Would you open Email attachments?

The old wisdom was to avoid opening Email attachments to prevent viruses and worms. Being that some “surprises” now come without opening any attachment, would a rule that one opens only specific file types (.doc, .jpg) be a better strategy?

The best rule is to use an email client that is incapable of displaying attachments or processing HTML email.
Set things up so that you can manually save attachments from email to your system and choose to execute, edit or view them only if you explicitly choose to save and then open them.
Make certain that you scan the files and verify that their transmission from the trusted sender was voluntary. If you can’t verify this, store them until you can be certain you do or do not wish to open them.
The free web-based email at www.hushmail.com can meet my above criteria quite easily. If you get infected after using them, it IS your fault, not Billy G’s.

Why? Just because there are things that can affect you without opening attachments, why is it a good idea to drop the other forms of security?

The best rule is to paraphrase the advice given to lawyers: “Never open an attachment unless you know what it is.” And I do mean “know” – it should be something you are expecting to receive, or something from a friend that references something specific that you and the friend both know about (i.e., not “this is great! Click on it!” but rather “Here are Terry’s wedding photos.”)

BTW, .doc files can contain viruses; they were a major vector prior to the development of e-mail viruses.

My rule is not to open anything I don’t recognize.

Basing a rule on the file type of its attachment is dangerous; this can be spoofed with multiple extensions or invalid characters in the filename. (It once held that you could attach “file.jpg.scr” to an E-Mail whose recipient would only see “file.jpg” because the secondary extension was ignored, thus feeling confident in opening up the “picture.” This doesn’t really apply any more as client developers have since wised up.)

I also do not use Outlook. I use Pegasus Mail for Windows, and have been for years. It has plenty of safeguards against potential intrusions (such as disallowing the display of images in E-Mails unless explicitly told to do so - and even then it warns you of the potential hazards).

However, there are ways to safeguard yourself:

  1. Sign up with an E-Mail forwarder that uses a challenge-response type of authentication system, then direct everyone to use that E-Mail address for all correspondence. This will be a little inconvenient for them at first as it will require them to go to the forwarder’s website and verify that they are, in fact, human by entering a verification code given to them on that page. Thereafter their E-Mails are validated and forwarded to you without delay. Unsolicited, automated E-Mails however will not be able to meet the challenge (answer the verification code) and therefore will not be forwarded to you, so it is safe to use this E-Mail address in public.

  2. The above method does not work if you are signing up for online services or message boards however. In these cases, using a service like Spam Gourmet comes in handy. Spam Gourmet allows you to create a temporary, disposable E-Mail address that will be active for X number of messages within X number of days, and thereafter will be deactivated. Any further messages sent to that address will be consumed and discarded by Spam Gourmet. This is useful for signing up with sites and services that require you to validate your application but don’t want any further messages from them or any “partner” sites they may be affiliated with.

But what exactly is a “trusted” friend? Even savvy PC users can unintentionally forward a virus to someone else, through momentary inattention or a similar belief that another “trusted” friend’s e-mail isn’t infected. In the final analysis, your protocol requires a leap of faith in the sender’s knowledge base and screening procedures. In the computing world, “trust” is irrelevant and has no meaning.

As the recent WMF exploit shows, extensions don’t mean squat on WinXP systems. It can be a bad WMF file with a jpg extension and WinXP will still open it as a WMF file by looking at the header.
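
Added example, not part of any poster's message: a filter-side check for the two points raised in this thread, the “file.jpg.scr” double extension and content whose header disagrees with its extension (the WMF-as-.jpg case), extended to a few other common signatures. The function names, extension lists and sample attachments are constructed for illustration.

```python
# File signatures (leading bytes). The content, not the name, decides how a file is parsed.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"\xd7\xcd\xc6\x9a", "wmf"),                    # placeable WMF
    (b"\x01\x00\x09\x00", "wmf"),                    # standard WMF header
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc container
    (b"MZ", "exe"),                                  # Windows executable (.exe, .scr)
]
# Content type each claimed extension is expected to carry (illustrative list).
EXPECTED = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
            ".wmf": "wmf", ".doc": "ole2"}
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def sniff(data):
    """Classify attachment bytes by signature, ignoring the filename entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename, data):
    """Return the reasons to quarantine an attachment (empty list = no finding)."""
    findings = []
    # Control characters, bidi overrides or padding can hide the real extension.
    if filename != filename.strip() or any(
            ord(c) < 0x20 or c in "\x7f\u200b\u202e" for c in filename):
        findings.append("suspicious-characters")
    parts = filename.strip().lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        if len(parts) > 2 and "." + parts[-2] in EXPECTED:
            findings.append("double-extension")   # e.g. file.jpg.scr
    kind = sniff(data)
    if ext in EXPECTED and kind != EXPECTED[ext]:
        findings.append("content-mismatch:" + kind)
    return findings


# Constructed sample attachments: (filename, first bytes of content).
SAMPLES = [("file.jpg.scr", b"MZ\x90\x00"),
           ("picture.jpg", b"\xd7\xcd\xc6\x9a" + b"\x00" * 18),
           ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF")]
if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, check_attachment(name, blob))
```
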

Until ISPs did the latest round of security upgrades, I was using Eudora v.3, which did not display graphics. Now I’m using Eudora v.6, which does. :sigh: I’ve got it set not to automatically download/display the graphics, but I haven’t been using it long enough to be sure just how well it does.

I use MailWasher, which allows me to inspect email while it’s still on the server. I can then bounce spam from the server. It is a far more definitive solution than any anti-spam modules in software, as the user identifies his/her own incoming email, eliminating the possibility of “false positives”. Checking an email to bounce automatically adds that address to a list which will then identify any further messages coming from that source. It also has a “friends” list, which will automatically mark email from known “good” sources. It takes a final click to process the bounce & delete on the spam, etc.

Norton Anti-Virus (and probably every other good AV program) scans all incoming email, as well as downloads, unless you don’t have it running in the background. These precautions have thus far been successful in protecting me from accidental infestation coming from friends for more than three years now. I was caught napping in the summer of 2002. That gave me a properly paranoid mindset, which was recently reinforced by the discovery that I’d been harboring a version of kakworm in one of my old Eudora folders. Since I “never have; never would” use any version of Outlook, it mangled some of my Eudora files, and just hibernated there (gone now).

I don’t even allow Yahoo to display graphics in my messages there, except on a case-by-case basis.

If there is a solution that is either foolproof or permanent, I don’t know it. You just use a paranoid frame of mind, as much as you can, and use every tool you can get that helps, even a little.

I don’t do such extensive safeguards, but I have noticed over the past several months that I won’t open attachments even when they’re “sent” by members of my family. Only work attachments. I’ve even been known to email my family member back asking if they actually sent that email.