· Email Privacy
· Privacy Tips
   · Passwords
   · Email Attachments
   · HTML Email
   · File Extensions
   · Preview Pane
   · Disable JavaScript
   · Offline Mail Reading
   · Trojan Tips
· FAQ
· Test Your Email
· Remailers List
· Useful Software
· Useful Links
· Tell a Friend

· Public Web Proxies
· Stay Invisible

	Link Exchange

Email Attachments

An attachment is a document or file that is attached to an email message. It can be a program, an image, a document or anything else. Attachments to email were an invention which very quickly proved to be a source of a lot more problems than the solution it had promised to be. The main problems originate in the security area.

Most computer viruses spreading through the internet travel via Email Attachments. When opened, those attachments can give hackers the complete control of your machine, or initiate an attack on another machine, or start sending out copies of itself to email addresses found on your hard drive or all of the above. Malevolent software of this type has ruined personal machines, email servers, and networks everywhere on the Internet for many times - and will do it again.
The vast majority of people who spread viruses are under the impression that their own system is "clean" - they spread the viruses without realizing it. For this reason, a large number of self-respecting individuals who are represented in the Internet avoid opening attachments. In fact, it has become very common to see statements on the websites of most offices, major organizations and corporate entities in the Internet such as "We do not accept Email Attachments - please don't send them!"

Here are simple guidelines which, if followed, will impressively reduce the chances that you will be infected with a virus sent through an email attachment.

Email Security Guidelines

General rules:

Be suspicious about any attachment you were not expecting - even though it's from someone you know.
Be in double measure suspicious of attachments that have been forwarded to you - even by someone you know.
Be paranoid about attachments from anyone you don't know.

Some examples:

A reasonable sounding message makes an urgent offer to scan your computer for the latest worm in the news. When you open the attachment, the first thing it actually does is disable your antivirus program and firewall. Then it installs the worm it claimed to be scanning for. Finally, it reports that your computer is free of the worm. Now the worm uses your computer to send the same bogus message to more victims.
Your friend emails you a cute attachment with the file name "kitty.exe". In their message, they tell you they've tried it themselves, it's really cute, and it's "OK to open". You check with your friend, and yes indeed, he or she did send it, and they assure you "it doesn't have a virus." The trouble is, it contains a delayed action Trojan-horse along with the cute kitty. When you open it, the kitty does something cute, but the Trojan is also installed on your computer. You and your friend will not find out about the Trojan until later, if ever.
An email arrives that appears to come from Microsoft. The Microsoft heading and icons are genuine. The message contains a sincere and urgent plea for you to patch your copy of Windows immediately. The file to install the patch with is conveniently attached. The trouble is, when you open the attachment, it terminates your antivirus program and firewall, and then does other things so that you can't remove it. Next, it asks you to enter your email username and password. Guess what the perpetrator does with this information after you click "Submit". Microsoft provides a guideline for determining if a message "from" them is genuine.
Attackers often disguise malicious attachments by using double extensions, for example, "message.txt.lnk" or "picture.gif.vbe". Unless you've changed your Windows configuration though, *.lnk, *.vbe and several other extensions are always hidden. The file names that you see are just "message.txt" or "picture.gif". Those files - *.txt and *.gif files - seem safe enough. Windows knows they are *.lnk or *.vbe files though, not text or picture files at all. When you "open" them though, Windows blindly does exactly what the attacker had in mind, and the damage is done.

Receiving Email with Attachments

Unexpected email attachments
Never open unsolicited or unexpected email attachments until you've confirmed the sender actually meant to send them.
Never double click
Never double click on attachments while in Explorer or in your email client until they have been tested. There may be a hidden file extension or CLSID (class ID extension). Such attachments should first be saved to some test or download folder and tested by invoking their associated application and then using the "Open" function of that application. (for example, sound files like MP3 and WAV can be tested by invoking your player and TXT files should also be opened by first invoking Notepad).
Unsafe file types
Never open any email attachment with any of the following file extensions:
.bat
.com
.exe
.vbs
Unknown file types
Never open any email attachment or internal email link with a file-type extension you do not recognize.
Microsoft file types
Never open any email attachment or internal email link with a recognized Microsoft document type (e.g., .doc, .xls, .ppt) even from someone you know and trust without first running an updated virus scan program on it.
Ask for plain text
If you receive a .doc, .wpd, .xls or or other unsafe file type as an attachment, even from someone you know, ask them if they will convert it to .rtf, .txt or .cvs and then resend it to you. Then delete the original email and attachment.
Delete attachments
Make sure to configure your email client so that it always deletes email attachments when you delete the email it came with. Also, make sure that if mail attachments are automatically moved to a "trash" folder when the email is deleted, that the folder is "emptied" each time you quit the program. Otherwise, dangerous files may be left stored indefinitely in your email attachments directory or and/or your trash directory.
Disable mail "executables"
In Eudora, under Tools / Options / Viewing Mail, make sure to disable (unclick) "Allow executables in HTML content".
Disable automatically download attachments
Be sure your email program doesn't automatically download attachments. This will ensure that you can examine and scan attachments before they run.

Sending Email with Attachments

Avoid sending attachments if the same information can be sent as a plain text or RTF.
Rather than sending a .doc file as an attachment, it's often best to cut and paste the .doc content into your email as text.
You can also convert .xls files to .csv (comma-delimited format) before sending, thus minimizing the risk of spreadsheet macro and script viruses.
Only if it is essential to retain document formatting, embedded objects, etc., should you or your correspondents send unsafe file types - and then only if you have recently run an updated virus scanning program that includes protection from macro viruses.