Question re e-mail hazards

The machines we love to hate

Moderator: Wiz Feinberg

Brint Hannay
Posts: 3962
Joined: 23 Dec 2005 1:01 am
Location: Maryland, USA
State/Province: Maryland
Country: United States

Question re e-mail hazards

Post by Brint Hannay »

I guess nobody else who reads this section has gotten any of the fraudulent e-mails I posted about.

But in that post I also asked a question I'd really like to know the answer to:

Can it be dangerous to open an e-mail you suspect, or know, is bogus, even if you don't click on anything in the e-mail?
Wiz Feinberg
Posts: 6117
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Re: Question re e-mail hazards

Post by Wiz Feinberg »

Brint Hannay wrote: I guess nobody else who reads this section has gotten any of the fraudulent e-mails I posted about.

But in that post I also asked a question I'd really like to know the answer to:

Can it be dangerous to open an e-mail you suspect, or know, is bogus, even if you don't click on anything in the e-mail?

Yes and no. It depends on your operating system, service pack level, email client used and security setting used in the email client.

In my years of fighting spam and scams, I have written about several email attacks that were carried out with JavaScript commands meant to take over an unsecured modem/router combo. These were very successful in Mexico and Brazil and led to DNS poisoning and the emptying of victims' bank accounts.

There are email attacks that use attached html files to carry out malicious purposes upon them being opened. There have been some attempts to use JavaScript redirection as the message body loads. Most of these attempts only succeed against outdated email clients, like Outlook Express, running with less than stellar security settings (e.g. not in Restricted Zone).

Aside from these few scripting runs, most spam and scam email comes straight at you, using various come-ons to entice you into clicking a dangerous link, or opening an attached file and executing a Trojan installer knowingly (not understanding what the Horse carries in its belly!).

If you are using a fully supported operating system, with all vendor-issued patches and updates, and your email client is set up to open email messages with less than full privileges, you are most likely safe from automatic exploits. But, how are you to know when an email contains a scripted exploit?

It is safer to make sure that your computer has modern, up-to-date security software running, which intercepts and scans email messages as you download them.

If you have a modem/router combo, change the default password. If you have a separate modem and router, change the default password on the router. If possible, change the security for logging onto the router to https only. Also, change the IP address of the router. This will defeat most scripted router attacks via email or html pages.

Cross-site Scripting attacks are still launched against browsers, in the hopes that some of them will still be logged into their router web interfaces. Some older browsers are susceptible to cross-site scripting attacks on an open tab, even if it is not in focus. Log out of the web interface of the router when you are done with whatever you were doing in there. Close and restart the browser to flush secure sessions out of the cache. Upgrade your browsers to the very latest version. Use Firefox if possible, with the NoScript! Add-On.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
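
Added example, not part of the posts above: a Python check that inspects a raw message without rendering it and flags the three patterns the reply describes, namely script in the HTML body, HTML attachments, and URLs aimed at private (router-style) addresses. The sample message, the finding labels and the function names are constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message, not a real e-mail.
SAMPLE = b"""\
Subject: Invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><script>/* placeholder */</script>
<img src="http://192.168.1.1/placeholder"></body></html>
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="invoice.html"

<html><body>placeholder</body></html>
--b1--
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)

def is_private_host(url):
    """True if the URL's host is a literal private or loopback IP address."""
    try:
        return ipaddress.ip_address(urlparse(url).hostname or "").is_private
    except ValueError:  # host is a name, not an IP literal
        return False

def triage(raw):
    """Return sorted findings for one raw message, without rendering it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = set()
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        if part.get_content_disposition() == "attachment":
            findings.add("html-attachment:" + (part.get_filename() or "?"))
            continue
        html = part.get_content()
        if re.search(r"<script\b", html, re.I):
            findings.add("script-in-body")
        findings.update("private-address-url:" + urlparse(u).hostname
                        for u in URL_RE.findall(html) if is_private_host(u))
    return sorted(findings)
```

Calling `triage(SAMPLE)` returns one finding per pattern; a plain-text message returns an empty list because only `text/html` parts are inspected.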