Headers anyone
Whilst they are at it, make it possible to see the headers without doing a jig and sacrificing our first born. To be fair, Microsoft are better than others in this area; Google mail on phones, I am thinking of you.
Users are urging Microsoft to rethink how it shows sender email addresses in Outlook because phishing criminals are taking advantage, using helpful, friendly names to serve up emails loaded with malicious intent. The problem has been rumbling for a while, attracting more than 100 votes in Microsoft's support forums. It isn't a …
Yes, best to avoid Outlook. And Gmail client. And the Android fake email which is just a client to a Google server that gets all the credentials. If you have to have an Android client, use K9 mail.
I also avoid web (browser) based email clients.
I looked at Evolution but couldn't see how to set up fetching email or sending from Gmail accounts, which seems to work in Thunderbird, though 91.x is last sane GUI.
I'll second the vote for FairEmail. Its one "disadvantage" is that it has so many options that it can take a while to set up to just the way you like it, in case you don't like a default. Of course for many of us that's a big advantage... and it is well supported by its developer, at least if you pay the pittance for a Pro version.
^^This, 100 times over. Why doesn't Outlook provide the means to save the source email as a plain text file? After all, that's what an email is. Microsoft only allows you to save an email in a proprietary format (.msg) or as text, but only the body. As a developer, it is sometimes extremely useful to be able to save an email message so you can pull it apart, especially since a message may contain different plain text and HTML portions which will render differently on different email clients. It is actually simpler to open a telnet client, connect to your SMTP server on port 25 and speak SMTP to it...
You say that, but I'm pretty sure Thunderbird allows me to save a raw email. Googling it suggests that you can even drag an email to the desktop and that will create a raw file for it there, not that the idea of saving things directly to the desktop doesn't make me twitch. Conflating the OS background window with the file system is one of the many things Windows has to answer for.
My current pet peeves with Microsoft are the search functionality on Sharepoint and Outlook. Why is the search on Sharepoint tied to my frigging OneDrive, so I can’t just search Sharepoint without also looking through my files? What’s that all about then, other than annoying. For example I have 300+ copies of a form on my onedrive all saved as form name, a customer or staff identifier and the date. If I do a search for the update to that form on Sharepoint I have to wade through the 300+ copies I have and other detritus on my onedrive before possibly finding the new form.
If I wanted to search the bloody onedrive I would have done so myself, but I didn’t because I didn’t want to.
Also on Outlook if I’m searching one of several shared mailboxes I have access to, why:
when I select my personal inbox does it default to search “current folder”
But
when I search a shared inbox does it default to “all mailboxes”?
I’ve tried in vain to find how to change those but Microsoft seem to think they shouldn’t be customisable.
To answer both you and Anon:
One Drive is Sharepoint, just with a different front end on it. On the back end, it's the same dumpster fire. The search functionality doesn't a) know the difference; or b) can't be configured to be more selective.
The Outlook client on mobile? The Search function also trolls through sharepoint and OneDrive. Dumpster fire, I'm telling you.
For Outlook search on the desktop? It's certainly not reliable unless you happen to remember exactly what you are looking for and get lucky.
One Drive is Sharepoint, just with a different front end on it. On the back end, it's the same dumpster fire. The search functionality doesn't a) know the difference; or b) can't be configured to be more selective.
Deep down I knew something along those lines was the case. It’s just bloody annoying when what should be a 30 second process takes 10 - 15 minutes because Microsoft can’t be arsed.
"Whilst they are at it make it possible to see the headers without doing a jig and sacrificing our first born"
This is indeed a pet peeve, and secondly that they provide a means of switching off clickable links within an email.
If a user can click a link, they probably will.
Outlook's Web version, which (being a Linux user) is the only one I use, does have a simple way to show headers when the mail message is being viewed: Three-dot menu -> View -> View message details. This shows the headers, but not the raw message data. Useful for checking suspicious mails.
That's all?
And they expect Redmond to act on that pitifully small amount of user pressure?
Gosh, with the millions upon millions of people who use Outlook, not to mention the tens of millions in a business environment, you'd think that, if there were a problem all those users were all uppity about, there'd be a smidgen more than 100 votes to make a change.
No wonder nothing changes . . .
Depends. Actual end users won’t upvote this since they probably don’t know where to find it. Any of those votes might be of an admin that represent 100, 1000, or 100000 end users. End users might even *dislike* the change, especially the ones in marketing departments.
But Outlook isn’t the only mail client that just uses a “friendly name”, I’d prefer it if any and all mail clients just went back to showing the full sender email address in the from field. With the reply-to as an extra field. And maybe a blue or otherwise coloured check to show that the sender has passed strict spf validation (-all, not ?all). I’d prefer blocking most, that can’t even do that, but apparently that’s quite a lot of our customers and suppliers…
The SPF thing is possible in exchange online now, you can set it to show a warning banner saying the sender could not be validated and there's an impersonation risk.
It's part of the defender suite though, I think.
I personally quarantine softfails and missing SPF records, but I've noticed in eastern europe and asia for example (and in many many small businesses), SPF adoption is absolutely shocking. So it may not always be a viable option.
We tried implementing the hard spf rules before, but many of the businesses we count as customers were getting blocked by it.
Of course, these same customers tend to get compromised, which results in their emails being used to try and do the same to us, so, maybe we should tune it up again...
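The checks commenters describe above (the real sender address behind the friendly name, the Reply-To, and whether a domain's SPF record ends in -all or ?all), sketched in Python as an added example that is not part of the original thread. The sample message, the domains and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread): the friendly name imitates a
# supplier, while the real address and the Reply-To point elsewhere.
SAMPLE = """\
From: "Accounts Payable <accounts@supplier.example>" <billing@mailer.invalid>
Reply-To: payments@other.invalid
To: user@corp.example
Subject: Invoice overdue
Authentication-Results: mx.corp.example; spf=softfail smtp.mailfrom=mailer.invalid

Please see the attached invoice.
"""

ALL_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_all_policy(txt_record):
    """Say what a domain's SPF TXT record tells receivers about unlisted senders."""
    terms = txt_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:                              # a bare "all" means "+all"
            return ALL_QUALIFIERS[m.group(1) or "+"]
    if any(t.lower().startswith("redirect=") for t in terms[1:]):
        return "redirect"                  # policy lives in another record
    return "neutral"                       # no "all": default result is neutral


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def sender_flags(raw):
    """Return (real sender address, list of warning flags) for a raw message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    flags = []
    # Friendly name that itself shows an address other than the real one.
    shown = re.findall(r"[\w.+-]+@[\w.-]+\.\w+", display)
    if any(s.lower() != addr.lower() for s in shown):
        flags.append("display-name-contains-other-address")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != domain_of(addr):
        flags.append("reply-to-domain-differs")
    # Only trust an Authentication-Results header stamped by your own MX.
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    spf = m.group(1).lower() if m else "none"
    if spf != "pass":
        flags.append("spf-" + spf)
    return addr, flags


if __name__ == "__main__":
    print(sender_flags(SAMPLE))
    print(spf_all_policy("v=spf1 include:_spf.supplier.example ?all"))
```
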
User Voice (the old forum that Microsoft shut down and wiped without migrating all the questions over) saw interactions in the hundreds and maybe thousands, and the new MS developed platform sees a bit less. These are expected numbers, and honestly I wouldn't be surprised if Microsoft ranks request popularity by "number of users each vote's admin represents in Entra ID". Which would quickly spiral into the hundreds of thousands if not millions.
There aren't a lot of votes but the votes that are there are massively important. But even with that pressure, Microsoft's track record includes more postponing and hand-waving than it does actual fixes. Guess they don't care if joeschmoe.onmicrosoft.com closes shop and dumps 10k users onto an internal Nextcloud instance instead.
Where I work, all emails that originate outside our domain are flagged with [External] in front of the Subject line and we also see a header that warns that the email isn't from someone with our organization. We use Microsoft 365 and I think it's something the mail admins were able to turn on.
But how is that different from the sender using their real email address, but just changing the display name in their email client, such that the recipient sees "Sir Keir Starmer" instead of scammer@scamdomain.com?
PS. I would prefer to see recipient display name AND email address for external email, although I don't like clutter.
"Where I work, all emails that originate outside our domain are flagged with [External] in front of the Subject line "
Yes we have this too, it's just a couple of parameters to activate BUT it doesn't change a single thing. Users ignore these messages as they see the same banner 100 times a day.
It's attachments and links that pose the threat, users are busy and don't want to think about the content, they just want to get on with their business and that's understandable.
MS needs to give us the options/choices that help stop users from being able to make the mistake in the first place.
All the emails from customers, suppliers, and the "cloud" systems the company subscribes to will be flagged [External], because they are.
Maybe the scammers can't easily pretend to be my CEO, but they can trivially pretend to be a supplier who needs paying, or the document management system sending another email full of links...
So it doesn't help.
I have a shopping list of MS "features" that are effectively blocks on estate admins being able to ... well admin.
The worst was working for an education provider who mandated Teams calls used backgrounds so tutors could not see people's houses.
Now you would *think* that you could find an option in the bowels of O365 admin to mandate that for all users.
Nope. And it's not an accident. MS just don't want admins setting policies. Because I suspect the very first thing the policies would do is block ads, and MS crap.
It's only been 40 years since email became widely used and a scant 30 years since email addresses have become a concept known in even the tiniest village! THINK ABOUT THE PHBs! Won't someone think about the PHBs!?!?!?
Email existed long before Websites.
Even existed parallel / separate to Arpanet and Bitnet.
I had an email account from about 1986 that I accessed via X.25 PAD dialup and the server had gateways to other systems.
Telegraph was optical before 1830s electrical and from 1890s was available outside P.O.
QWERTY telegraph (teleprinters later Telex) was very like email and is from 1928. Also responsible for the PC Keyboard and @ symbol.
Fax was widespread in the 1990s, but started in Victorian era.
MS is serially stupid with helpful enhancements like Autorun, file & print sharing on by default, hiding file extensions, treating archives as directories etc.
SeaMonkey and, presumably Thunderbird shows the "friendly" version when listing (it saves column width which is reasonable) and possibly at the head of the view pane depending on the window size, it always displays the full address when replying. Doesn't Outlook do the same or is it too much trouble to glance at that to check just who it is you're writing to?
The current version of Thunderbird (v128) by default now includes the email address of the sender in the email list...
If the "Show only display name for people in my address book" option is enabled only the "friendly name" is shown
Even so, the email preview has, for as long as I can remember, included the email address in the "From" field
M$ Outlook has always made it difficult to show the actual sender email :(
I have a solution to kill all phishing attacks. . . we go back to Pine or Elm from the command prompt. Maybe even just cat out your /var/mail/spool directly.
Got a link? Sure, it'll just show up as text you can't do anything with until you copy/paste it elsewhere. Embedded MIME items, nope. Sneaky "Friendly" names, nope. Tracking cookies, HA!
The quest to make things easy has made things unsafe. Microsoft, Google, Apple, et al are all trying to make us sleepy mouth breathers who don't know what we're doing and don't need to because they've given us AI assistants and simple UI and happy starshine friendly magic -- unfortunately magic that doesn't work and often backfires.
This ties into the other Reg article about "The Cybersecurity Trifecta..." . Mail worked just fine when it was just text, the rot only setting in when some smartass realized you could display the message as a web page with all the formatting goodies associated with web pages. Even that's mostly harmless but once you start not just adding links to the message but automatically following them then you've just got yourselves in a world of hurt.
But we can't stop it because it's how we "monetize" things -- the entire Internet ecosystem is perched uneasily on top of a pyramid of unstable, insecure, software. It need not be like this, especially as most people are just trying to get a bit of work done.
FWIW -- I use Thunderbird because it's a proper mail client, it handles multiple mail accounts and it can be persuaded to do nothing with a message until told (I'm a plain text kind of a guy as well). I just hope they can resist the temptation to continually improve it.....
> ...some smartass realized you could display the message as a web page with all the formatting goodies associated with web pages.
That didn't just happen. Note that it hasn't 'just happened' in Mutt, Pine, or Elm. It was a major "upgrade" to an email client. Big chunk of HTML code and linking. We have HTML emails because *users* loved it. Fonts! Cats!
> I use Thunderbird...
IIRC (Wikipedia is not helpful): HTML email was a key feature of Netscape Navigator, Thunderbird's spiritual ancestor. Netscape was a disruptive force, and not all for the good.
The enterprising enterprise can just update the global address book so the value of the Friendly Name (whatever the Exchange fieldname is internally) is the same as the Email Address. Presto! Now if you receive an email with a friendly-looking name, it's external and/or phishing! If you must have a friendly name, repurpose another field or use one of the custom fields.
Repurposing fields is the time-honoured way of working around brain-dead (non-)functionality in an application. For example, iOS Contacts doesn't have categories. So in Google Contacts I create a Profile field with the group name at the end of the (spoofed) url, this shows up in the url section of iOS Contacts and is searchable.
This sounds just like that other fantastic idea of Microsoft’s - hiding file extensions!! And after many many years of this IMMENSELY irritating and bug-inducing “feature”, M$ STILL insist on enabling it by default
Or what about autoplay of CD’s? (remember those?) Wasn’t THAT a stellar idea!! Didn’t bork anyone’s W95 machines at all! And I bet it’s still enabled by default if you manage to find a CD player to plug into your machine
I’ve said it before but EVERYTHING MS touches turns to utter shite
Ugh. Hiding of extensions allowed for a virus at one place I worked - the virus hid folders on a network share, and put .exe files there with a folder icon and filename the same as the folder. If you had extensions hidden and not showing hidden files, things looked perfectly normal, so you double-clicked a subfolder to open it...
I've enabled text only email in outlook 360 on my account at work. It truly pisses off our marketing team. However, it has proven very helpful as my emails always reach suppliers. The idiots had enabled some tracking nonsense in the email signatures they tried to force everyone to use. Suppliers' mail server rightly blocked them as spam.
I am not certain that Outlook being 'popular' is the right phrase to use unless you work for Microsoft Marketing.
It's the most used because there are no plausible alternatives with a better UI, and that in itself is driven by the fact that Exchange has somehow escaped the attention of monopoly commissions as it still doesn't fully talk Open Standards. 'Outlook being rammed down users' throats' is IMHO a lot more accurate.
And the new version is even worse. Frankly, I have arrived at a point where I know that when Microsoft calls something new, it usually translates as 'worse'.
.. can we also please, please, PLEASE get rid of this idiocy that labels dates as 'yesterday', 'today' and 'tomorrow' instead of showing the date?
It's a fantastic pain in the proverbial if you're working through information because it requires you to translate that human-unfriendly expression into data you can work with, so it's not friendly, it increases cognitive load for anything more than casual home use.
And no, Microsoft isn't the only one. Apple is doing this crap as well, and neither offers an option to nuke that crap.
Not in Mail, which is where you really need it. Ditto for Outlook.
And yes, I submitted that ages ago as a bug to Apple, but I'm guessing they see it as a feature. A bit disappointing because in other areas they give you at least the choice, but in this they're doing a Microsoft, God knows why.
I never understood why this was necessary, it's always been bloody annoying at work. Oh yes 'cos the earliest form of tech DEI where we allowed average Joe Sixpack to have a computer, made everything suitable for a child of 5, so Joe didn't need any experience or knowledge it takes to own and operate computers properly!!
Or we could just fix email, which is the most out-of-date protocol still in active use, and has just had TLS etc. bolted onto portions of it.
Like telnet, FTP, SSH1, etc. it needs to die, and be replaced with a true end-to-end encrypted message with identity verification throughout (i.e. individual certificates for each sender/recipient combo, etc.) that isn't reliant on 10,000 options being set correctly and then still letting spoofed mail through in a manner where it can be confusingly interpreted as genuine (e.g. similar domain name, etc.).
Honestly, at this point, the fact that we're even THINKING of leaving SMTP etc. as they are and just bolting more retro-fit tech to them to try to solve problems is laughable.
I noticed that you put [sic] after the pluralised form of the company name "Microsoft are ..." - I don't understand this, surely a company is made up of many people who are collectively making a decision. I don't think it's a good idea to see a company as a single non-human entity which is implied if you write "Microsoft is ...".
I'm venturing a guess here: Maybe the author of that forum post was marooned on a remote island on the wrong side of the Atlantic, where the natives drive on the wrong side of the road, and spell words like "jail", "plow", "curb", and "tire" the wrong way.
Some rules have to be somewhat arbitrary. You just have to make a choice and stick with it. Results in different conventions in different places. Tabs vs spaces, anyone? I think plural for an organisation is a "Britishism", while singular for an organisation is an "Americanism". Neither is grammatically incorrect. One or the other may be jarring depending on what you're used to hearing.
In the same vein, a British author wouldn't generally be as pedantic as to put [sic] after an obvious Americanism, as if to draw attention to it, and say "my version of English is correct".
As it happens, here in England, is where English is spoken. Having some upstart colonials trying to dictate "correct" usage of our native tongue does jar somewhat. It positively makes one drop one's tiffin, don't you know?
I suspect marketing, aided and abetted by the "clean interface" movement, is to blame. The "clean interface" crowd's desire for software unencumbered by software is usually realized by either not providing needed functionality, as in this case, or sending the user on an Easter egg hunt to find it*. Marketing will want whatever silly sender name they have dreamed up to be displayed to the user; security consequences be damned*.
* True story: when my daughter took a reading comprehension assessment, she called me to assist because the site was broken. The text she was supposed to read abruptly stopped. After some fiddling, I discovered that the geniuses who designed the interface hid the scroll bars in peek-a-boo style so that if your mouse got close enough, you could find them. Unfortunately, time was a test component, so she scored artificially low. No, I did not put the word broken in quotes because the site was broken. It used a lousy design that made it more difficult than it should have been to use it. As another aside, I don't understand the desire to use sh*ty JavaScript components like that one when a native browser read-only textarea would have worked fine and been more friendly in screen readers for the disabled.
* A fair share of the blame for the success of phishing in general falls on Marketing. They make throwaway domains and email senders for promotions. In doing so, they educate the user that the communications source and website location for the company they deal with does change. An education that phishers are all too eager to cash in on.
"would have worked fine and been more friendly in screen readers for the disabled."
I think that quite a few sites and applications could be improved by changes that would also make them more accessible. It's a shame that the bad actors don't get more grief on this point.
You expect this from Microsoft.
Thunderbird is the most annoying example of this. The latest versions have made it impossible to use my addons which display the real email address in the email lists.
So much for Mozilla privacy - as usual they are only interested in making trivial changes to mess up the user interface as much as possible and to destroy sensible addons