In my last post I mentioned that “Web-based email readers and email reader applications such as Outlook offer additional controls, including viewing the source of an email message prior to actually opening it.” That got the attention of one reader, who asked: “What controls are you talking about?”
Ok, so ‘controls’ might not be the term somebody working at Microsoft would use. They’d probably call them features, or options. I call them controls because they allow you to control how you view email, even how you view email before you open it. Here are some of those controls…
In applications such as Outlook Express, the Viewing Pane comes enabled. It really is nothing but a pain, and it’s dangerous. Disable it! The view pane allows you to simultaneously view email subject lines and email message content in a split-frame screen. When you highlight (single-click) an email’s subject line in the upper frame, the email message is automatically rendered in the bottom frame. If the message is rendered as HTML, there is the possibility of launching malware attachments.
In Outlook Express you can view the source of the message without opening it. Simply right-click the email subject line, select Properties, click on the Details Tab, then click on Message Source. An additional window will open allowing you to see the raw text of the message, including nefarious HTML coding. This control/feature/option is my personal favorite. All email applications should offer such a thing!
There are options in email that allow you to render the message as text, regardless of how the sender sends the message to you. These settings are usually found in the Preferences or Options settings of the email reader application. I wholeheartedly recommend this particular setting. Even web-based email applications allow you to view mail as text-only. Everybody should use it.
Strip all attachments. Surf naked! Heh, heh, I just really wanted to say that. Seriously though, there are options that allow you to strip attachments that are potentially unsafe. The attachments are stripped prior to rendering the email. Images are kept on the side. Make sure this control always is, and always stays, enabled.
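The checks you would make by eye in the Message Source window can also be scripted. The Python below is an added example, not code from this post or from any email client: it parses a raw message without rendering it and reports active HTML and attachments that a stripping option would drop. The sample message, the extension list and the HTML patterns are constructed assumptions for illustration.

```python
import os
import re
from email import message_from_string
from email.policy import default

# Constructed sample of a raw message source (not from the original post).
RAW = """\
From: sender@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the attached invoice.</p>
<img src="http://tracker.example.net/p.gif" width="1" height="1">
<script>window.location='http://example.net/';</script></body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.exe"

constructed placeholder, not a real executable
--b1--
"""

# Assumed policy lists for illustration; adjust to your own environment.
UNSAFE_EXT = {".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
HTML_CHECKS = {
    "script": re.compile(r"<\s*script\b", re.I),
    "frame/object": re.compile(r"<\s*(iframe|object|embed)\b", re.I),
    "remote image": re.compile(r"<\s*img\b[^>]*\bsrc\s*=\s*[\"']?https?://", re.I),
}

def inspect_source(raw):
    """Parse raw message source without rendering it; return what stands out."""
    msg = message_from_string(raw, policy=default)
    report = {"html_flags": [], "unsafe_attachments": []}
    for part in msg.walk():  # container parts have no filename or HTML body
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in UNSAFE_EXT:
            report["unsafe_attachments"].append(name)
        elif part.get_content_type() == "text/html":
            html = part.get_content()
            report["html_flags"] += [k for k, rx in HTML_CHECKS.items() if rx.search(html)]
    return report

if __name__ == "__main__":
    print(inspect_source(RAW))
```

The same function can be pointed at a message saved to disk from the Message Source window by reading the file into a string first.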
Some time ago I wrote a SecurityFocus article on some of the dangers of HTML email. My advice in the article still applies today, although thankfully MS has since made Outlook and OE more secure by disabling most of the ‘automatic’ features that malware tries to take advantage of.