I was reminded of today's tip of the day by one of our readers, Jim Hendrick. I personally get really annoyed at all the "cutesy" HTML e-mails I seem to get these days whose only real purpose is to take up space. Why send a 6K text message when you can fancy it up and send a 150K message instead? After all, we all have bandwidth and disk space to burn these days, right?!

I've used e-mail for about 25 years, first on CompuServe, and then as a business tool beginning in about 1987. Early on I used elm on various Unix machines, and when I first got a POP account, Eudora on my old Mac. For the last 10 years or so I've used pine and PC-Pine, and more recently, occasionally, Thunderbird for most of my IMAP e-mail, but for work the corporate standard at my day job is Outlook 2003.

I haven't gone back and counted recently, but I'd wager a guess that in the last 2 years there have probably been at least a dozen vulnerabilities in Outlook and/or IE where the suggested workaround (by Microsoft) was to read e-mail as text only. Reading in plain text means the HTML body is never handed to the rendering engine, so a malformed message can't trigger a parsing or rendering bug just by being previewed. My first recommendation (which I realize is not practical in many corporate environments, including mine) is to switch to a different e-mail client (partially for the diversity reasons mentioned in yesterday's Tip of the Day), but if you can't, at least switch to plain text as your default (you can always render the HTML for those messages that are completely indecipherable as text). This isn't that hard to do, even in Outlook and even if you feel the need to use the preview pane.

In Outlook 2003 (the only version I have available to me at the moment), this is pretty simple. From the Tools menu choose Options. In the box that pops up, choose the Preferences tab and click on the E-mail Options button. In the subsequent box there are a number of checkboxes in the top half of the dialog. Check the bottom two, "Read all standard mail as plain text" and "Read all digitally signed mail in plain text". Click OK and you're half done.

I also recommend that you click on the "Mail Format" tab and *send* all your e-mail as plain text, too. Finally, http://support.microsoft.com/kb/307594 describes a registry key (that can be set via Group Policy) for Office XP SP1 and later that forces the default to read all e-mail as plain text.
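For anyone who would rather script the registry change than click through the dialog on every machine, here is an added example (not part of the original diary) that sets the ReadAsPlain value from KB 307594 for the current user and reads it back to confirm. It assumes Outlook 2003, whose settings live under the Office version key 11.0 (Outlook 2002/XP uses 10.0); the variable and message names are mine.

```powershell
# Added example, not from the original diary: force Outlook to read all
# standard (non-signed) mail as plain text via the ReadAsPlain value
# documented in KB 307594.
# Assumption: Outlook 2003, i.e. Office version key 11.0 (Outlook 2002 = 10.0).

$officeVersion = '11.0'
$keyPath = "HKCU:\Software\Microsoft\Office\$officeVersion\Outlook\Options\Mail"

# The Options\Mail key may not exist yet on a fresh profile; create it.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# REG_DWORD 1 = read standard mail as plain text; 0 (or absent) = render HTML.
Set-ItemProperty -Path $keyPath -Name 'ReadAsPlain' -Value 1 -Type DWord

# Read it back so the script fails loudly if the write did not take.
$current = (Get-ItemProperty -Path $keyPath -Name 'ReadAsPlain').ReadAsPlain
if ($current -eq 1) {
    Write-Output "ReadAsPlain=1 set under $keyPath (restart Outlook to apply)"
} else {
    Write-Error "ReadAsPlain is not set as expected (value: $current)"
}
```

On a 2006-era Windows XP box without PowerShell, the same write is one line with the built-in reg.exe: `reg add "HKCU\Software\Microsoft\Office\11.0\Outlook\Options\Mail" /v ReadAsPlain /t REG_DWORD /d 1 /f`. Either way, the value is per-user, so to enforce it across a domain deploy it through Group Policy as the KB article suggests rather than relying on users to run it themselves.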
Jim Clausing, jclausing <at> isc.sans.org
Aug 7th 2006