The Secret Life of Email

This article follows the path of an email message and its attachments through your PC, and illustrates the difference between email applications that hide incoming attachments within mailbox data and those that don't.  Each message can contain four types of risk (or non-risk), which can be tracked separately, namely:

- the message text itself (nothing is run or interpreted; the non-risk)
- scripts embedded in an HTML message body
- normal, correctly-MIME-encoded file attachments
- MIME-spoofed attachments, i.e. attachments whose MIME headers misdescribe what they actually are

There are other "features" of HTML email that have privacy implications, such as links to remote graphics that can confirm receipt of email, toxic links, links to hostile sites, and cookies.  But I'll focus on those risks that can be used to attack the system by running or interpreting code, which is all but the first of the above list.

Outlook Express

Outlook Express is typical of email applications that hide attachments in mailboxes, though it has a higher risk than most where MIME-spoofed attachments and scripts embedded in the "message" are concerned.

Message + Scripts + Attachments + MIME-spoofed ---X---> mailbox
:
:
:
:
Message is (pre)viewed: Scripts, MIME-spoofers automatically run
App "opens" MIME-spoofed attachment: Attachment ---x---> file ---> executed
User "opens" normal attachment: Attachment ---x---> file ---> executed
:
:
Message is (pre)viewed: Scripts, MIME-spoofers automatically run
App "opens" MIME-spoofed attachment: Attachment ---x---> file ---> executed
User "opens" normal attachment: Attachment ---x---> file ---> executed
:
On-demand virus scan cannot detect or clean attachments
:
Message is (pre)viewed: Scripts, MIME-spoofers automatically run
App "opens" MIME-spoofed attachment: Attachment ---x---> file ---> executed
User "opens" normal attachment: Attachment ---x---> file ---> executed
:
etc.

X indicates definitive opportunities for antivirus intervention.  If one of these is handled effectively, then the risk is permanently cleared for that item of content.

x indicates per-instance opportunities for antivirus intervention.  If any of these is missed, you will be hit; they cannot permanently clear the risk for that item of content.

The points of risk exposure are the places where content actually gets run or interpreted: scripts and MIME-spoofed attachments running when the message is (pre)viewed, and attachment files being executed.

The details:

Message + Scripts + Attachments + MIME-spoofed enter the system as one lump, from the ISP's POP3 server to the PC's POP3 client.   The ISP may scan for malware on the user's behalf, and in-house mail servers may go further and scan for risks rather than malware (e.g. strip out all executable file attachments, etc.).

The POP3 client is usually the email application itself (in this case, Outlook Express), but a resident antivirus utility can patch into the process by acting as the POP3 client: it fetches the mail from the ISP's POP3 server, and the email application then gets the mail from the antivirus utility rather than from the ISP.  This is the only opportunity to detect and clean malware before it enters (and is hidden within) the mailbox.

All four types of content are stored within the mailbox.  When you "open" an attachment, it is created as a file and immediately "opened" according to the default action as defined by Windows' file association for that file type.  Resident ("underfootware") antivirus should check the file as it is created, but that is the only opportunity to intervene - and as the attachment within the mailbox can never be cleaned, the resident antivirus has to catch the malware every time that attachment is "opened" from the message.

Depending on the security settings in both Outlook Express and Internet Explorer, any HTML embedded scripts will be run automatically whenever the message is viewed or previewed; if you can see the "message text", you have been hit.  Until recently, Outlook Express defaulted to handling email in the "Internet Zone", and even if you selected "Restricted Zone" instead, the default "high security" template used would allow active scripting, Java, and ActiveX controls "marked safe for scripting" to be run automatically without a warning prompt.

As shipped with all versions of Windows up to but excluding Windows XP, Outlook Express will automatically execute MIME-spoofed attachments whenever the message is viewed or previewed - i.e. if you can see the "message text", you have been hit.  Unlike the script risk, this cannot be risk-managed via suppression of scripts!  The cause is a flaw in Internet Explorer's MIME handling: an attachment whose headers declare a type the engine treats as safe to open without prompting is opened on that basis, even though the bytes are an executable.  Because the flaw lives in the rendering engine, it affects anything that uses this engine to display HTML - Outlook Express, Outlook, Internet Explorer, Windows itself, and any application that passes HTML to Windows or Internet Explorer to be interpreted.

Most email applications don't autorun embedded scripts or MIME-spoofed attachments - but if they hide attachments within mailboxes, as most do, then that part of the risk profile is the same.  Effectively, one is forced to rely on resident antivirus protection (running "underfoot" all the time) with this attachment management strategy.

Eudora

Eudora is an email application that creates attachments as files as they arrive.

Message + Scripts ---X---> mailbox
MIME-spoofed attachments ---X---> Embedded directory
  - file is not autorun by Eudora
  - no link in message to attachment created in Embedded
  - so file is not launchable by user from within message
Normal attachments ---X---> attachment directory
Y
Y
Y
Y
Y
Message is (pre)viewed: Scripts, MIME-spoofers etc. are not run
User "opens" normal attachment: Attachment ---X---> file ---> executed
Y
Y
Message is (pre)viewed: Scripts, MIME-spoofers etc. are not run
User "opens" normal attachment: Attachment ---X---> file ---> executed
Y
On-demand virus scan detects and cleans attachments
Y
Message is (pre)viewed: Scripts, MIME-spoofers etc. are not run
User "opens" normal attachment: Attachment ---X---> file ---> executed
Y
etc.

Y indicates opportunities for on-demand antivirus scanning to definitively and permanently clear the risk for a particular item.  There are no such opportunities where attachments are hidden in mailboxes.

As you can see, only correctly-MIME-encoded file attachments pose a risk, and one which is under the user's control at that.  If the user doesn't click, no risk.   Because attachments are created as files as they arrive, any antivirus sweep at any time between the arrival of the message and "opening" the attachment permanently clears the risk.

The details:

As before, message + Scripts + Attachments + MIME-spoofed enter the system as one lump, from the ISP's POP3 server to the PC's POP3 client.  The ISP may scan for malware on the user's behalf, and in-house mail servers may go further and scan for risks rather than malware (e.g. strip out all executable file attachments, etc.).

The POP3 client is usually the email application itself (in this case, Eudora), but a resident antivirus utility can patch into the process by acting as the POP3 client: it fetches the mail from the ISP's POP3 server, and the email application then gets the mail from the antivirus utility rather than from the ISP.

Only the message and embedded scripts are stored within the mailbox.  MIME-spoofed attachments are created in an Embedded directory within the email data set, but they are not autorun, and there is no link to these files within the message (so effectively, they are "auto-quarantined").   Normal attachments are created as files in the location specified within Eudora's settings; by default, this is in an Attach directory within the email data set, but you can (and in my opinion, should always) override this.

When you "open" an attachment from within the message, the existing file in the attachment location is "opened" according to the default action as defined by Windows' file association for that file type.  If the file has been deleted, the link icon within the message will have a red X over it to show the file cannot be opened.  If the file has been cleaned, then it is this cleaned version of the file that is opened.  In other words, you only have to detect and clean an attachment once for it to be safe from that point ever onwards.

By default, Eudora will not run HTML embedded scripts.  Unless you deliberately change this behaviour via Eudora's settings, these scripts pose no risk and can be ignored.  However, Eudora defaults to using "Microsoft's viewer", which could inherit any unchecked buffer risks etc. that apply to Microsoft's HTML rendering engine; fortunately, there is a setting to disable the Microsoft viewer and thus avoid these risks.
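The following Python script is an added illustration, not part of this article and not code from Eudora, Outlook Express or any antivirus product.  It takes a constructed sample message, sorts its parts into the four types tracked above (message, scripts, normal attachments, MIME-spoofed attachments, as discussed in the Outlook Express section), and then delivers them the way the Eudora section describes: attachments become files as they arrive, a spoofed one is parked in an Embedded directory with no link in the stored message, and an on-demand sweep over the attachment directories clears the risk permanently.  The spoof test (declared Content-Type contradicted by magic bytes or an executable extension), the Attach/Embedded directory names, the "Attachment Converted:" marker line and the "MZ" signature used by the stand-in scanner are all assumptions made for the example; a real scanner does far more than match two bytes.

```python
import os
import re
import tempfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed: extensions Windows would run via its file association when "opened".
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
EXEC_TYPES = {"application/x-msdownload", "application/x-msdos-program"}
# Assumed: a tiny magic-byte table, enough to show a declared type that lies.
MAGIC = [(b"MZ", "application/x-msdownload"), (b"RIFF", "audio/x-wav"),
         (b"%PDF", "application/pdf"), (b"\x89PNG", "image/png")]
SCRIPT_RE = re.compile(rb"<script\b|javascript:|vbscript:", re.IGNORECASE)

def sniff(data):
    """MIME type the leading bytes actually indicate, or None if not in the table."""
    return next((mime for magic, mime in MAGIC if data.startswith(magic)), None)

def is_mime_spoofed(declared, filename, data):
    """True when the declared Content-Type contradicts the bytes or the extension."""
    if declared == "application/octet-stream":   # makes no claim, so cannot contradict
        return False
    sniffed = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    return ((sniffed is not None and sniffed != declared)
            or (ext in EXECUTABLE_EXTS and declared not in EXEC_TYPES))

def build_sample_message():
    """Constructed input: a script in the HTML body, one honest attachment, and one
    declared audio/x-wav whose payload is a PE executable (starts with "MZ")."""
    msg = EmailMessage()
    msg.set_content("Plain text alternative.")
    msg.add_alternative("<html><body>Hi<script>alert(1)</script></body></html>", subtype="html")
    msg.add_attachment(b"quarterly notes", maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="audio", subtype="x-wav",
                       filename="readme.exe")
    return msg.as_bytes()

def deliver(raw, base_dir):
    """Split a message Eudora-style: body text (scripts included) goes to the mailbox, normal
    attachments become linked files in Attach, spoofed ones unlinked files in Embedded."""
    attach_dir = os.path.join(base_dir, "Attach")
    embedded_dir = os.path.join(base_dir, "Embedded")
    for d in (attach_dir, embedded_dir):
        os.makedirs(d, exist_ok=True)
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    risks = {"message": [], "scripts": [], "attachments": [], "mime_spoofed": []}
    mailbox = []                                   # what the mailbox file would contain
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        filename = part.get_filename()
        if filename is None:                       # body text: stays in the mailbox
            key = "scripts" if ctype == "text/html" and SCRIPT_RE.search(data) else "message"
            risks[key].append(ctype)
            mailbox.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
            continue
        # Never trust a sender-supplied path: keep the leaf name only (either separator).
        safe_name = os.path.basename(filename.replace("\\", "/")) or "unnamed"
        if is_mime_spoofed(ctype, safe_name, data):
            path = os.path.join(embedded_dir, safe_name)
            risks["mime_spoofed"].append(path)     # file exists; the message never links to it
        else:
            path = os.path.join(attach_dir, safe_name)
            risks["attachments"].append(path)
            mailbox.append(f"Attachment Converted: {path}")   # assumed marker line for the link
        with open(path, "wb") as fh:
            fh.write(data)
    return "\n".join(mailbox), risks

def on_demand_scan(directory, signature=b"MZ"):
    """Stand-in on-demand sweep: delete files beginning with the (constructed) signature.
    Because attachments are files, a hit here clears the risk for that item for good."""
    removed = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        with open(path, "rb") as fh:
            hit = fh.read(len(signature)) == signature
        if hit:
            os.remove(path)
            removed.append(path)
    return removed

def open_attachment(path):
    """What the stored link does: open the file if it still exists, else show the red X."""
    return "opens" if os.path.exists(path) else "red X (file deleted)"

def run_demo():
    """Deliver the sample, note what each link would do, scan both directories, note again."""
    base = tempfile.mkdtemp(prefix="eudora_demo_")
    mailbox, risks = deliver(build_sample_message(), base)
    files = risks["attachments"] + risks["mime_spoofed"]
    before = {p: open_attachment(p) for p in files}
    removed = (on_demand_scan(os.path.join(base, "Embedded"))
               + on_demand_scan(os.path.join(base, "Attach")))
    after = {p: open_attachment(p) for p in files}
    return {"mailbox": mailbox, "risks": risks, "before": before, "removed": removed, "after": after}
```

Calling run_demo() shows the whole cycle: before the sweep both files exist, but only notes.txt has a link in the stored message text; after the sweep readme.exe is gone from Embedded, notes.txt still opens, and nothing remains in the mailbox that could recreate the spoofed file.  Contrast this with the Outlook Express model above, where the same readme.exe would have stayed inside the mailbox and been re-created as a fresh file every time the message was viewed.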

In summary:

The attachment model used by Eudora makes it possible for savvy users to use on-demand antivirus scanning alone.  As long as they electively scan the attachment location after getting email, and before "opening" any attachments, they are as safe as the efficacy of that antivirus scanner allows.  This permits old systems to avoid the slowdown (and instabilities, and software costs) imposed by resident "underfootware" antivirus software.

Also, should the system ever be infected, it can be relied upon to be clean after a formal virus check - without any risk of re-infection from uncleanable malware hidden in the mailboxes.  That leaves you with Windows ME's (or XP's) System Restore as the only internal source of re-infection.


(C) Chris Quirke, all rights reserved - December 2002
