It is my understanding that viruses are contracted by opening an attachment that is “infected.”
Is it possible to contract a virus simply by opening an e-mail and leaving any attachments well enough alone?
Hello Bert. Given current technologies the most likely answer is “no” – unless someone has perfected embedding a script into the email message header itself there should be no way to execute “true” malware by viewing a text-based email. If you accept email in text-only format (i.e. no HTML) then you should be able to head off many potential problems.
If I’m not mistaken (since I spend the bulk of my computer time doing “honest” IT activities so I don’t pay that much attention to illegal how-to methods), some spammers will attach “false” jpegs to an email and viewing these will allow the sender to extract some information from the recipient’s computer (sort of like an http get for those who understand what I’m talking about). This is why programs such as Outlook/Outlook Express have several file types “turned off” by default, even from a previewing perspective (because to preview the reader has to download and uncompress the jpeg/attachment).
Whether or not Microsoft products have an existing/future security hole that will allow enhanced remote capabilities is, of course, in the realm of those who delve into such matters.
Best,
Ron
Thanks Ron.
Can Viruses be passed on through HTML messages?
My e-mail program accepts HTML and I can’t find a way to change that.
Hello Bert – I apologize for the slow reply: pre/post Superbowl rigor mortis. Anyway…
At this point I would still say NO to an actual “virus”. Are you inviting potential harm – YES. This is an article that discusses the security hole potential of HTML email, along with other nonsecurity related reasons:
7 reasons why HTML e-mail is EVIL!!!
This article gives an overview of how some email-based malware (aka malicious software – I know, I hate some of these new terms myself but alas it is within my profession) along with some preventive measures:
http://www.windowsecurity.com/articles/Protecting_Email_Viruses_Malware.html
If you are using the Outlook/Outlook express variety of email software, to enable “plain text” mode:
- For Outlook Express (comes with Windows XP et al.):
  a. Under the “Tools” menu, click on “Options” then click on the “Read” tab.
  b. Make sure that “Read all messages in plain text” is checked.
- Outlook (comes with Microsoft Office):
  a. Under the “Tools” menu, click on “Options” then click on the “Mail Format” tab (at least this is how it is with the 2003 version, previous versions may vary slightly).
  b. Under “Compose in this message format:” select “Plain Text”. This lets you write emails in plain text only.
  c. Under the “Preferences” tab, click on the “Email Options” button.
  d. Make sure that “Read all standard mail in plain text” is checked. This lets you read mail in plain text only.
Other Windows-based programs should have something similar. Can some of the Mac-based folks post something in case Bert is on a Mac? My only access to a Mac is an emulator that runs in a window on my workstation so it really isn’t the best source.
Note that a side-effect of going “plain text only” is that if someone sends you html-based email you will see the tags interspersed with the message text. At this point you need to determine if the message is from a trusted source and then you can either:
- TEMPORARILY disable plain text mode, or
- save the email to a temporary html file and display in a browser.
You may also want to see if your ISP (if at-home service) or sysadmin (if at work) has some sort of spam filter service available. This can be a pain as well but once it is tuned to your specific case it is well worth the hassle. If you have any more questions please ask and I’ll do my best to reply as succinctly as possible, or point you to a better source for answers. Sorry for the long reply but I hope it helps.
Best,
Ron
I’m surprised I didn’t see anything about viewing remote images. Many spammers will use remote images as a way to identify “true” email addresses. By coding the connection to the remote image (which is on their server) they can know which email addresses actually viewed the images. That’s not particularly harmful, but it suddenly makes your email address a lot more valuable to the spammers because they then know someone is on the other end.
Actually I touched on this in my original reply:
some spammers will attach “false” jpegs to an email and viewing these will allow the sender to extract some information from the recipient’s computer
Extracting your email address is one of the more benign effects from remote viewing, good spam control from your ISP should handle this. If the site is also logging IP addresses and some of the viewers have static IPs…they had better have their security ducks in a row.
No apology necessary.
I am on a pc. Windows 2000. My browser is Internet Explorer and the e-mail program I use is Sympatico Mail.
I have HTML turned-off for outgoing messages but I still can’t seem to find any way to only read plain text.
Hey, I appreciate it.
You may use the term “false” jpeg differently than I do. To me, and many others, a false jpeg is a file that is not a jpeg at all, but rather code (perhaps executable) posing as a jpeg. I was referring to the practice of remote images, true jpegs, that simply use email-specific addressing to identify which email addresses view the images and which do not. These will show up as regular images if you allow viewing of remote images (because they are regular images!), but they give identifying information about you to the spammer in the way they are addressed.
If you view any remote jpg, there is no way (short of a proxy) that your ISP would prevent a spammer from seeing your IP address, and if they are using coded links, then the two (your email address and IP address) would be linked to the spammer. That, in my opinion, is a much greater danger.
There’s really no hiding your IP address, it’s out there whenever you view a web page. In fact, because my avatar is hosted on my own site, every time any page here at Textkit with one of my posts is viewed, I get a record in my log, and that includes the IP address of the computer doing the viewing. If I were so inclined, I could match times of postings with those in my logs and extract IP addresses for almost any regular user of the forum. Everyone can see your IP address, it becomes much more of a problem, though, when it’s paired with identifying information about you.
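An added example, not part of the original thread: a Python check that lists the images an HTML message would fetch from a remote server and flags the ones whose address is coded per recipient, as discussed above. The sample message, its addresses and host names are constructed, and the three heuristics (recipient address in the URL, long hex token, 1x1 size) are assumptions about what such coding commonly looks like.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample message; every address and host is a placeholder.
SAMPLE = """\
From: offers@mailer.example
To: bert@example.org
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:logo123" alt="logo">
<img src="http://img.mailer.example/banner.jpg" width="600" height="80">
<img src="http://img.mailer.example/o.jpg?u=bert%40example.org" width="1" height="1">
<img src="http://img.mailer.example/p/9f2c4e7a1b3d5f60718293a4b5c6d7e8.jpg"></body></html>
"""

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def audit_remote_images(raw_message):
    """Return (url, reasons) for each image the mail client would fetch remotely."""
    msg = message_from_string(raw_message, policy=default)
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # no HTML part: a plain-text view fetches nothing
    collector = ImgCollector()
    collector.feed(body.get_content())
    findings = []
    for img in collector.images:
        src = img.get("src") or ""
        if urlsplit(src).scheme not in ("http", "https"):
            continue  # cid:/data: images travel inside the message itself
        checks = {
            "recipient address in URL": bool(recipient) and recipient in unquote(src).lower(),
            "opaque token in URL": re.search(r"[0-9a-f]{16,}", src, re.I) is not None,
            "1x1 pixel": img.get("width") == "1" and img.get("height") == "1",
        }
        findings.append((src, [why for why, hit in checks.items() if hit]))
    return findings
```

An image with an empty reasons list still discloses the reader's IP address to the hosting server when it is loaded; the flags only mark URLs that also tie the request to one mailbox.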