"Do not open emails from unknown senders" - how is this advice even remotely sane?

For example:

“Do not open emails from unknown senders.”
[PDF] “Do not open emails from un-trusted sources or suspicious emails from trusted sources.”
“5. Do not open emails from addresses you do not recognise.”
“3. Do not open emails from people you do not know and are not expecting”

I for one consider this advice totally nonsensical because it is impractical. Both in my work and in my private capacity I receive a lot of e-mail messages from senders who I do not recognize, and which are entirely legitimate and necessary for me to read.

For example:

  • queries to X being forwarded to and replied to by Y (unknown to me until then), even sometimes at another company
  • mail from customers, new leads, complainants using published contact information (this applies in both my work and my personal capacity)
  • mail from online shops under the name of the owning corporation
  • mail from people whose e-mail name is set up so I do not connect it to their name at first
  • mail from people who have changed their last name
  • mail from people whose name I do not recollect because I last did business with them years ago

etc. etc.

So, why is this advice often given in security advice which is not, overall, gibberingly insane?

They’re covering their asses, as it’s not practical advice. Do you feel better getting this confirmation?

Legitimate email usually has a title that gives a hint as to whether the email is ‘safe’. Email addresses give further clues.

Any email from people not on my approved senders list goes into the Suspect email folder. (They get an automated reply asking them to fill out a form to be added.) If I know someone named John Jones, and I get an email that says ‘Hi’ in the Subject, I wonder if I know John Jones. If I don’t, it gets marked as spam. When the confirmation page comes up, I can see the address. If it has a foreign domain, then I know it’s spam. If I do know a John Jones, then I wonder why the subject is ‘Hi’ instead of something more descriptive. Maybe I’ll open it, and maybe I won’t. It depends on what the email address is.

You don’t know John Jones? But you get an email from him saying ‘Problem with your product’? Probably from one of your customers. Determining which emails are ‘legitimate and necessary’ is part of your job, and part of your security measures for your home computer.

Who cares, though? Lots of viruses are sent by people I know, and there’s nothing about email itself from strangers that’s inherently unsafe. And many businesses get thousands of e-mails a day, they can’t evaluate subject lines one by one (and the spammers are getting good at faking legitimate subjects, anyway.) The original advice has oversimplified the real advice to the point of uselessness.

What the advice should say is:

  1. Do not open email ATTACHMENTS from unknown senders, or any unexpected attachment, until you’ve confirmed it was intentionally sent and scans free of malware.

That won’t stop HTML-based attacks, but most HTML-based attacks are rarely significantly damaging (usually just address harvesting and popups). They can be eliminated by not allowing your email client to display HTML. (Which many businesses do, but most home users aren’t willing to give up pictures and such in e-mail for that level of security.)

And of course, keeping your mail client, OS, and virus checker up to date will take care of a lot of this, too.

I usually ignore email from Nigeria. It’s remotely possible that my long-lost cousin fell off a boat near the African coast, swam to shore, found an Internet cafe, and desperately needs my help, but that’s the chance I take.

Heh, I emailed myself from London complaining that I had been mugged and could I send myself money to get home … I have 3 email accounts that I normally use - 1 is a generic spam-catching one I use to put on websites that need an email address, 1 for business and general contact, and 1 that only goes to friends. My spam account emailed my general account =)

I use pine running on a Linux machine to read email. So it can come to my PC only if I allow it after looking at it. Attachments are a nuisance (have to save it to the Linux box and ftp it from there), but I have never caught a virus. After I look at an email, I decide. Generally, I will not even look if there is no From or if it is from someone I don’t know and the subject line doesn’t look serious. “Paper to referee” is a good way of getting me to look even if the sender is not known to me.

As I recall, not all that long ago MS Outlook used to open attachments by default – which meant that opening / reading the email was effectively the same as deliberately opening the attachment. (This is fortunately no longer the case).

A virus that got into the company where I was working (an IT company more the shame) immediately did the rounds of all the managers’ PCs – the people using Outlook – and caused chaos, while having no effect on the many Linux users, or yours truly who used Thunderbird at the time and had adamantly refused to “upgrade” to Outlook.

I wonder if perhaps some of this advice to not read untrusted emails dates to this dark period of Outlook history. :)

You didn’t fall for yourself, didya?

Nope, though I was wishing to actually be in London … or Amsterdam … it was a cold rainy nasty day and I wanted to be anywhere but Connecticut!

I use a program called “Magic Mail Monitor”, which scans my various email addresses and displays their headers (sender, subject, etc) in list format. I can delete incoming messages straight from there, open/read them in raw format using Notepad, or if I see something I need to really read, save, or reply to I can open my copy of Outlook and read it “for real”.

The main thing being that as far as I know nobody has ever successfully managed to build a virus which works under Notepad.

I don’t know about Outlook, but if you use webmail, just use NoScript for Firefox and tell the webmail service to not show images unless you request them. That’s how I have my Yahoo mail account set up.

Spammers use photos in http email to tell that you’ve opened a letter. So every time you open a piece of spam, you’re telling them that they have a valid email address and you were interested in whatever the subject line was.

I’m not a security expert, but I think most infections are the result of malicious javascript either in the email itself or a link in the email. The latter had mainly been my experience. Most hackers don’t seem willing to put the virus right in the email or an attachment. They want to lure you to a site that has the malicious code. That lets them keep up with any updates to anti-malware software much more easily and lets them subcontract out the actual sending of emails to other parties or botnets that they control.
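
The triage several posts above describe (look at the headers and raw content first, treat attachments as the real risk, keep remote images from loading), as an added example that is not part of the thread. It parses a raw message with Python's standard `email` package and lists the sender, subject, attachments, and the remote images and links an HTML-rendering client would act on, without rendering or saving anything; the sample message and its example.* addresses are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class RemoteRefs(HTMLParser):
    """Collect URLs an HTML-rendering client would fetch or offer as links."""
    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "img" and src.lower().startswith(("http:", "https:")):
            self.images.append(src)  # fetched on open: reveals that you read it
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

def triage(raw: bytes) -> dict:
    """Summarise a raw message without rendering HTML or saving attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    refs, attachments = RemoteRefs(), []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            attachments.append((part.get_filename(), part.get_content_type()))
        elif part.get_content_type() == "text/html":
            refs.feed(part.get_content())  # parsed as text only, never displayed
    return {"from": str(msg.get("From", "(none)")),
            "subject": str(msg.get("Subject", "(none)")),
            "attachments": attachments,
            "remote_images": refs.images, "links": refs.links}

def sample_message() -> bytes:
    """Constructed sample: HTML body with a remote image, plus one attachment."""
    m = EmailMessage()
    m["From"] = "John Jones <jjones@example.com>"
    m["Subject"] = "Hi"
    m.set_content("Hi")
    m.add_alternative('<p>Hi</p><img src="http://img.example.net/o.gif?u=42">'
                      '<a href="http://www.example.org/invoice">view</a>',
                      subtype="html")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename="invoice.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(sample_message()))
```
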