• Scripting in e-mail: Why you should disable it.

    #352625

    Hi
    I don’t want to hijack your thread, but sensible e-mailing suggests that you disable HTML, do not open (or, for that matter, send) attachments, get yourself a freebie e-mail scanner such as VCatch and a 2-way firewall (free again) such as Zone Alarm.
    If you’re going to protect yourself, do it right…

    • #514559

      I’d agree with getting a mail scanner and firewall, but disabling HTML and not opening attachments is going to make reading the bulk of e-mails difficult if not impossible.

      I have to agree with Woody in today’s office watch that it is totally unrealistic to expect business users not to open attachments. Only yesterday I sent 15 attached Word documents to my publishers, who rang me to say they wouldn’t be able to download them because they’d been infected with the Kournikova worm 🙂

      The main lesson (again) is to be cautious of what you are opening. IDG research last week reported that 30% of e-mail users would open an attachment named “I Love You”. I had one customer who had me clean his system of the Navidad virus only to ring me the following day to say he’d clicked on a Navidad.exe attachment again. Over the next week he managed to reinfect himself four times! I doubt that some users will ever learn. See http://www.theregister.co.uk/content/8/16668.html for more about the IDG story.

      Disabling the scripting in e-mail is more of a precaution. There have been no reports of the “wiretapping bug” being used. But scripting in e-mail could have been used by the author of the Anna worm and the victims wouldn’t have to click on the attachment to be infected.

      • #514671

        ..and I have to agree with you : it is totally unrealistic to expect business users not to try to open attachments – so don’t send ’em.

        1. Corporate network firewalls often trash ’em. I needed important updates from a commercial secure dialling firm. They tried to send me them via e-mail attachments. Our firewall made them impossible to execute. It may be that *.exe files and the like are automatically disabled.

        2. I have HTML permanently disabled, and get my e-mails text only. That way no inimical script gets on to my system. I haven’t noticed any difficulty with reading them.

        3. If you get dozens of e-mails a day, even one attachment of 1Mb is a real bind to wait for. I once had a spammer send me three, each identical and each of 5Mb. My usual sig has a tag which says : ‘if this e-mail has an attachment, it isn’t mine’. That way your correspondents are protected, though as one pointed out, the message would be more fitting at the start of the post. Regulars soon get used to your requirements. No one I know cyberwise ever sends me attachments.

        4. There’s a much better, safer and more courteous way to send people large(ish) files : use On-Line Storage. That way you only download what you know about and can clean. I use three different ones, and (cheapskate that I am) they provide around 50Mb free. If I wanted to show around my holiday snaps, that’s the way I’d do it.

        Cheers

        • #514738

          What you say is all true in theory. But in practice, attachments are an important part of e-mail. They are essential to many businesses’ operations and are part of many people’s enjoyment of using e-mail. E-mail attachments are not going to go away and people are not going to stop using them.

          Yes, there are corporate firewalls that trash attachments and there are others who outright refuse to accept attachments. Those businesses are suffering invisible costs through customers, suppliers and business partners not being able to properly communicate with them. I would suggest the costs to those businesses in both credibility and productivity are far higher than the odd virus infection.

          Interestingly enough off-line storage effectively nullifies the policies of the companies who impose draconian restrictions on e-mail. Who is to say the file on remote storage isn’t infected? Is it beyond a clever virus writer to come up with a ruse for users to open an infected file on a remote server? Anyway, I doubt many businesses would be happy putting documents in an on-line store where they have little control over who can get at it.

          • #514817

            Hi Paul
            A wealth of debatable points and no doubt about it, but much of my opinion is from practical experience alone and owes little to theory. It is however, my opinion and is not necessarily true for everyone. As they say, YMMV.
            My main point about e-mail attachments was aimed at non-business users : how many of us run a catcher such as VCatch, or inadvertently click on an attachment rather than saving it and running the Virus scanner over it? I only mention it really because of the number of users I come across in trouble from this very oversight. If only it were a case of ‘the odd virus infection’. In a similar vein, attachments don’t give you the option to reject them.
            In the business sector, I can’t really comment with any authority : not that that stops me. I’m not sure why you feel not using attachments stops proper communication – a great many could be better sent as text within the body of the message itself. And I do not really see why a company needs HTML enabled e-mail. Is it not just asking for trouble? I would also take you up on the point about companies suffering loss which is higher than the virus infection. Since a malicious virus can knock out your trading completely (and even destroy vital data) I feel a systems manager owes it to his employers not to risk a massive potential loss.
            As far as OLS goes, I’m sorry to say I don’t think your arguments hold water. It doesn’t really matter that the file downloaded is infected – you’re going to scan it anyway. The companies selling you OLS (presumably as a business you would not go for the freebie option) have to make sure your files are safe from prying eyes. You can only log on to your space with the appropriate security, and with really sensitive stuff you could encrypt it first, although I haven’t actually tried that. I would say that the user would demand (and get), total control over access, otherwise the idea would disappear without trace, its main foundation having been undermined. I can hear the sounds now of lawyers rubbing their hands together should some firm have their files penetrated whilst on an external ‘secure’ server. Bank deposit boxes are an ‘external’ form of storage and I would have to say that OLS, to be workable, must be just as secure. Anything less would be useless.
            I don’t doubt the popularity of e-mail attachments, just as I don’t doubt the popularity of unprotected sex. Doesn’t mean we should accept it in silence though, and it sure doesn’t make it a sensible thing to do, except with someone we’d trust with our lives…
            Cheers

        • #514769

          a properly setup content filter will stop only specific file types. if the admin is blocking all attachments, you need a new admin.

          i occasionally do some tech editing on the side and we send files back and forth using email. online storage would require too many extra steps, which takes too long compared to the fairly small file size.

          • #514814

            Hi MaryJ
            I think our system manager knows what he’s doing, and I would not try to persuade him to adopt another method. Mind you, he still thinks it’s best to turn computers off at night… The set-up does not actually ‘block’ attachments, it simply alters executables in such a way that they don’t er.. execute.
            In a case such as the one you describe, I’m inclined to agree. However, it’s not the usual use most people put e-mail to. By the sound of it you are in a ‘trusted’ environment, where you are quite sure the attachment is uninfected, as it comes from someone you know and trust. (Possibly even within an intranet). All I can say is there are attachments and attachments : yours are the first type.
            I’m not sure why OLS should involve many more steps, unless you’re sending a lot of little files frequently. I know that if I wanted to send weekly 50 small files to 70 people, I’d zip ’em up, upload the zip each week and make sure the seventy were in my Ring. On a regular basis, this has to be efficient at least. Having said all that, I still think that ‘normal’ e-mail from relative strangers is safer without attachments being involved, and that’s without even discussing the size question. YMMV.
            Cheers

            • #514818

              i’m not always in a trusted environment, i often get small (50kb) word docs from people who work for publishing companies. i don’t know some of the people, only that they say they work for a publisher and need my input on a file.

              Some of the word docs do have macros, some docs have been infected, fortunately i have two levels of virus protection, the server scans attachments and my desktop scanner scans them also.

              the majority of people do require attachments to do business, the majority don’t have a clue how to use shared storage. for a 50kb file it takes too long to upload it somewhere and provide the url. it’s just too inconvenient compared to clicking file > send to > as attachment.

              when mail arrives with attachments and the message body explains what the attachment is for, i open it directly from outlook. if i’m working offline, i have the file with me wherever i am. if a url was included, i’d have to wait till i had a connection and download it. most people do not have full time connections BTW and connecting to get a file would take too long, it might take 2 min to dial in and log on but only a few seconds to download a small file. so much bother when the email client can do it for you.

              same goes for uploading. which is faster for the majority of users: dial in, log on the storage site, upload the file or just attach to mail and let the mail client handle everything. time IS money.

              i stand by my comments: a properly secured mail server run by properly trained staff will not have a problem with typical business attachments.

              As pcrescue said, the businesses who refuse attachments and require other methods of file transfer are incurring more expense in the long run and will eventually lose, both in worker productivity and new business.

              the company i work for had a problem with anna k. hundreds came into the server, those were stopped by content filters because they were vbs files. unfortunately some employees used browsers to check personal accounts and set off the virus. that is one loophole that will be closed and it won’t be done by forcing users to find alternate file transfer methods because it’s not an attachment issue, it’s a “user issue” (aka “luser issue” to many admins) and we’ll deal with those users. the kid who wrote the virus was right, if users weren’t so stupid….
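
The kind of content filter discussed in this sub-thread (stop specific file types such as .vbs rather than every attachment, and flag scripted HTML bodies), sketched as an added example that is not part of any poster's message. The extension list beyond .vbs and .exe, the function names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed blocklist: .vbs and .exe come from the thread, the rest are illustrative.
BLOCKED_EXT = {".exe", ".vbs", ".js", ".scr", ".pif", ".bat", ".com"}
# Coarse check for <script> tags or inline event handlers (onload=, onclick=, ...).
SCRIPT_RE = re.compile(r"<\s*script\b|\bon[a-z]+\s*=", re.IGNORECASE)

def scan_message(raw):
    """Return (reason, detail) findings for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            # Only the last extension decides how the file is run,
            # so "holiday.jpg.vbs" is judged as .vbs, not .jpg.
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in BLOCKED_EXT:
                findings.append(("blocked-attachment", name))
        elif part.get_content_type() == "text/html":
            if SCRIPT_RE.search(part.get_content()):
                findings.append(("html-script", "script or event handler in HTML body"))
    return findings

def build_sample():
    """Constructed test message: scripted HTML body, one .doc, one disguised .vbs."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "reader@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("plain text body")
    m.add_alternative('<html><body onload="x()"><script>x()</script>hi</body></html>',
                      subtype="html")
    m.add_attachment(b"dummy", maintype="application", subtype="msword",
                     filename="chapter1.doc")
    m.add_attachment(b"dummy", maintype="application", subtype="octet-stream",
                     filename="holiday.jpg.vbs")
    return m.as_string()

if __name__ == "__main__":
    for reason, detail in scan_message(build_sample()):
        print(reason, detail)
```

The Word document passes while the double-extension script file and the scripted HTML part are flagged, which is the "specific file types only" behaviour argued for above.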

            • #514823

              Hi Mary J
              Quote : a properly secured mail server run by properly trained staff will not have a problem with typical business attachments.
              Of course it won’t. But, with respect, that’s begging the question. We are not dealing ever with all three at once of ‘properly secured email servers’, ‘properly trained staff’ or ‘typical business attachments’. If we were, viruses wouldn’t stand a chance.
              We shall have to agree to differ, I’m afraid.
              Regards

    • #513456

      Reports today have again appeared in the press about the risks of embedded scripting in e-mail. I have been advising my customers to set Outlook and Outlook Express to the restricted security setting and customise the setting so scripting is disabled. The following articles further confirm the reasons why you should do so too.

      If you are linking Outlook to programs such as ACT or Intellisync, connecting to PDAs such as Palms or Psions, or using Net Folders, check that your link works after disabling the scripting. Some of these programs rely on Windows Scripting.

      http://www.theregister.co.uk/content/6/16655.html
      http://www.privacyfoundation.org/advisorie…ailwiretap.html
