3.1.5 Message Processing Events and Sequencing Rules

The client SHOULD set the PidNamePhishingStamp property (section 2.2.1.1) if the client determines that the message is likely to be a phishing message, as specified in section 3.1.4.2.

Once the client determines that a message is a phishing message, it uses the RopGetPropertyIDsFromNames remote operation (ROP) ([MS-OXCROPS] section 2.2.8.1) to map the PidNamePhishingStamp named property to a property ID. The client then updates the value of the PidNamePhishingStamp property (section 2.2.1.1) to indicate that the message is likely to be a phishing message. The client SHOULD use the value of this property to warn the user when a message is likely to be a phishing message.

The value of the PidNamePhishingStamp property is calculated as follows:

  • A query for the fifth value in the PidTagAdditionalRenEntryIds property ([MS-OXPROPS] section 2.500) is performed. Let the queried value be called QueriedValue_FromEntryID.

  • The mask (0x0FFFFFFF) is then applied to QueriedValue_FromEntryID. That is, the bitwise operation (0x0FFFFFFF AND QueriedValue_FromEntryID) is performed to produce the STAMP field (section 2.2.1.1) of the PidNamePhishingStamp property.

§ If the user has not enabled functionality on the message, the value of the ENABLED field (section 2.2.1.1) is zero (0) and the final property value is the same as the value of the STAMP field. If the user determines that the message is not a phishing message and indicates as such by interaction with the user interface, the final PidNamePhishingStamp property value with ENABLED field 1 is produced by applying the bitwise operation (STAMP OR 0x10000000).

If the user enables the functionality of the phishing message, the PidNamePhishingStamp property value is changed and the client uses the RopSetProperties ROP ([MS-OXCROPS] section 2.2.8.6) to transmit the new value to the server. The client then uses the RopSaveChangesMessage ROP ([MS-OXCROPS] section 2.2.6.3) to commit the property to the server.

Show: