Can email be infected if it doesn't have attachments?

Discussion in 'other security issues & news' started by Aaron Here, Mar 4, 2008.

Thread Status:
Not open for further replies.
  1. Aaron Here

    Aaron Here Registered Member

    Joined:
    Jun 4, 2006
    Posts:
    1,205
    Location:
    USA
    Is it possible for an email message to contain malware if it doesn't have attachments or files of any kind? :doubt:
     
    Last edited: Mar 4, 2008
  2. Empath

    Empath Registered Member

    Joined:
    Nov 13, 2002
    Posts:
    178
    Yes, but not if you've only viewed it as text. That's why text should be the default, and html only in extreme and trusted cases.
     
  3. Aaron Here

    Aaron Here Registered Member

    Joined:
    Jun 4, 2006
    Posts:
    1,205
    Location:
    USA
    Would you explain how it's possible for an email to carry an infection without containing files of any kind (even with HTML format)?
     
  4. appster

    appster Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    530
    Location:
    Paradise (Hawaii)
    Aaron,

    A real example of this is a strain of the Bagle virus that exploits a security hole in MS Outlook and Outlook Express (for which Microsoft released a patch several month ago). For whatever reasons, lots of people don't keep their PC up to date with the latest patches, so viruses like this are successful.

    This particular strain downloads via HTTP when the email is opened. The HTML within the email is coded to download and run a VisualBasic Script on the virus server, then the VBS connects to the same server and downloads the executable virus and runs it.
     
  5. Empath

    Empath Registered Member

    Joined:
    Nov 13, 2002
    Posts:
    178
    In addition to Appster's example, your privacy is compromised with html. Images or webbugs, third party or originating, reveals personal information about your computer, and reports every time you open the mail. Aggregate, the html mails form a picture of your interests and activities, just as third party cookies and webbugs at websites you visit with your browser.
     
    Last edited: Mar 4, 2008
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Embedding a script in the HTML code :)
    If you're using Thunderbird, get this add-on
     
  7. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    I thought I read somewhere that only opening text messages was not 100% foolproof. Have to see if I can find that article. :doubt:
     
  8. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Especially with HTML format.
    Avoid any links in any e-mail as a general default rule
    Today I got spammed with e-mails from CitiBank, ANZ Bank, Sun Bank and "Immediate Security Account Check" from A.N.other Bank: even in text: full of hyper links.

    Total PITA: time waster typical of hijack of the ethernet....
     
  9. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    I've heard this too. Please post if you do find any info.

    innerpeace
     
  10. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
  11. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Thanks for the link ccsito. I'm not familiar with OE and I realize that the article is old, but if scripting was off in OE and/or you viewed the message in plain text, it looks like you were safe.

    If you find anything else, let us know.

    Thanks,
    innerpeace
     
Loading...
Thread Status:
Not open for further replies.