Safe Email Viewing

When you take a cake out of the oven, you use a pot holder; when you drive, you put on your seat belt; and you even get a flu shot every year. But are you that careful when you read your email? Here are the basic principles of safe email viewing, along with the essential principle for being safe when you're connected to the Internet.

Norton Antivirus is owned by Symantec and has been renamed Symantec Antivirus. By one name or the other, it's free to the entire UIC community. You can put it on all of your computers, and it works. It even finds viruses and worms that have been renamed to .txt files on the server by MIMEdefang. Once you get NAV/SAV going, your only vulnerability is the first day or two after a virus is released, until Symantec develops and releases a definition file including the new virus, and then until you download and install the definition file.

I'm sure this sounds sensible, but most email programs make it very difficult to accomplish. There are two ways that they conspire against you:

• preview panes
• automatically opening email

Both Eudora and Outlook come with a "preview pane" turned on by default. It helpfully opens the first - and next - email message for you, whether you want to see it or not.

In Eudora, the primary problem is that the preview pane can be unstable and cause Eudora to crash, and there is the further problem that the default viewer for the preview pane is an embedded Microsoft Internet Explorer, which can also be exploited.

In Outlook, previewing messages is downright dangerous. I don't know whether it's because Outlook is that much worse than any other email program or if it's just because it is so widely used that an Outlook worm can have a major effect. Either way, Outlook is the primary target of email viruses and worms, and just opening a message in Outlook can be enough to set them loose.

Most email programs allow you to go directly from viewing one email message to viewing the next. That's not quite as dangerous as using a preview function, particularly if you've gone through the mailbox's index and deleted all the spam and suspicious email before you start reading the rest of your email. But new email can come in that you haven't checked out and you could get burned.

Yes, yes, I know, you're tired of hearing everyone saying this, but one major email virus or worm after another proves that people aren't listening.

There are two parts to this.

(1) Prepare your computer:

You run Norton or Symantec Antivirus, so you don't have to worry, right?

Well, sort of.

You are prepared if you have NAV/SAV's LiveUpdate scheduled to run automatically, on a regular basis, say once a week, at a time when your computer is turned on and connected to the Internet. If your computer is not connected to the Internet on a regular schedule, set an alarm to remind you to run it yourself once a week. (Wednesday afternoon or later is a good time; that's when Symantec releases regular updates.)

Even if you do run LiveUpdate regularly, you're not safe just after a new email virus or worm gets loose. Whenever you hear about a new one, it's a good idea to run LiveUpdate by hand once or twice a day until you download a new definition file, and maybe again the next day too, just in case there was a problem with the first definition file for the virus or worm.

(2) Prepare yourself:

This part is called social engineering and is the major reason why poorly designed worms and viruses -- and most of them are poorly designed -- can be so successful time after time after time. Never, ever, open an email attachment unless you've asked the person who sent it to you whether he or she meant to send it to you. Don't trust any sender. Don't blame them, either, if you get burned; these days it's not likely that the From: address has anything to do with the actual sender of the virus or worm.

Another essential precaution is to know what type of file you're opening. To do this in Windows, you have to turn on file extension viewing in Windows Explorer: open Windows Explorer, select Tools -> Folder Options -> View, uncheck Hide file extensions for known file types, click the Reset all Folders button, and click OK. Then if you're about to click on an .exe file, you'll know it. (Point your mouse at an attachment icon in Eudora, and the attachment's full filename, including directory, will be displayed in the status bar at the bottom of the Eudora window.) Remember that Mimedefang adds .txt to the end of the filenames of all suspect filetypes, so look at their second extension also.

To make it less likely that you will accidentally execute a malicious attachment, the ACCC runs all incoming email through MIMEdefang. MIMEdefang has a list of attachment types that can cause problems (it's in the MIMEdefang FAQ). Each time an email message comes in addressed to an ACCC email mailbox with one of these types of attachments, MIMEdefang adds .txt to the end of the attachment's name. Windows will not automatically execute a .txt file, nor will it run if you accidentally (or on purpose) double-click it.

Are you sure this attachment is one that you want to use? The MIMEdefang FAQ has instructions on how to rename it back.

Note that Word and Excel files are not "MIMEdefanged." They can carry macro viruses, so it's up to you to be careful about them.

You know those gigantic pictures that you get in spam email messages? Turning them off will save you from seeing the content of many spam messages even if you do accidentally open them. And it takes a lot less time to download these messages without the images; if you have a slow Internet connection, you will really appreciate the time and aggravation it saves you. And just think -- no more disgusting pictures to look at!

