Re: DNS queries on HTML mail in Outlook

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 2 May 2005 20:50:19 -0500

Hi Danny,
Agreed, its some pretty weird stuff. I leave HTML mail open because I
have four AV and spam relays in front of my Exchange Server, and I run
AV and antispyware on my hosts. So, I guess if HTML mail is that robust,
it deserves to infect him. I haven't been nailed by it in over 7 years,
so maybe my time is running out :-))

I've notice this phenomenum before, but never got around to asking
anyone about it. What's interesting is that it bypasses the Web proxy
and firewall client configuration, as the queries are generated by the
SecureNAT client config. I *think* this may be related to a bug in
Outlook 2003 and its HTTP handling. I recall some with Microsoft QFE
mentioning this to me, I'll have to ask him about this. 


Tom and Deb Shinder's Configuring ISA Server 2004
MVP -- ISA Firewalls

-----Original Message-----
From: Danny [mailto:nocmonkey@xxxxxxxxx] 
Sent: Monday, May 02, 2005 1:45 PM
To: [ExchangeList]
Subject: [exchangelist] Re: DNS queries on HTML mail in Outlook

On 5/2/05, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> Hey folks, 
> Here's an interesting finding on an Outlook 2003 client. I found that
> an HTML message comes in that has A HREF references to it, Outlook
does a
> DNS query for the domains included in the message. I have pack
> showing this. Anyone ever head of such a thing? 

Interesting.  Any other interesting traffic?

I wouldn't know because I only read email in plain text format with
Microsoft products.  This is a significant malware mitigation


List Archives:
Exchange Newsletters:
Exchange FAQ:
Other Internet Software Marketing Sites:
World of Windows Networking:
Leading Network Software Directory:
No.1 ISA Server Resource Site:
Windows Security Resource Site:
Network Security Library:
Windows 2000/NT Fax Solutions:
You are currently subscribed to this Discussion List as:
To unsubscribe visit
Report abuse to listadmin@xxxxxxxxxxxxxx

Other related posts: