[Previous entry: "A Thanksgiving thought"] [Main Index] [Next entry: "On Bush and Britain again"]

11/27/2003 Archived Entry: "Email safety"

Officials in Los Angeles have called on computer makers to stop using the long-established terms "master" and "slave." This is common usage in the technical world when one device controls a connection and another responds, but I suspect some disk drives have filed a complaint with the Cultural Sensitivity Office saying they feel discriminated against. Sadly, some computer manufacturers are taking this foolishness seriously and looking for alternative, politically-correct labels. I suggest "politician" and "taxpayer."

Here we go again: there's a new computer virus making the rounds. Sysbug-A pretends to be a misdirected email carrying a sexual picture; of course, the picture is really a program that will infect your computer.

More and more virus writers are using this so-called "social engineering" to trick people into opening email attachments. Others try to trick you into visiting a web site and supplying credit card details or passwords. No amount of computer security can protect against this sort of attack; you need to be able to recognize them and avoid them. Here are some policies that have served us well.

* Never, never, never open an executable attachment, even if you know the sender. Most viruses are sent from someone you know. File names ending in .exe, .com, .scr, .bat., or .vbs -- to name a few -- are executable. .doc files can also carry viruses. .jpg and .gif are generally safe, if that's what they really are; but some virus emails contain files like blahblah.jpg.scr which looks like a .jpg but is really executable.

* On that note, use an email program that shows the full file name of an attachment. (I'll offer a few suggestions below.)

* Never, never, never use an email program that opens attachments automatically! I'm told Outlook offers this "feature." If you can't turn this off, get a new email program; this is the most dangerous feature an email program can have.

* Don't click on web page links embedded in an email. Often the link is not what it says! I've received emails which contain a link to www.paypal.com, which on inspection will really go to something like www.paypal-ripoff.com. Of course that web site has a convincing PayPal login screen to ask for your password and account info.

* Remember that banks, credit card companies, and PayPal never administer your account by email. If you suspect that PayPal is trying to contact you, sign into their website manually -- do not use the link in the email! -- and if they are trying to reach you, you'll receive a message there.

* If you must follow a link from an email, don't click on it. Cut and paste it into your browser...and look at it when you paste it, to see where it's taking you.

* Better still, use an email program that lets you read your email as plain ASCII text. Many of these exploits that are hidden in HTML become plainly visible in ASCII text. (As a bonus, an awful lot of spam emails don't render in ASCII text.) Sure, you give up the pretty HTML formatting, but is it worth the security risk?

* If you must use HTML email, use an email program (like Mozilla) that lets you disable images in the email. Just viewing the image in a spam email tells the spammer that you've read it, and who you are. So don't display those images! (As a bonus, it'll save bandwidth on your connection.) This is also a concern if you use web-based email like Hotmail or Yahoo.

* For similar reasons, disable scripting languages (like Javascript) in your email. While you're at it, disable VBS scripting entirely on your Windows machine. This will prevent at least one class of virus from executing on your computer.

* If you're using Microsoft Word, disable macros. Word macros can carry a destructive "payload" which executes as soon as you open the document. If in your work you need to receive Word documents from untrusted individuals, you might also want to open them first in an alternative word processor (like OpenOffice), to make sure they're legit.

* Use an email program that lets you block attachments over a certain size. I've noticed that the smallest viruses are about 39K long, so we have our email programs set to limit attachments to 38K. This doesn't mean you can't receive large attachments; it just requires that you explicitly confirm before the program will download them. (As a bonus, this protects us from the occasional cretin on a high-bandwidth connection who sends a megabyte-long image file. Yes, it happens.) One caveat here: make sure you have some way to remove the "ignored" attachments from your server. (Eudora can do this.)

* Use a virus scanner. A good one will also scan your incoming and outgoing email for viruses. For Windows, I've had good experience with the AVG Anti-Virus program which is a free download for home users. At that price, you can't afford not to use it.

* Use a spam filter. Either a trainable spam filter, or one whose spam signatures are regularly updated, will intercept many virus emails as well as spam emails.

Our good friends at Miller Microcomputer Services give this standard advice, first thing, to all of their Windows-based customers: get rid of Microsoft Internet Explorer and Outlook (or Outlook Express), and replace them with a web browser and email program that are secure. I concur: the security flaws in IE and Outlook are legion.

For web browsing I recommend Netscape, Mozilla (essentially the same as Netscape), or Opera -- all have very good security features. For email I can recommend the Netscape/Mozilla email program, or the superb Eudora. Opera also includes an email client, and I would expect it to be good, but I've never tried it. All of these browsers include features like pop-up blocking; all of these email programs include spam filtering. All are free; Eudora and Opera are "adware," containing an advertising window in the free versions. Both Mozilla and Opera have the advantage of being available for both Windows and Linux.

Powered By Greymatter