Finding Redemption


This programming library lets you use Outlook macros without security warnings

If you recently upgraded to Outlook 2002, you might have found that some of the Outlook VBA macros I've presented in my Outlook VBA on Demand columns now trigger a security prompt when the code tries to access mail recipients or send a message. These prompts are among the main effects of the security measures Microsoft added in Outlook 2002 and the earlier Outlook Email Security Update to make it harder to use Outlook to propagate viruses.

You can disable the prompts in a couple of ways. If you connect to Exchange Server, the administrator can implement central security settings that allow programmatic access to certain features, thereby preventing the prompts. If your Exchange environment doesn't include the security settings or if you're a standalone Outlook user, one way to dodge the security prompts is to abandon VBA and Visual Basic (VB) and rewrite your code in C++ or Delphi to use the Extended Messaging API (MAPI) library. That solution isn't practical, though, for most power users or administrators who aren't full-time programmers.

Luckily, an answer also exists for VBA and VB. Outlook Redemption ( is a programming library developed by an Outlook Most Valuable Professional (MVP—Microsoft's award for volunteers who help other people get more from Microsoft products). Because Redemption is similar to the Outlook object model, converting most Outlook code to Redemption code is relatively easy. To demonstrate how it works, I've rewritten the code in "Showing the Sender's Email Address," June 2000, InstantDoc ID 8630—which shows the sender's email address, not just the display name, in a mail-folder view—to use Redemption. You can compare the two versions to readily see the changes needed to use Redemption.

Seeking Redemption
To use the Redemption library in Outlook VBA, you first need to download it from the address above and install it. A free version is available for you to try. Then, open the VBA environment and use Tools, References to add a reference to SafeOutlook Library to your project.

Listing 1 shows the code that goes in the built-in ThisOutlookSession module to automatically fill a FromAddress property with the sender's address. The only procedure from my earlier article that I updated is olInboxItems_ItemAdd. To see the FromAddress property whose value the code sets, you need to add that property to the view. The Field Chooser will list it under User-defined properties in folder. If you don't see it there, create a new FromAddress text property.

Redemption includes a "safe" analog for each Outlook item type, with virtually identical properties. To use Redemption's version of an Outlook item, create the appropriate object—SafeMailItem here because we're working with messages—then set its Item property to the actual Outlook item object, as callout A in Listing 1 shows.

A Redemption object supports almost exactly the same properties and methods as the corresponding Outlook object. (The Redemption Web site lists exceptions.) For Outlook properties and methods that trigger security prompts, Redemption provides its own versions that avoid the prompts. Otherwise, it forwards calls to properties and methods to the Outlook object that you assign to the Redemption object's Item property. This behavior lets you easily rewrite Outlook code to use Redemption objects. In many cases, all you need to do is change the parent object so that you're using the safe Redemption object. For example, the statement at callout B in Listing 1 adds a property to hold the sender address by using the same UserProperties.Add method as it would for an Outlook MailItem object.

Obtaining the sender's address is complicated because you need to consider both Internet senders and internal Exchange senders. As I explained in "Using Collaboration Data Objects,", InstantDoc ID 24392, you can retrieve an Exchange sender's SMTP address as a property of the AddressEntry object with Collaboration Data Objects (CDO). However, CDO in Outlook 2002 is subject to the same security prompts as Outlook, so you need to use Redemption to get a "safe" AddressEntry object.

Redemption includes a Fields collection that lets you access MAPI properties that provide information you can't get from Outlook object-model properties. In Listing 2, the R_GetSenderAddress() function declares two constants corresponding to the property tags that identify different MAPI properties, then obtains the values of those properties from the Fields collection. For example, the statement at callout A in Listing 2 sets the value of a string variable to the sender's address type (e.g., SMTP, EX).

Redemption adds to its SafeMailItem the Sender property, which the Outlook MailItem doesn't have. This property returns a SafeAddressEntry object, which is analogous to the AddressEntry object in CDO. Although Sender has a few useful properties of its own (e.g., Address), you might need to use its Fields collection to dig deeper into the properties. For example, at callout B in Listing 2, the R_GetSenderAddress() routine uses the Fields collection from the sender (which the objSenderAE object represents) to return the SMTP email address for the Exchange sender.

You can place the code in Listing 2 either in the ThisOutlookSession module or in a separate module and use the R_GetSenderAddress() function any time you want to get the address of a sender without displaying Outlook security prompts.

How does Microsoft feel about Redemption? I haven't seen any official opinion, but individuals at Microsoft have pointed out that it makes Outlook less secure. They're absolutely right about that. Redemption is scriptable; therefore, malicious VBScript code could use it. One way to make it more secure is to rename the Redemption.dll file to something a hacker isn't likely to guess, like r8gh36.dll. A script then would need to know the new name and use it to create Redemption objects, as in

Set objSafeMail =
  CreateObject _

If you already have strong protection against viruses and find that the programming restrictions introduced with the Outlook Email Security Update are hurting your productivity, Redemption provides an easy-to-use solution.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.