Spam and wasted time aside, there are other types of HTML images in email messages, often ones that you can't see, that could be compromising your privacy -- Web bugs. (Bugs as in hidden listening devices.) Web bugs are usually 1 pixel by 1 pixel in size and therefore you generally wouldn't see them. They are used to collect data about the person reading the email or, when they're on a Web page, the person or machine visiting the site. If you don't download HTML images, you won't download Web bugs. It's as simple as that.

Note that sending HTML images is not the same as sending HTML-formatted messages. Go ahead and do that if you feel you must. (Please don't send them to me, though; I prefer using my own fonts.) If you do feel the need to send HTML-formatted email, include a second copy in plain text also, for those people whose email programs can't handle HTML. They would probably rather get two copies -- one in HTML and one plain text -- than try to extract the email message's content from its HTML tags.

The important part this to protect when doing email is your password, which you only use when reading your email, so you need the SSL connection only when reading your mail. Note that "mail transfers," either sending or receiving, are not high-security in any case. Having an SSL connection for mail transfers to or from your personal computer doesn't help a whole lot, because the mail will be transferred unencrypted from mail server to mail server, and will sit on your hard disk unencrypted. So either don't worry about it (for most mail), or encrypt the mail yourself using PGP, GPG, or some other public-key program before you send it.

See Turning on SSL in Eudora for instructions.

Aside from social engineering -- which is the most important ingredient -- safe email viewing in Eudora is mostly a matter of setting a few options. Do this by selecting Tools, then Options, then the following Categories.

Display (Windows) and Fonts and Display (Macs):

Windows: Uncheck: Automatically download HTML graphics
Macs: Uncheck: Display graphics in messages
and Automatically download HTML graphics

(If you receive a message that you want to see the graphics in, say an advertisement from a store that you like to shop at, use File -> Send to Browser. On Windows, you can open the message, right-click in the message body, and select Send to Browser from the Context menu.)

Viewing Mail (Windows only) :

Message Window box:

Uncheck Use Microsoft's viewer (This is important.)

Preview Pane box:

Uncheck: Show message preview pane
Uncheck: Automatically open next message (Note: You don't have to uncheck this if (1) you use antispam filtering and (2) you're careful about checking each mailbox's index list and delete all suspicious email messages before you begin reading them.)
Uncheck: Allow executables in HTML content

Mailbox Display (Mac only):

Uncheck Show message previews by default

Extra Warnings (Windows only):

Warn me when I:

Check: Launch a program from a message
Check: Launch a program externally

Miscellaneous (Windows) and Timeouts (Macs):

Windows: Uncheck: Say OK to alerts after xx Second(s)
Macs: leave the box by Alerts: blank; no timeout for Alerts

You can use SSL with the mail.uic.edu incoming email server; see Using mail.uic.edu for Your Incoming Email Server and Turning SSL On.

In Windows Eudora:

If you only have one "Persona" (account), then use Tools -> Options -> Checking Mail, then select Required Alternate Port from the dropdown list in the Secure Sockets When Receiving box on the right, then click OK.

If you have more than one Persona, then click the Persona tag (the two head icon, in the pane with the Mailboxes tab), right-click on the Persona for which you want to use SSL, click Properties, the Incoming Mail tab, and again select Secure Sockets When Receiving.

It would be nice if the Last SSL Info button would tell you whether SSL was turned on, but it doesn't. You can tell by clicking on the spinning ying-yang when your email is being downloaded. This opens the Task Status window showing the progress of the download and it'll say SSL while the mail is downloading. (Look fast!)

In Mac Eudora:

SSL is supported for Mac OS 8/9 and for Mac OS 10.2 and higher. Special -> Settings, then double click the SSL icon (it's pretty far down). Depending on whether you're using POP or IMAP, select Required (Alternate Port) from the dropdown lists for SSL for POP: or SSL for IMAP:. Leave the default Maximum Compatibility selected. Click OK when you're finished.

If you have multiple personalities, open the Personalities window: Window -> Personalities, click on the name of the Personality you want to work with, and then click the edit personality icon at the bottom of the window. It's the last of the four icons, with the personality icon -- two heads -- with a piece of paper and a pencil behind it. There's an SSL icon in the Personality's Settings. Click OK when you're finished.

See Safe Email Viewing in Outlook for brief information on keeping safe when using Outlook for email.