Can I really catch an email virus just by looking?

It used to be possible that simply viewing a malformed email could allow a virus to spread, but that's no longer the case with modern mail programs.

New malware (including viruses) appears every day and it seems like they’re constantly getting smarter and craftier. And of course, each new piece of malware is an opportunity for even more people to become infected.

In the past, asking if you could catch an email virus just by reading your email would get laughs from the techie geeks in the crowd. “Of course not!” they would giggle.

Then came Outlook. Not only could opening an email infect your machine, but for a while, you didn’t even have to be present to do it.

And the geeks stopped giggling.

For a while.

Fortunately, today things are different.

Of HTML, DHTML and Javascript

HTML is the “language” of the web – it’s the way web pages are encoded and described to your browser so that it can draw, display, and make the web pages appear as the designer intended.

DHTML, for Dynamic HTML, and Javascript, a programming language, added to HTML something it didn’t have by itself: the ability to do things. By “doing things,” I mean anything from something as simple as turning this portion of this sentence red when you move your mouse over it to interactive games that you can play in your browser.

Your browser and the HTML that was displayed in it became a platform for computer programs.

Then along came email.

HTML email

Email used to be plain text only and much of it still is.

But someone had a bright idea: what if we made email more flexible and gave it all of the richness of HTML formatting? In HTML-formatted email, words can be bold or underlined and we can put pictures in it, and much much more.

Email could be “pretty” and as complex as a magazine page.

And since many email programs simply used the same code as the web browser, email messages could now do things.

Then along came malware.

Malware in email

If email could “do things,” like run small programs within the window in which they were being viewed, it didn’t take long for hackers to exploit this and start writing malware that not only took advantage of that, but also exploited other vulnerabilities that those programs could access.

Vulnerabilities that would allow them to infect your machine with more malware.

Simply because you opened your email and looked at it.

Before it got better, it got worse.

Then, along came Outlook.

The Preview Pane’s Role

I say “Outlook,” but in reality, any email program that offered what we now call a “preview pane” could be vulnerable. Outlook was simply one of the earliest and one of the most popular.

The scary scenario worked like this:

  • You leave your email program open on a view of your inbox with the preview pane showing.
  • You have the “most recent” email selected and its contents are shown in the preview pane.
  • You leave.
  • You get more email. Outlook dutifully keeps the selection at the most recent and updates to select the newly arrived message. [1] As a result, it also updates the contents of the preview pane with the contents of the new message.
  • If the new message contains malware that works by executing Javascript, that script runs and infects your machine.

Your email program “looked” at a message and your machine was infected and you weren’t even there.

Fortunately, that didn’t last long.

Modern email programs and sites don’t do that

Needless to say, that possibility was fixed quickly.

The most dramatic fix is that Javascript and almost all other scripting that might be used to allow an email message to “do something” no longer works. Period. For good or for evil, you can’t put scripting into an email message and expect it to work.

Along the way, the vulnerabilities related to email-based exploits [2] have also been getting fixed – regularly and quickly.

Add to that the fact that images aren’t even displayed by default by most email programs any more (for reasons related to spam, but it also increases your security with respect to malware) and today’s situation is very, very different.

You cannot get infected by just looking

Opening an email is a safe thing to do.

Having your preview pane open is a safe thing to do – even if you’re not around.

Email programs and email services now no longer allow the things that once upon a time made looking at an email risky.

However…

You CAN get infected if…

The one thing missing from the discussion above is: attachments.

The ability to attach an arbitrary file to an email message actually pre-dates HTML formatted email. It remains a convenient way to transfer a file from one place to another.

Unfortunately, the word “arbitrary” is appropriate. Any file can be attached to an email, including programs that would infect your machine with malware.

That’s why one of the admonitions relating to internet safety is to never open an attachment you’re not expecting and that you don’t know is safe.

You can get infected by just looking at the contents of an attachment.
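
To make the distinction concrete, here is an added example (not part of the original article) that inspects a message the way a cautious mail program does: it flags scripting and remote images in the HTML body, and attachments whose file type can run code. The sample message, the function names, and the extension list are all constructed for illustration; the list is an assumption and is not exhaustive.

```python
import os
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample message (not real mail): an HTML body carrying a script,
# an onload handler and a remote image, plus an attachment with a double extension.
SAMPLE = """\
From: sender@example.com
To: you@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="utf-8"

<html><body onload="go()"><p>Hello</p>
<script>go()</script>
<img src="http://tracker.example/pixel.gif">
</body></html>
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

placeholder
--BOUND--
"""

# Assumption: illustrative list of attachment types that can run code when opened.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".docm", ".xlsm"}


class ActiveContentFinder(HTMLParser):
    """Collects the HTML features that modern mail programs refuse to honor."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in ("href", "src") and value.startswith("javascript:"):
                self.findings.append(f"javascript: URL on <{tag}>")
            elif tag == "img" and name == "src" and value.startswith(("http://", "https://")):
                self.findings.append("remote image (not loaded by default)")


def audit(raw):
    """Return active-content findings and attachment verdicts for one message."""
    msg = message_from_string(raw, policy=policy.default)
    report = {"html": [], "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            # Only the last extension decides how the file is opened.
            ext = os.path.splitext(filename.lower())[1]
            report["attachments"].append((filename, ext in RISKY_EXT))
        elif part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            report["html"].extend(finder.findings)
    return report


if __name__ == "__main__":
    print(audit(SAMPLE))
```

The HTML findings are the things a modern mail program simply ignores when it displays the message; the attachment verdict is the part that still depends on what you choose to open.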

Email safety rules

So, let’s review the rules for safe email:

  • Keep your versions of Windows, your browser, and your email program up to date with the latest patches.
  • Run appropriate anti-malware software to help keep your system clean.
  • Keep your anti-malware software up to date and, most importantly, allow it to keep its database of malware information as up to date as possible as well.
  • Never open an attachment unless you expect it, you’re positive you know what it is, and that you trust the sender.
  • Never click on a link in an email message unless you’re positive you know where it’s going and that you trust the sender.
This is an update to an article originally posted April 28, 2004.

Footnotes and references
1: This behavior has also changed over the years and I believe Outlook now no longer changes which message is selected.
2: One example: there were at one point exploits in the software used to display images such that malware could attach itself to maliciously crafted image files. Not only have those exploits been resolved, but most email programs no longer display images from untrusted senders by default.

There are 27 comments:

  1. grimm Reply

    Dear Leo,
    I have today received two virus-bearing e-mails, whose address is nearly the same as a newsgroup I subscribe to. I have blocked it and found the router information. I seem to have the e-mail address here of the person who started the chain of events. What do I do now?

  2. Leo Reply

    In general in these situations I do nothing. Depending on how certain you are about knowing where the virus started, you might contact them and let them know they’re infected, but viruses are so good at mucking up email headers that I no longer trust that information. Best advice: make sure you’re protected, delete the viruses and go on.

  3. Hayder Reply

    okay, 1) so how’s clicking on an url inside an email potentially destructive? Could that single “click” have been disguised as a “run” click which ensuingly activates a script or a virus of some sorts?

    2) Can WORD/EXCEL/PPT files be infected with viruses?

  4. Leo Reply

    1) It’s very easy to make a URL *look* like it’s going to one place, when in fact it’s going somewhere else. Case in point: all the eBay, Paypal and bank “account verification” phishing scams.

    2) Absolutely. They all support a very powerful macro/scripting language that can be used. It’s one of the reasons that current versions of Office applications include various security measures that typically will disable, or at least ask, before opening a document that contains macros.

  5. Aneta Reply

    Leo,
    I have a question related to contracting something just by opening an email. Is it true that you should not use the preview functionality because it opens an email and tells spammers you are a valid recipient?
    Thanks

  6. Ian Reply

    Thought you might find the following a bit amusing even though it is based on fact from my own experience of 25 years in the computer industry.

    Regarding Viruses, when you receive a dire warning of a new Virus on the Internet never send it on to friends in your address book, or click anywhere on it. Write down the name of the so called Virus, then go on the Internet and type in the name of the virus and the word scam. This will tell you if it is just a hoax. If so simply delete the offending email. But if, on the other hand, your Internet search reveals that it is a real threat, then you can warn your friends, NOT by forwarding the Email but creating your own warning Email to send to them.

    Most of the viruses on the Internet are put there by the very people who sell virus programs and Internet security. It is a multi Billion dollar industry and so Virus program companies never want to see it end, only grow larger. Of course there are other idiots who have nothing to do with these companies who put viruses on the Internet just to hurt or be smart.

    Also China currently is training thousands of computer hackers to become adept in corrupting military, government, banks and civilian computers in the West, that is one of the real dangers that might be facing us as we move towards skype or computer communications. Imagine if just in Sydney alone if they shut down the computers that control traffic, airport and banks computers including shopping centres and ATM’s the chaos it would cause.

    Another dangerous place to go with your computer is on the Internet to so called “Crack Sites” these are Websites where at no cost you can download a serial or key number to activate Free a program or game for nothing this is a way many people in the past have freeloaded games and programs.

    Years ago this was relatively safe however over recent years the people and companies who spend money and time developing programs worth Dollars are finding their profits and ideas stolen.

    So to combat this they are submitting serial numbers and small programs called keygens that generate a number or key for their programs that people have downloaded free. However when you open these Number or Keygens it instantly corrupts your computer. So my advice is stay well away from Crack sites.

    Another ploy by some overseas companies is they offer you free “Speed Up” or scanning programs for your computer. Several simply run the so called free scan on your computer, As an experiment a group of computer Techs I know ran a couple of these programs on several computers. At the end of the test strangely they all showed exactly the same faults.

    At the end of the test came the same message. Free scan complete, Our program can fix the faults found and speed up your computer just send us X amount of dollars.

    So after you send them the money and the program is activated (if you are lucky) your computer seems to run a bit faster. What has really happened is the program has placed a slow down robot on your computer. This is stopped for the 12 months of your paid time. Occasionally just to remind you the program will either speak to you or place fancy messages on your screen just to remind you it’s there.

    Towards the end of 12 months the slow down robot cuts in and as you get annoyed with your computers slowness you once again pay your subscription to the speed up con-men. Just the same as renewing your subscription to a Virus program company.

    A thing that you have to realise Alan the normal Virus scanning program on your computer can scan each file or folder for over 200,000 yes that’s two hundred thousand virus signatures in less than one second (No wonder your computer needs a cooling fan on its Brain ‘CPU’).

    However to use a computer without a virus program you can do several things, Install ‘LINUX’ system on your computer, no problems with viruses. It runs fine along with your Windows XP program. So LINUX for Internetting and Windows XP for everything else but never connecting to the Internet.

    Apple Mac computers I believe are faster, run smoother and never have a problem with Viruses.

    The Emails you receive that are passed on Funnies that you get from someone that has also sent these Emails to everyone in their address book unknowing the real possibility nor risk as they do it in good faith not realising the risk to others they care for.

    These corrupt Emails are what they refer to in the trade as Used Condom Emails because they are passed on from and to many people they can carry corruptions and spyware not only to your computer but also to other peoples computers. It is a bit like the AIDS Virus for computers. They are a bit like the old “Chain Letters” in many instances.

    Normally if you say to someone ‘you know those funnies you receive and pass on could carry corruptions’ they can get a bit offended, still it is not said to offend just let people be aware of might be unknowingly happening, and that is the real danger in today’s world of electronic technology.

    The problem with all the Windows operating systems is just like a protective mother they are too over protective and in this very fact leave your computer open to attack. One feature of the windows operating system is a thing called “Remote Access” this allows anyone, anywhere in the world whilst you are on the Internet to log onto your computer. It is as if they are in your home sitting at your computer.

    Normally this system will only work if you give that person or persons electronic permission to access your computer. Best thing is to disable “Remote Access” on your computer, Unfortunately you may need to check it every second day as if a corrupt email or a link from a website may override and activate remote access allowing hackers into your system and stealing personal gear.

    Another thing that you never hear mentioned is about Keyboard Viruses, whilst remotely connected to one of these hackers across the world or a corrupt Internet website, everything you type on your keyboard, Names, Phone numbers, Passwords and login words, numbers or letters also Email Address can be recorded on some hackers computer.

    So the way to avoid this is when typing in private stuff use the Onscreen Keyboard you will find in Programs\Accessories\Accessibility never have to type manually your password Etc. just click on the onscreen keyboard.

    Cheers

  7. Dan Reply

    Wow Ian, I doubt reputable companies use these ploys. Anyway – no matter how you enter text, my understanding is it goes through a keyboard buffer. So if you use a usb keyboard, or onscreen keyboard or automated batch process to enter data, it still puts and pulls the data from the keyboard buffer — that is unless it has changed without me knowing it (which could happen). Those keyboard hacks also pull the data out of the keyboard buffer – so the other data entry routes won’t stop the hackers from reading your keypresses – since they are not actually monitoring the keyboard, but the keyboard buffer built into all computers.

  8. Jabba the Cat Reply

    “Most of the viruses on the Internet are put there by the very people who sell virus programs and Internet security.”

    A comment based in true ignorance…

    Unfortunately many, many people believe this fallacy.

    Leo
    05-Dec-2012

  9. Gabe Reply

    I just confirmed that Outlook 2010’s preview pane no longer shows new emails arriving. I checked the “Inbox” and the “Unread Mail” view. It maintains the selection of the last email you viewed not the one that just arrived. Of course, there may be a way of overriding this but I haven’t looked into it.

  10. Kevin Reply

    Wow as someone said!!!..But I always assume the worst…So what to do??….Being very very careful helps a lot and may be the best at the moment.

  11. Patrick C Reply

    I loved reading the above. It confirms in a nutshell what I regularly tell family and friends re. (e-mail) viruses but which some of them seem not to accept or willing to apply.
    One of the things I keep repeating is along the lines you suggest: “So LINUX for Internetting and Windows XP for everything else but never connecting to the Internet.
    Apple Mac computers I believe are faster, run smoother and never have a problem with Viruses.”
    I have one remark and one question:
    1. About Linux running OK alongside Windows (which is more vulnerable) and keeping both separated with regard to internet access, I’m inclined to agree. But all too many people are so used to Windows… It is as if they are brainwashed and consider Linux to be an unsurmountable obstacle.
    2. However, saying that Macs never have problems with viruses is a very strong statement, so strong that I find it hard to believe… Could you explain why that should be so? Technically I see no way how or why Apple Mac could be totally invulnerable to viruses (or other malware). Each time someone confronts me with that kind of statement, I’m at a loss for a really correct answer. I’ll appreciate your views on this. Kind regards, Patrick.

  12. connie Reply

    @Patrick C,
    Linux and Macs are probably just as vulnerable to viruses. It’s just that the majority of computers are Windows, so hackers and scammers target their energy to those.

    Leo wrote a good article on that: Are Mac’s inherently safer?

  13. Rick Sos Reply

    Yup those attachments can be deadly. A month ago I decided to click on an attachment. Half an hour later I noticed my anti virus had been shut down. Not sure if I had restarted it or not during that period. I did a scan and sure as God made little green apples I was infected. With the virus removed I felt better for about ten minutes then that voice that was telling me not to click on the attachment in the first place said check again.

    I restarted the computer and scanned and sure enough it was back. I removed it with an Avira rescue disk and did an all files scan with MalwareBytes and all was well after that.

    All that time spent scanning was my own fault. I didn’t listen to my inner voice. lol.
    I invited the darn thing into my computer. I didn’t listen to my own advice. Hahaha.
    Now if I’m not sure I just open them with Linux.

  14. johnbots Reply

    As always, a well written, informative article. Thanks

  15. Tom Reply

    For all that’s said and written about malware, viruses et al and the billions that must be being spent on fighting it, I personally wonder just what it is that goes on in the sick little minds that create and dispatch this muck out into the ether.

    It’s not even as if they could get their kicks out of watching the dismay on people’s faces when they realise that their computer is sick. They can only imagine it. Truly weird people.

  16. Mitch MacKay Reply

    Having to copy & paste to send articles is the necessary workaround in lieu of attachments. Recently some reliable contacts’ names and addresses have been hacked and attachments forwarded through those email addresses, which though only spam cause some disruption in email function. That implies some cautionary scrutiny into even known contacts. Attachments are definitely the devil’s playground.

  17. Mark J Reply

    @Tom
    A great deal of virus activity has shifted from the kicks hackers get from creating a virus, to malware that is used for illicit commercial purposes such as stealing credit card and log in information, and spam bots etc.

  18. Jabba the Cat Reply

    The other great myth, again based in ignorance, is that there are no viruses or malware that will run on a Linux platform…

  19. jerry thomas Reply

    Why can’t my ISP filter out malware before it gets to me??…..jt

    Particularly in the case of email, many try. Gmail is a great example. But no solution is 100% secure and your email providers and ISPs face a much larger backlash when they accidentally prevent you from getting something legitimate, so they tend to be conservative.

    Leo
    08-Dec-2012

  20. Vesa Koistinen Reply

    This is an old discussion thread, but I want to tell what happened to me a few years ago: I was fool enough to open an e-mail from an unknown source, and it contained just some code (computer language) plus a brief threatening message in plain English. No attachment or link. But just by opening that message I got a worm infection. I got rid of it by restoring a backup. Hopefully such things do not happen nowadays.

  21. Noel Reply

    Hi-I did read the article, and while I understand that just opening an email will not infect my computer….I opened an email on my phone (I have a basic phone with no internet unless I pay for it (but I think Verizon gives you some ability to open emails/send emails from my phone since I am able to email)—Anyway, the opened email had no content that I could see and since someone has been stalking me (police involved) I am concerned that this person somehow sent me a virus that can track my texts or even listen to my conversations….is this possible or am I being completely paranoid?? Any information on this would be greatly appreciated-thank you.

  22. Peter Reply

    Hi,
    This is old discussion, but read following:
    I received email with attachment fax.zip in my Outlook. I clicked on email to see it. Then I just selected (not double clicked) fax.zip file and Symantec protection alert pop up that it detected Malware infection and deleted fax.zip plus 10 other files (for example: C:\users\Peter\syswow64\wsnpoem\audio.dll)
    My Outlook is set to ask me if I want to preview any files in reading pane. I didn’t double click on zip file in email, just selected it. If I do same with any other file, outlook would ask me: Are you sure you want to preview??
    So, did just selection of the file initiate file execution?
    Thanks

    • Mark Jacobs Reply

      Outlook has safeguards to not initiate execution. If it is executable, it will warn you and ask if you want to execute it anyway.

      • Peter Reply

        I know, but how come Symantec found another 10 files (for example: C:\users\Peter\syswow64\wsnpoem\audio.dll) already at my pc with attached file. As soon as I selected attached file, Symantec alert popup: Found malware Trojan.zbot. and list of deleted files and restart required.

      • LadyQ Reply

        It seems you did not answer the question. If he did not double-click on the link, how could there already be 10 files on the computer? Or – why did Symantec delete files that were NOT part of the e-mail? Thanks. This site has been helpful to me.
