been disabled).
  • This is sent as a plain text message. If Outlook 2007 suspects a phishing message it will display the message in plain text so you can see all the links.

‘Create Rule’ options

Eventually (and hopefully) an update to the Junk E-mail filter for Outlook 2003 and Outlook 2007 will catch these messages. In the meantime you can either delete the messages manually or make an Outlook rule to deal with the messages automatically.

The trick with making any Outlook rule is to make sure the rule applies only to the intended messages – no more and no less. Too broad a rule will work on messages you want to see. Too narrow a rule will leave unwanted messages in your Inbox.

Recent versions of Outlook try to ease rule creation by inserting details from an existing message but sometimes the inserted information won’t work as you’d like – and the spam message above is an example of that.

To start a rule from an existing message, right-click on the message and choose ‘Create Rule’. Here’s what it looks like for the spam message above:

[Image: Outlook 2007 - Create Rule]

You can select one or more of the top three options to define which messages will be affected by the rule. The bottom section controls what happens when a message arrives which matches the conditions. This dialog box is only a small part of the many Outlook Rule options.

The ‘From’ option is a little deceptive. It appears to mean that messages from any account named ‘greetingcard.org’ will satisfy the condition. That’s NOT the case – it actually applies to messages from that name and email address. Since most spam comes from constantly changing (and fake) addresses, choosing this condition for spam messages is fruitless.

The Subject is a more likely candidate for a condition. However, spam subject lines also change from time to time so a condition based on that exact wording might not work for long. Also there’s a slim possibility that you’ll miss a genuine ‘e-card’ sent to you.

To get around these limitations you need to click on the ‘Advanced Options’ button for some more subtle conditions. There’s a long list of conditions but the ones we’re after use the phrase ‘specific words’.

[Image: Outlook 2007 - Specific Words options in rule]

Instead of matching an entire sender’s name you can insert key words or phrases to look for.

In this case we’ve made a rule that looks for the phrase ‘Greetingcard.org’ in the sender’s address which will trigger regardless of the changing email address used by spammers.

‘Specific Words’ conditions are available for the message body (though Outlook doesn’t scan all of a long email), message header, the FROM name/address and the recipient’s name/address. The message subject can also be checked for specific words.

NOTE: this example will also trigger for any legitimate messages you might receive from the owners of the GreetingCard.org domain. If that’s a possibility for you, then you might want to add a subject line condition.

As you can see we’ve selected the action of moving the unwanted message to the Junk E-mail folder (which is where Outlook should put it). That gives us a chance to find the message if the rule catches a legitimate message by mistake.
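The difference between the ‘From’ condition and the ‘specific words’ conditions described above, as an added example (not code from the original article or from Outlook). It models each condition in Python and runs it over three constructed messages; the substring model of Outlook’s matching and the sample addresses, subjects and links are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). Addresses and links use the
# reserved .example name; subjects are invented for illustration.
SAMPLES = [
    'From: "greetingcard.org" <k.lee@mail-one.example>\n'
    "Subject: You have received a greeting card\n\n"
    "View your card: http://files.example/ecard.exe\n",
    'From: "greetingcard.org" <t.ruiz@mail-two.example>\n'
    "Subject: You have received a greeting card\n\n"
    "View your card: http://files.example/ecard.exe\n",
    'From: "GreetingCard.org Billing" <billing@greetingcard.org>\n'
    "Subject: Your subscription receipt\n\n"
    "Manage your account at http://greetingcard.org/account\n",
]
MESSAGES = [message_from_string(s) for s in SAMPLES]

def from_rule(msg, template):
    """'From' checkbox: same display name AND same address as the template."""
    return parseaddr(msg["From"]) == parseaddr(template["From"])

def sender_words(msg, phrase):
    """'Specific words in the sender's address', modelled (assumption) as a
    case-insensitive substring test on the whole From header."""
    return phrase.lower() in msg["From"].lower()

def subject_words(msg, phrase):
    return phrase.lower() in (msg["Subject"] or "").lower()

def has_exe_link(msg):
    """The give-away in the message itself: a link ending in .exe."""
    return bool(re.search(r"https?://\S+\.exe\b", msg.get_payload(), re.I))

def matches(rule):
    return [i for i, m in enumerate(MESSAGES) if rule(m)]

def compare_rules(phrase="Greetingcard.org", subject="greeting card"):
    return {
        "from": matches(lambda m: from_rule(m, MESSAGES[0])),
        "sender_words": matches(lambda m: sender_words(m, phrase)),
        "sender_and_subject": matches(
            lambda m: sender_words(m, phrase) and subject_words(m, subject)),
        "exe_link": matches(has_exe_link),
    }

if __name__ == "__main__":
    for name, hits in compare_rules().items():
        print(f"{name:20} matches messages {hits}")
```

The ‘From’ rule built from the first copy misses the second copy, the sender-words rule catches both copies but also the legitimate message, and adding the subject condition narrows it back to the two spam copies.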