Every day for 2 weeks last month, the latest round of the Klez email virus pummeled my computer. So I'd like to dedicate this month's column to safe email practices. To avoid the spread of viruses, you should use a combination of technology and common sense. These 10 tips can help you ensure that you're practicing safe email.
10. Install an antivirus product—Almost all the popular antivirus products automatically scan incoming email for viruses. Such protection is an absolute requirement. However, antivirus products are always one step behind the latest viruses, so don't think you can forget about virus protection just because you install a product.
9. Don't assume you're safe just because you don't use Microsoft Outlook 2002—Although Outlook is one of the most popular virus targets, no email client is immune from this kind of attack. Many viruses spread in the form of attachments, so all you need to do is open one and you're infected.
8. Remember that Microsoft doesn't send updates through email—A popular exploit among virus authors is to use subject tags and text to trick you into opening attachments or clicking on embedded links in email text. The latest ironic twist to this trick is disguising viruses as security patches. Never open an email attachment that appears to be a Microsoft update—it isn't.
7. Never run the executable files in a pop-up window that an email message displays—Another popular virus-author tactic is to embed executable files in an email message's HTML text. When you open the message, a pop-up window prompts you to open the executable files. To eliminate these annoying pop-up windows, turn off the Outlook Preview Pane by selecting View and clearing the Preview option.
6. Install the most recent Microsoft Internet Explorer (IE) and Outlook security updates, if possible—Virus writers constantly uncover new exploits, but Microsoft has been diligently filling the holes people find. Getting caught by a known exploit is equivalent to getting caught with your pants down. You can find Microsoft's security updates and information at http://www.microsoft.com/security.
5. Take advantage of Outlook's security settings—You might not be able to use the Outlook Security Update (http://www.microsoft.com/office/outlook/evaluation/security.asp) because it won't let you receive executables. However, you can increase Outlook's security level by selecting Tools, Options, Security, Zone Settings. Select the Internet zone, then click Custom Level. In the Security Settings dialog box, disable the ActiveX controls and plugins options and the Active scripting option.
4. Don't open email attachments that have file extensions of .bat, .vbs, .shs, .pif, or .scn if you can help it—Safe attachments rarely use these extensions, but they're a favorite choice among virus writers because they carry executable instructions.
3. Don't open attachments that have double file extensions—Although you can create and use files that have double extensions, the practice is unusual except among virus writers, for whom it's a common subterfuge.
2. Configure Windows to show file extensions—Microsoft's decision to make Windows automatically hide file extensions is the worst design decision the company has ever made. If you can't see the extension, virus writers can easily fool you about a file attachment's true nature. In Windows 2000, you can view file extensions by opening Windows Explorer, selecting Tools, Folder Options, View, and clearing the Hide file extensions for known file types check box.
1. Never directly open an attachment—Save all attachments and scan them for viruses before you open them. Anyone, even your best friend, can inadvertently pass along a virus.
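
The filename checks from tips 4 and 3, sketched as a mail-filter step in Python (an added example, not code from the column). The function names, the constructed sample message and the "looks like an extension" heuristic are assumptions; the extension list is the one given in tip 4.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions exactly as listed in tip 4 of the column.
RISKY_EXTENSIONS = {".bat", ".vbs", ".shs", ".pif", ".scn"}
# Heuristic (assumption): an extension is 2-4 characters and starts with a
# letter, so "notes.2002.txt" is not reported as a double extension.
LOOKS_LIKE_EXT = re.compile(r"^[a-z][a-z0-9]{1,3}$")


def classify_filename(name):
    """Return the reasons (possibly none) to treat an attachment name with caution."""
    # Windows drops trailing dots and spaces, so "x.vbs. " is still a .vbs file.
    cleaned = name.strip().rstrip(". ").lower()
    parts = [p.strip() for p in cleaned.split(".")][1:]  # drop the base name
    reasons = []
    if parts and "." + parts[-1] in RISKY_EXTENSIONS:
        reasons.append("risky extension ." + parts[-1])
    if len(parts) >= 2 and LOOKS_LIKE_EXT.match(parts[-2]):
        reasons.append("double extension ." + parts[-2] + "." + parts[-1])
    return reasons


def scan_message(raw_bytes):
    """Map each suspicious attachment filename in a raw message to its reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = classify_filename(name)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample():
    """Constructed test message; attachment bodies are harmless placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in ("minutes.txt", "invoice.doc.pif", "setup.BAT", "notes.2002.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```

A filter like this only narrows what reaches the user; flagged or not, attachments still get saved and scanned before opening, as tip 1 says.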