Can email be infected if it doesn't have attachments?

Is it possible for an email message to contain malware if it doesn't have attachments or files of any kind?

 

Yes, but not if you've only viewed it as text. That's why text should be the default, and html only in extreme and trusted cases.

 

Would you explain how it's possible for an email to carry an infection without containing files of any kind (even with HTML format)?

 

Aaron,

A real example of this is a strain of the Bagle virus that exploits a security hole in MS Outlook and Outlook Express (for which Microsoft released a patch several month ago). For whatever reasons, lots of people don't keep their PC up to date with the latest patches, so viruses like this are successful.

This particular strain downloads via HTTP when the email is opened. The HTML within the email is coded to download and run a VisualBasic Script on the virus server, then the VBS connects to the same server and downloads the executable virus and runs it.

 

In addition to Appster's example, your privacy is compromised with html. Images or webbugs, third party or originating, reveals personal information about your computer, and reports every time you open the mail. Aggregate, the html mails form a picture of your interests and activities, just as third party cookies and webbugs at websites you visit with your browser.

 

Embedding a script in the HTML code
If you're using Thunderbird, get this add-on

 

I thought I read somewhere that only opening text messages was not 100% foolproof. Have to see if I can find that article.

 

Especially with HTML format.
Avoid any links in any e-mail as a general default rule
Today I got spammed with e-mails from CitiBank, ANZ Bank, Sun Bank and "Immediate Security Account Check" from A.N.other Bank: even in text: full of hyper links.

Total PITA: time waster typical of hijack of the ethernet....

 

I've heard this too. Please post if you do find any info.

innerpeace

 

There was a reported vulnerability with Outlook Express messages with hidden scripts inside a text message, but that was several years ago. I think I read something more recent.

http://www.securitytracker.com/alerts/2003/Jul/1007306.html

 

Thanks for the link ccsito. I'm not familiar with OE and I realize that the article is old, but if scripting was off in OE and/or you viewed the message in plain text, it looks like you were safe.

If you find anything else, let us know.

Thanks,
innerpeace