Worst practices for e-mail

If you want to wreck your computer with a virus and put your neighbors’ computers at serious risk, there’s a really easy way to do it. Just be really cavalier with your e-mail habits. Approach e-mail with reckless abandon, and you’ll quickly receive your just reward.
But if you like having a computer that works well, and you kind of like your neighbors, there are things you can do to minimize your risk. If, on the other hand, you want to leave your mark on the world in a negative way, do the opposite of the things I suggest here.

1. Acquire good anti-virus software and keep it up to date. I’ve been configuring Norton AntiVirus to update itself every day. It’s excessive, but since it’s impossible to guess when the next big thing will come out, and it might hit you before you know about it, it’s the only safe way. Update every day, and keep autoprotect on, so that files are scanned as they’re created. That way, if you get a virus, it won’t get far. I also set NAV to scan the entire computer–all files, not just executable files–at least once a week.

While sweeping the network at work, I found copies of Nimda, but I also found old friends like SirCam, Happy99, PrettyPark, and Kak. Obviously people were aborting the scheduled updates and scans.

2. If you do get infected, don’t count on your antivirus package to completely clean up the mess. Visit www.sarc.com or www.antivirus.com/vinfo/virusencyclo to download a specialized removal tool for the virus your antivirus package caught. Run it to remove any residual damage your antivirus package may have missed.

3. Don’t take e-mail attachments from strangers. I take an even stronger stance than that. Frankly, when someone sends me e-mail with an attachment, the first thing I do is delete the message. I don’t even open it. I don’t care if I’ve known the guy who sent it for 10 years. Some attachments can execute without you even opening the message, so the only safe thing to do is delete it.

The only exception I make is when someone e-mails me and tells me something’s coming. Sure, I’ll look at my friend’s resume, as long as he lets me know ahead of time that it’s coming and I should look for it.

Yes, I miss some good jokes and fun games that way. But you know what? I’d rather be accused of having no sense of humor than to have to rebuild my computer. I don’t have time to rebuild my computer. I’m already too busy rebuilding the computers that belong to people who open each and every e-mail attachment they get.

The virus of the week is W32.Vote.A, which masquerades as a chance to vote for peace or war between the United States and the Middle East. It doesn’t actually let you vote; it e-mails itself to your contacts and deletes files off your drive.

4. Don’t be the first on your block with the newest Microsoft software. Microsoft continues to refuse to take security seriously. No one in his right mind should be running Internet Explorer and Outlook Express 6.0 right now. Every single dot-oh release from Microsoft in recent memory has been an atrocity. Get Internet Explorer 5.5SP2 and stick with it. It’s fast, it’s as stable as anything Microsoft has written, and all the known holes that viruses exploit have been patched. Is the same true for 6.0? Who knows?

5. Don’t use a Microsoft e-mail client if you can help it. Microsoft’s the biggest kid on the block, so their mail clients are the most frequent targets. They also have more security holes in them than a vacant building in East St. Louis. There are a number of competent alternatives out there, including Pegasus, Netscape Messenger, and Qualcomm Eudora. (Just watch out for Eudora’s spyware–run Ad-Aware from www.lavasoftusa.com after you install Eudora.)

6. If you must use a Microsoft e-mail client, turn off the preview pane. Also, go to the client’s security options and put it in the Restricted Sites zone. That way when some idiot forwards you a message with hostile ActiveX code in it to automatically execute an attachment that e-mails itself to everyone in your inbox and address book and then low-level formats your hard drive, you won’t be affected. There is absolutely no legitimate reason for HTML e-mail to contain any ActiveX, Java, or JavaScript.

7. Don’t run any Microsoft software if you can help it. A Mac doesn’t count–the most popular Mac application is (drum roll please) Microsoft Office. Besides, there are plenty of Mac viruses out there to get you too. I’m writing this on a cheap PC running Linux. I use a tiny, lightning-fast mail client called Sylpheed. It takes up 733K on my hard drive. Outrageous, isn’t it? I use a tiny, lightning-fast Web browser called Dillo. It’s secure as a rock because it doesn’t do Java, JavaScript, or ActiveX. It renders pages instantly. It’s 240K in size. They’re both in alpha testing, but they crash less for me than Internet Explorer 5.5 and Outlook 2000SP2. And don’t be fooled by the tiny size: I compiled them for speed, not size. If I’d used size optimizations they’d be a lot smaller.

8. Don’t run your Web site on IIS. Even the Gartner Group is recommending everyone abandon IIS ASAP. It’s impossible to keep up with the patches well enough to prevent outbreaks like Nimda. Nimda knows about 16(!) security holes in IIS that it can exploit in order to send itself to people who visit your Web page. Yes, people try to hack Apache. Of course they do–70% of the Web uses it. But I hear of one Apache vulnerability a year. That compares to one IIS vulnerability a week. It is fiscally and socially irresponsible to bank your business on such an insecure, poorly written piece of software. (This site runs on Apache, and its only downtime in five months has been from a power failure. Zero crashes, no having to take it down to apply a patch. My system uptime reads 112 days.)
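
Added example (not part of the original post): a Python check for the point in item 6 that HTML e-mail has no business carrying ActiveX, Java, or JavaScript, plus the run-on-double-click attachments from item 3. The tag list, extension list, and sample message are constructed for illustration, and the regex is a heuristic for triage, not an HTML sanitizer.

```python
import re
from email import message_from_string, policy

# Tags and attributes that make HTML mail "active" (ActiveX, Java, JavaScript).
ACTIVE_HTML = re.compile(
    r"<\s*(script|object|applet|embed|iframe)\b|\bon\w+\s*=|javascript:", re.I)
# Extensions Windows runs on double-click (illustrative, not exhaustive).
RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs", ".js")

def audit_message(raw):
    """Return a list of (kind, detail) findings for one raw RFC 822 message."""
    findings = []
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(("attachment", name))
        if part.get_content_type() == "text/html":
            for m in ACTIVE_HTML.finditer(part.get_content()):
                findings.append(("active-html", m.group(0).strip().lower()))
    return findings

# Constructed sample message (not taken from a real virus).
SAMPLE = """\
From: friend@example.com
To: me@example.com
Subject: Funny joke
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="us-ascii"

<html><body onload="run()"><p>Hi</p>
<script>run()</script><object classid="clsid:0000"></object></body></html>
--BOUND
Content-Type: application/octet-stream; name="joke.txt.exe"
Content-Disposition: attachment; filename="joke.txt.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAA=
--BOUND--
"""

if __name__ == "__main__":
    for kind, detail in audit_message(SAMPLE):
        print(kind, detail)
```

The double extension in the sample is there because the check looks only at the final extension, which is the one Windows acts on.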

2 thoughts on “Worst practices for e-mail”

  • September 25, 2001 at 5:31 am

    Dave,

    As always you hit the nail right on the head. I just expected one of your pieces of advice to be: seriously consider Linux as a viable alternative to Windows!

    I also got an experimental webserver up and running and it is incredible to see how fast my Apache logfiles fill up with garbage from Nimda and Code Red. Code Red is still extremely active judging from my logfiles.

    If you check out the following page: http://www.netcraft.co.uk/survey/ you will see in the table showing % of vulnerable Microsoft-IIS SSL sites, there is still an astounding 12.8% of the servers that have root.exe installed. It is almost incredible considering how much coverage we get on IIS viruses that we still have administrators out there that are not patching their servers.
    I would also like to point out a small contradiction in your writing. On e-mail you wrote: "Microsoft’s the biggest kid on the block, so their mail clients are the most frequent targets." On Apache you wrote: "Yes, people try to hack Apache. Of course they do–70% of the Web uses it."

    If your first statement was true then Apache would be a major security risk. I am tired of hearing the argument from (mostly MS people) that they are subject to hacks because they are the biggest and most visible. I am sure that the real reason is not because of that but because Microsoft makes software that is easy to hack. You said it yourself: "Microsoft continues to refuse to take security seriously."

    I downloaded Netscape 6.1 to run on my Windows machine and I am actually using it now for 98% of my browsing (yes, it actually is very good!). I am currently looking at the Netscape mailer but I had some problems importing mail. On my Linux machine I am experimenting with all different mail and web browsers! Quality is growing by the day….

    Keep up the good work.

    Dave T.

  • September 25, 2001 at 2:47 pm

    I should have clarified. In the Web space, yes, Apache is the biggest kid on the block. In the e-mail space, Microsoft is the biggest kid. Yes, Apache is the target of attacks. However, unlike IIS, Apache holds up under attack well. There are no known vulnerabilities in the current version of Apache. There’s a difference between being a target and having vulnerabilities. (See how Microsoft plays with words?)

    I did kind of come out and say you should consider Linux on the desktop, but I guess I didn’t explicitly say it. So I’ll say it now: Consider Linux on the desktop.
