Security Block for HTML Email


2002-01-03
I finally got around to documenting a security block for HTML email if you are using Outlook Express. At least this is what I do on a basic Windows system(no special software). HTML email is the curse of the 20th century. The potential for malicious attacks using this type of email is tremendous. Even the most novice hacker can cripple your system. The abuse potential is so obvious even people not thinking of hacking(like myself) can easily come up with simple attacks.

Although this solution is documented for Microsoft Outlook Express V6 with Internet Explorer V5+ the principal is the same for all versions of Outlook and Explorer. The problem occurs on most email software that display HTML e-mail so don't point too many fingers. This does not stop viruses if you open e-mail attachments. It does stop the major security threat posed by HTML email. The email is still viewable, just secure against attacks(unless you open attachments).

Even if you are running the latest virus detection software you should perform the tasks below. The problem is these new viruses attack in hours so your software company does not have time to react. Old viruses usually spread by manually distributing software(that someone was willing to accept) giving a lot more time for companies to react. Virus protection software can give you a false sense of security. Don't get me wrong, they are needed and they do a great job. Unfortunately in today's environment they are too often like catching a thief several days after the event. Your "stuff" is probably gone or trashed already... hope you have backups. 

There is a security patch at Microsoft if you are using Outlook 2000. It requires Microsoft Office 2000 with SR1 patch. The disadvantage is it stops you from downloading ANY program... even ones you want.

The steps below should accomplish about the same thing... maybe more(you have control).

This will require you make adjustments in Outlook Express and Internet Explorer. Even if you use another browser the settings must be changed in Internet Explorer.

  1. I recommend this step but it is not required. Disable the preview pane. In Outlook select "View" then "Layout" from list. Make sure "Show preview pane" is NOT checked. Click "OK". Now you can trash those questionable email without ever looking at them. Requires you double click to view email.
  2. In Outlook select "Tools" menu item, then click "Options" from list. Select the "Security" tab.
  3. Under "Virus Protection" area ensure "Restricted Site Zone(more secure)" is checked. Also ensure "warn me when other applications try to send email as me" is checked. If you check the last option you will not be able to download programs attached to email... even if you want the program. Click "OK" button.
  4. In Internet Explorer select "Tools" menu item, the click "Internet Options". Select the "Security" tab.
  5. Select "Restricted Sites" icon then click "Custom level".
  6. Now go through this list and make sure that every option is disabled, set to Highest security,  or at least prompts you. I set it so everything is disabled.  Make sure nothing is "enabled"!
  7. Click "OK"
  8. Your done. You can see your HTML email and know as long as you don't open attachments you will not get a virus from email.

Four Email Rules of Protection

  1. Never open ANY attachment unless you need it. In which case you asked for it. Friends are your number one source of viruses. They usually don't even know they attacked you. Worse yet, you probably don't know you are being attacked unless you have constantly updated virus software or have already done above steps. Even with virus software the new strains of viruses spread in hours so your virus software doesn't have a chance to keep up. 
  2. Turn off "Preview Mode". You will have a chance to kill the email before an attack can be attempted. Don't be fooled by "Preview", you are viewing the email, just in a different window.  With this turned on the HTML email is displayed when you select it and the virus attack happens immediately with no chance to delete the email first. Your email software may not have this feature.
  3. If in doubt press "Cancel". If you are prompted to "Open" or "Save" anything when you are just viewing an email always "Cancel". Do not choose open or save... 99.99% virus. You probably want to delete the email. The only time you should see the "Open" prompt in Outlook when viewing email is when you choose to open an attachment.  If you get prompts you do not expect and are unsure what to do always err on the side of caution and choose "Cancel" instead of continuing.
  4. Do Not Open Attachments

I am getting lot's of attacks of this type, none have gotten through my new settings. I also filter many messages but most of these HTML viruses look like they came from a friend so filters don't work.

Now remember, you are still going to get variations of this HTML virus crap but you now have a defense that blocks all of them in email. Just don't open the attachment.

Now go to any place that scans you computer for viruses to make sure you currently have no viruses. I suggest http://antivirus.com/ ... they work for me and they are FREE!

Hope it helps. As a final note.... Don't open email attachments!