How to Secure Your Computer: Maxim #6
I get questions all the time from clients over at Ask the Geek about using a mail client’s message preview feature. Opinions vary, of course, but for this geek, it’s a bad idea. In order to preview a message, it has to be opened and rendered by the HTML engine. Think about how a PC can be infected by a malicious web site and you’ll immediately understand the danger: the same malicious scripts that live on a web page can be embedded in an HTML message. It’s a serious security risk.
Always disable any message preview or auto-open features in your e-mail client. As an added layer of protection, view messages as text-only until you know they are safe.
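To make the text-only advice concrete, here is a small added example (written for this page, not the author’s own code) showing what a plain-text view does with a MIME message: it shows the text/plain part when the sender provides one and otherwise shows the HTML source as literal text, so nothing is ever rendered or executed. The sample messages and the active-content markers are constructed for the demonstration.

```python
import email
import re
from email import policy

# Constructed sample messages for this example (not real captured mail).
# The first offers text/plain and text/html alternatives; the second is HTML-only.
MSG_WITH_PLAIN = b"""\
Subject: Newsletter
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello reader, this is the newsletter in plain text.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello reader</p><script>doSomething()</script></body></html>
--b1--
"""
MSG_HTML_ONLY = b"""\
Subject: Promo
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body onload="doSomething()"><p>No text alternative here</p></body></html>
"""
# Heuristic markers of active content in an HTML part (a detection aid, not a parser).
ACTIVE_CONTENT = re.compile(r"<script\b|javascript:|\son\w+\s*=", re.IGNORECASE)

def text_only_preview(raw, max_lines=20):
    """Return what a text-only client shows: the text/plain part if present,
    otherwise the HTML *source* as text. Nothing is rendered or executed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    if part is not None:
        source = "plain"
    else:
        part = msg.get_body(preferencelist=("html",))
        source = "html-as-text"
    body = part.get_content() if part is not None else ""
    return source, "\n".join(body.splitlines()[:max_lines])

def has_active_content(raw):
    """Flag an HTML part carrying scripts or event handlers: the reason a
    rendered preview of this message would be risky."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = msg.get_body(preferencelist=("html",))
    return html is not None and bool(ACTIVE_CONTENT.search(html.get_content()))

if __name__ == "__main__":
    for raw in (MSG_WITH_PLAIN, MSG_HTML_ONLY):
        kind, text = text_only_preview(raw)
        print(f"[{kind}] active content: {has_active_content(raw)}\n{text}\n")
```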
Cheers!
The Geek
Have a question? It can be about anything from cooking to science, whatever you’re interested in: Click here to Ask the Geek! Kenny “The Geek” Harthun has been playing with geeky stuff since 1965. He’s a Microsoft Certified Systems Engineer with Connective Computing, Inc. and loves to learn about anything and everything.

5 Comments
Scott
June 30th, 2007
at 11:44am
??? Added layer of protection? I would think that having the setting (in Outlook Express) to “Read all messages as plain text” would prevent the HTML engine from ever being invoked, and therefore any scripts contained in the message from being executed. Is this not so? I have received messages where the sender (the graphics.com newsletter, for example) does not provide alternative text and they display all the ugly ol’ HTML code, but nothing is rendered or executed.
Before this setting was added to OE, I did follow the advice to not use the preview pane, for the very reason stated. I see no reason to do that now when all of my accounts are set for plain text display. Please explain.
Scott
kiwijohn
June 30th, 2007
at 10:02pm
How to Secure Your Computer: Maxim #6 - Opening Preview Window:
If you use an email filtering program like Mailwasher, you can view the first 20 lines (or 100%) of every email as a text file before deciding whether to download it, delete it, bounce it or blacklist it. Being a text file, it cannot contain any executable code. It has numerous other useful features, but these are the ones relevant to this article. http://www.mailwasher.com. It also saves a lot of time by eliminating spam before it gets downloaded.
Dick Wilson
July 1st, 2007
at 8:28am
It’s not really an e-mail client, but one program that has a safe preview is MailWasher (or the paid-for MailWasher Pro) for removing spam before it can go into your real e-mail client. It understands HTML and won’t open anything suspicious. The first time I trialled the free version, my first e-mail to their website http://www.firetrust.com was to verify the preview pane was safe.
gnomewriter
July 5th, 2007
at 4:27pm
Scott – good point. If you have the “text only” option set, then previewing would not invoke the HTML engine but would display only the HTML text. Chalk it up to the fact that I don’t use OE or Outlook *at all*.
kiwijohn – g’day, and thanks for the info. I’ve heard it’s a good proggie.
Dick – thanks, also, for the info on Mailwasher.
To All – thanks for keeping me informed and honest.
leftystrat
July 9th, 2007
at 11:42am
As an admin, it drives me nuts. No matter how many times I’ve told people this is dangerous, they won’t listen. It seems to go back to most problems being on our side of the firewall.
What’s also frustrating is that you can’t set Outlook (2000) to send plain text.
Or read, as far as I’ve seen.
There’s a free tool called Pocketknife Peek, which integrates with Outlook to view the message without opening it. You could also run Outlook (and IE) under Sandboxie.
Lastly, I’m a little less nervous about opening email these days, as I use Thunderbird (under Ubuntu Linux).