Spam and Viruses: Unholy Matrimony, Part 2
Make no mistake about it -- spam and viruses are deliberate, malicious assaults on our systems that often work together to penetrate and compromise our networks. In the second article of a two-part series, Carla Schroder takes a look at client-side defenses for defeating the two-headed monster.
Last week in part 1 we looked at some rather extreme measures for keeping that demeritorious duo, spam and viruses, off our servers. Today we'll look at how to secure your users' email clients. The reason for employing layers of security at both the server and client level is simple, Grasshopper; do not depend solely on border defenses or the succulent soft underbelly of your network will remain at risk.
First Choose a Sensible Mail Client
I'm sure you've heard it a million times — “Don't use Outlook or Outlook Express.” It's darn good advice. Outlook is useful on an intranet, when you need the full scheduling, contacts, document sharing, and other groupware features. For Internet mail — well, its record speaks for itself. For those who really must use it, see Resources for tips on making Outlook not quite so insecure.
If all you need is a POP or IMAP mail client for Windows, Eudora, Pegasus, and Mozilla Mail are excellent choices. They are far less open to exploits, and they use generic mailbox formats instead of the “seekrit” proprietary formats of Outlook/Outlook Express. This makes disaster recovery and importing/exporting a lot easier, because the files can be read as plain text.
The Linux world is also full of excellent mail readers — Kmail, Balsa, Evolution, and Mozilla Mail, as well as the powerhouses Mutt and Pine for the über-guru, non-GUI console folk. What's nice about all of these is that in addition to having great feature sets, they are genuine standalone mail clients. In other words, you don't have to mess with a web browser to configure security settings.
Securing an Email Client
Spammers and virus writers are doing some incredibly creative – and malicious – things with HTML. Here are some simple tweaks that will make any mail reader more secure:
- Filter messages that are greater than 100 kilobytes; keep them on the server until you can look at them. Most commercial email accounts include Webmail, so it is easy to examine them before they reach your system. If you run the mail server on your end, it's even easier.
- Turn off HTML. Make the default plain text; neither an HTML spewer nor reader be. While Kmail has a nice feature that lets you turn on HTML for a single message, most mail readers are all-or-nothing.
- Do not allow messages to load external references from the Internet.
- Do not allow 'receive' or 'read' confirmations to be sent.
The last two items may not be a configurable option on all mail clients, and of course Mutt and Pine, being ASCII mail readers, will not render HTML. There's nothing to gain in any case by allowing external references to load — it's just a big hole to let mischief in. (OK, so you're maybe missing out on a "rich media experience." I'm soooo sorry.)
'Receive' or 'read' confirmations are up to you, although I've personally never seen the value in enabling them. Confirmations to spam messages only serve to let the spammers know they've found live, working addresses, and that you may even be foolish enough to open and read their spew. (And even if spam were not an issue, I prefer keeping the tried and true "The Internet must have eaten your message" option open.)
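As an added example (not from the original article), the Python check below applies the four-item checklist above to a raw message before any client renders it: the 100-kilobyte limit, HTML parts, references a renderer would fetch from the Internet, and receipt requests. The function and class names, the constructed sample message, and the choice of attributes and headers inspected are assumptions for illustration.

```python
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser

SIZE_LIMIT = 100 * 1024  # the article's 100-kilobyte threshold
RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To")  # assumed set

# Constructed sample: HTML-only mail with a 1x1 remote image and a read-receipt request.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"Subject: constructed sample\r\n"
    b"Disposition-Notification-To: sender@example.com\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b'<html><body><img src="http://tracker.example/p.gif?id=123" width="1">'
    b'<a href="http://example.com/">link</a></body></html>\r\n'
)

class RemoteRefFinder(HTMLParser):
    """Collect URLs an HTML renderer would fetch just by displaying the message."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            remote = re.match(r"(?i)\s*(https?:)?//", value or "")
            auto = name in ("src", "background") or (tag == "link" and name == "href")
            if remote and auto:  # plain <a href> needs a click, so it is not counted
                self.urls.append(value.strip())

def triage(raw: bytes) -> dict:
    """Report which items of the checklist a raw RFC 822 message trips."""
    msg = message_from_bytes(raw, policy=policy.default)
    finder, has_html = RemoteRefFinder(), False
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            has_html = True
            body = part.get_payload(decode=True) or b""  # undo base64/quoted-printable
            finder.feed(body.decode("utf-8", "replace"))  # tolerate bad charsets
    return {
        "oversize": len(raw) > SIZE_LIMIT,
        "html": has_html,
        "remote_refs": finder.urls,
        "receipt_requested": [h for h in RECEIPT_HEADERS if msg[h]],
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, the tracking image is reported while the ordinary link is not, because only the image is fetched automatically on display.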