Foo - Email question

we all know not to open email attachments from senders we dont know, but can anything bad happen just from opening a email without attachments? My wife just opened an email up without thinking and now she is in a panic. The text said "thanks for that, bye". I tried to reassure her that there was no attachment on this email and since she was running linux from a live CD nothing should be able to touch the hard drive anyway. How else can I assure her everything is ok? Anybody got any comments or email horror stories they want to share?

Hopefully email systems are smart enough to prevent it now, but at one time even that could be dangerous because the email could be in HTML format and have some script embedded in the HTML. I know Outlook used to have a setting 'do not run scripts on HTML email' or something like that.

If you are running anti-virus software and anti-spyware software and have a good firewall installed, updated and properly setup you'll have some protection against those bad guys out there. That and vigilance on you and your wife's part are the best ways to counteract malware of any sort!

She's fine. Plain text can't do anything. There could have been an invisible picture embedded in the email via HTML, which can be used by clever spammers to determine which email addresses are active, but that won't directly compromise your security.

Every now and then, some social reject figures out how to make an exploit that embeds a virus in a picture, but as far as I know, there's no unpatched exploits at the moment, especially not for linux.

As far as horror stories go: One of those jpeg-based exploits was discovered about two months ago in Internet Explorer. I just happened to need to use IE the day it was announced to visit a website that didn't support Firefox, and I hadn't gotten the news about the exploit. Since I already had IE up, I also used it to search for some random info that led me to a somewhat sketch site. I'm guessing an ad on that site was where the infection came from. I was only vulnerable for a couple of hours before I read the news and patched it, and I just happened to use the vulnerable program during that window. I've had the computer for about two years, and that was the first problem I'd had, even though most of the time I didn't even use anti-virus software.

I forget exactly what I got, but it was a pretty deep one. It did browser redirects (my first clue of the problem), key logging, pop-ups, and self-replication. I Ended up having to turn off system restore and run scans in safe mode to get rid of it. AVG got part of it, and Malwarebytes finished it off. Whatever it was, it was one of the better written bugs out there, even though it wasn't as prevalent as the big worms like Sasser and Blaster.

Hell, if she was running a live linux cd, she could have opened a virus and it wouldn't have done anything!

Yeah, if you're running outlook, then maybe an exploit in html or a macro in a doc file, but not plain text.

we all know not to open email attachments from senders we dont know, but can anything bad happen just from opening a email without attachments? My wife just opened an email up without thinking and now she is in a panic. The text said "thanks for that, bye". I tried to reassure her that there was no attachment on this email and since she was running linux from a live CD nothing should be able to touch the hard drive anyway. How else can I assure her everything is ok? Anybody got any comments or email horror stories they want to share?

Technically, emails that have malicious images embedded in them can trigger an attack, but a lot of the flaws regarding these have been addressed. Additionally, images do not load by default on most mail clients. Some mails can take advantage of vulnerabilities in certain email programs like Outlook, Outlook Express (most common) and Mozilla Thunderbird by crafting them very specially. These aren't that common, though, and spam/virus filters pick these up very effectively either at the server level or at your computer (provided you have proper protection). Plain text eliminates many of the common attack vectors, but I believe message headers can also take advantage of vulnerabilities in Outlook Express if altered properly. I think there was an exploit patched just recently that affected Exchange mailboxes, where an email with special text could make the system vulnerable to attack.

The latter won't affect you, since you're on Linux and these vulnerabilities are specific to Windows. There are very few Linux trojans out there, but they aren't spread via email (or at least very commonly) and most of them are relatively harmless.

Email went downhill once it was *******ized with HTML.

Viva text.

email went downhill once it was *******ized with html.

Viva text.

+10000000000

and since she was running linux from a live CD nothing should be able to touch the hard drive anyway.
I missed this part before. No worries if she was running linux on a live cd.