
Outlook Redemption - What is it in English 1

Status
Not open for further replies.
Oct 7, 2007
6,597
US
Had a customer that was paranoid that someone was receiving his e-mails via automated, invisible BCC: out of his Outlook e-mail.

The guy was not a paranoid schizophrenic and had some evidence related to him by someone else that made this sound plausible.

Anyway, his computer had this Outlook Redemption on it and I was trying to figure out if this is part of something that would allow the sending of stealthy/invisible BCC: of his e-mails.

Anyone care to say what it actually does and if it could help in the above conspiracy theory?
 
Outlook Redemption could feasibly be used for such a purpose - it is designed to allow automation of Outlook without getting the security prompt.
 
That's what I was thinking. That's pretty scary stuff. Does anyone know how to remove the COM Add-In vs. just disabling it???


 
>COM Add-In

COM addins can be unregistered using regsvr32.exe

However ...

Outlook Redemption is usually used to enable legitimate automated mailing solutions. Unregistering it will cause any such applications to fail.

And Outlook Redemption frankly isn't typically a good way for a trojan or secret mailbot to work.

Note that you would not need to use Outlook Redemption within Outlook itself, since Outlook trusts itself and VBA code in Outlook therefore does not generate security prompts, and thus frankly does not need Redemption (unless you needed access to some of the more advanced Extended MAPI properties that Outlook VBA cannot normally access).

 
How would I find out if this add-in had been used to secretly do a BCC on all e-mails.

I searched the registry for REDEMPTION and found lots of occurrences, but nothing with a data value of "email@domain.com"

I deleted the EXTEND.DAT in the Outlook folder. That cleared it out as being an option in the Add-Ins list. Is it now disabled beyond a reasonable doubt?

 
>I deleted the EXTEND.DAT in the Outlook folder

Were you advised to do this by someone? That's just Outlook's cache of the registry. If you delete it then Outlook simply recreates it.

>That cleared it out as being an option in the Add-Ins list
Odd - I wouldn't expect (and have never seen) Redemption to appear as an Outlook add-in. Redemption is a standard COM library, not an Outlook COM add-in.

>Is it now disabled beyond a reasonable doubt?
No.

I'd suggest that, rather than immediately leaping to the conclusion that Redemption in Outlook is involved (as already mentioned there may be legitimate reasons for Redemption being installed; for example Skype's Outlook toolbar installs and uses Redemption) you have a quick look to see what if any VBA code your client's Outlook is running.

I should just point out that sending a mail with a BCC from Outlook (whether from local macro code or via automation) shows the BCC recipient in the mail item in the Sent Items folder. It is only the recipients who cannot see the BCC line. The sender does not suffer from this restriction.

There are also a number of other ways that a copy of an email might be being delivered to an alternative recipient - for example the recipient may be on an Exchange Server with a PA or deputy set up to receive copies of all their emails.
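
The Sent Items check described in the post above, as an added PowerShell example that is not part of the original thread: it tallies every BCC recipient recorded in the default Sent Items folder so that an address copied on many messages stands out. It assumes Outlook is installed with the affected profile and that the copies were sent through Outlook at all; a copy made at the server leaves nothing here.

```powershell
# Added example (not from the thread): tally BCC recipients in Sent Items.
# Run as the mailbox owner on the machine that holds the Outlook profile.
# Older Outlook builds may show the object model security prompt when
# recipient data is read from outside Outlook; allow access for the scan.

$olFolderSentMail = 5    # OlDefaultFolders.olFolderSentMail
$olMail           = 43   # OlObjectClass.olMail
$olBCC            = 3    # OlMailRecipientType.olBCC

$outlook = New-Object -ComObject Outlook.Application
$session = $outlook.GetNamespace('MAPI')
$sent    = $session.GetDefaultFolder($olFolderSentMail)

$hits = foreach ($item in $sent.Items) {
    if ($item.Class -ne $olMail) { continue }    # skip meeting requests, reports
    foreach ($rcpt in $item.Recipients) {
        if ($rcpt.Type -eq $olBCC) {
            [pscustomobject]@{
                Sent    = $item.SentOn
                Subject = $item.Subject
                Bcc     = $rcpt.Address   # X.500-style string for Exchange recipients
                Display = $rcpt.Name
            }
        }
    }
}

if (-not $hits) {
    'No BCC recipients recorded in Sent Items.'
} else {
    # One address present on most or all messages is the pattern to look for.
    $hits | Group-Object Bcc | Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'FirstSeen'; e = { @($_.Group.Sent | Sort-Object)[0] } },
            @{ n = 'LastSeen';  e = { @($_.Group.Sent | Sort-Object)[-1] } } |
        Format-Table -AutoSize
}
```

An empty result only rules out BCCs added on this client and kept in Sent Items; it says nothing about copies made elsewhere in the delivery path.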


 
Here's the deal. This guy used his OWN computer and his AOL email and was employed at a company. He DID log in to their server periodically, so a script could have been used to install whatever they wanted. Then he left and started his own company. Then someone advised him that emails from him were showing up at his old employer but he had never sent them.

I'm torn as to whether to trust these reports WITHOUT an actual sample email that could be forwarded from those that received it as a BCC.

Redemption WAS listed in the ADD-INs list along with Google something and iTunes something. When I edited the extend.dat with notepad, it was clearly visible in text along with those other add-ins. I can get a screen shot of all this if it would help. I decided to delete it myself and then Outlook re-created it but this time without mention of the Redemption in the extend.dat text.

My main goal though is just to find any possible source of secret email BCCs back to his old employer and snuff them out. Without a hard core solution to this, I guess telling him "if you're really paranoid, format and reload" is the answer.
 
>Redemption WAS listed in the ADD-INs

Um - that will have been the Redemption Helper Outlook Extension, which is not really a standard Outlook add-in (it is an Exchange Client Extension - which Microsoft, in their wisdom, have seen fit to list as an add-in in versions of Outlook prior to 2007).

I'll just repeat: Outlook macros do not require Redemption (except if you want to do some esoteric Extended MAPI stuff); it is required for external automation by 3rd party applications. Removing any and all references to Redemption in Outlook itself will not stop those 3rd party apps from using Redemption, as they will have their own references. Unregistering the library as I previously advised should do the trick (but I'm still not convinced that Redemption is involved here).

I presume you've checked his Outlook Rules?
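
To see what the post above is distinguishing, this added PowerShell example (not part of the original thread) lists the COM registrations that point at a Redemption DLL, which is what third-party programs use, alongside the Exchange Client Extensions that older Outlook versions show in the add-ins list. The `*redemption*` match on the DLL path is an assumption based on the file name given in this thread; a copy installed under another name would not match.

```powershell
# Added example (not from the thread): inventory Redemption registrations.
# Read-only; nothing is changed or unregistered.

# 1. COM classes whose in-process server is a Redemption DLL. This is the
#    registration third-party programs rely on, independent of Outlook's UI.
$clsidRoots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
              'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'   # 32-bit view
$com = foreach ($root in $clsidRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $srv = $_.OpenSubKey('InprocServer32')
        if ($null -eq $srv) { return }
        $dll = [string]$srv.GetValue('')             # default value = DLL path
        if ($dll -notlike '*redemption*') { return }
        $prog = $_.OpenSubKey('ProgID')
        [pscustomobject]@{
            ProgID = if ($prog) { $prog.GetValue('') } else { '' }
            CLSID  = $_.PSChildName
            Dll    = $dll
            OnDisk = Test-Path -LiteralPath $dll.Trim('"')
        }
    }
}

# 2. Exchange Client Extensions: every entry is listed, not only Redemption's,
#    so the reviewer sees the whole set that loads with Outlook.
$eceKeys = 'HKLM:\SOFTWARE\Microsoft\Exchange\Client\Extensions',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Exchange\Client\Extensions'
$ece = foreach ($path in $eceKeys) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-Item $path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Key = $path; Extension = $name; Data = $key.GetValue($name) }
    }
}

'COM registrations pointing at a Redemption DLL:'
$com | Sort-Object Dll, ProgID | Format-Table -AutoSize
'Exchange Client Extensions:'
$ece | Format-List
```

Each `Dll` path in the first table is a file that `regsvr32.exe /u` would be pointed at, with the caveat from earlier in the thread that any legitimate application depending on it will then fail.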
 
Yeah, it's not in the rules.

Well, I guess I'm over my head in terms of troubleshooting this any further.

Nobody has given me any concrete advice on anything else I could check.

What is the dll that needs to be unregistered??
 
The dll is redemption.dll

>Nobody has given me any concrete advice on anything else I could check

strongm said:
see what if any VBA code your client's Outlook is running

 
In Outlook from the menu select:

Tools/Macro/Visual Basic Editor

This will launch an editor that will allow you to see all the internal VBA code that Outlook might be running (it will not necessarily show code from add-ins, however)
 
If I was a system administrator and I wanted to spy on someone I would set it up to do the Bcc at the server level rather than messing with the individual computer where the person may find out about it or disable it somehow.

I assume his old company is running an Exchange server and he would have to be connected to their network to still be communicating with it? If they are running a Linux or some other mail server is his e-mail client still set up to communicate with it? Is there any kind of automated VPN connection running back to his old employer that would still have him connecting to their server?
 
No VPN. He is no longer connecting to his former company.

He has always been using his AOL account via Outlook on his own laptop. But he did have a corporate account, but I'm not sure if he ever checked it via Outlook while connected to their network.

I know I can't give you much to go on here.
 
>I would set it up to do the Bcc at the server level

I think we already suggested this possibility
 
Okay. Sorry to go on and on about this, but it's just a little out of my understanding level in order to really troubleshoot the whole issue. I'll look at the visual basic stuff and then I'm giving up if no smoking guns.

Of course, this whole thing could be B.S. since it's like a third hand report of emails being sent. You can hardly trust second hand accounts and now I'm dealing with a third piece in the pie.
 