Stay safe while using e-mail

These days, your PC is more likely to catch a virus off a bad Web site than from an e-mail message, but that's no reason to lower your guard.

Dennis O'Reilly Former CNET contributor
Dennis O'Reilly began writing about workplace technology as an editor for Ziff-Davis' Computer Select, back when CDs were new-fangled, and IBM's PC XT was wowing the crowds at Comdex. He spent more than seven years running PC World's award-winning Here's How section, beginning in 2000. O'Reilly has written about everything from web search to PC security to Microsoft Excel customizations. Along with designing, building, and managing several different web sites, Dennis created the Travel Reference Library, a database of travel guidebook reviews that was converted to the web in 1996 and operated through 2000.
Dennis O'Reilly
3 min read
The third of my three updates to the story I wrote back in 2005 covers steps seven through 10, which deal with e-mail safety. (Last week, I refreshed steps one, two, and three, which address Windows security, and steps four, five, and six that cover safe browsing.)

Three years ago, e-mail was the source of most PC virus infections, but that's no longer the case. Now you're more likely to catch a piece of malware from a Web site, whether by downloading a file or simply by opening a booby-trapped page.

Does this mean you may now open e-mail messages and attachments without a second thought? Uh-uh.

The first of the four e-mail security tips in the original story warns against clicking links embedded in messages. That prohibition still applies. It's easy to spoof a link so that it looks like it leads somewhere other than its real destination. As the tip recommended, it's much safer to enter the URL in your browser's address bar manually, or to find your way to the page using the site's own navigation or search function.

Likewise, the advice in the eighth security step to scan attachments for viruses before opening them is as valid today as it was three years ago. Nearly every antivirus program and security suite scans all incoming e-mail and file attachments by default.

Some people will tell you that your e-mail client's preview pane--the topic of security tip number nine--poses no risk because it's much more difficult for malware to attack your PC simply by viewing a message. Even if this were the case, I would still close the preview pane in my e-mail program for privacy's sake.

The original article describes how to close the preview pane in Outlook Express, Outlook 2003, and Mozilla Thunderbird. The steps for doing so in Outlook 2007 are the same as in Outlook 2003.

I'm a big fan of viewing e-mail in plain text, the subject of the last of the 10 security steps. Using plain text is not just a way to block viruses transported via HTML mail. Plain-text messages may not always look so spiffy, but the files open fast.

I described how to set Outlook 2003 and 2007 to send and receive e-mail as plain text in a post from last month. To set Thunderbird to view incoming mail as plain text, click View > Message Body As > Plain Text.

Mozilla Thunderbird option to view messages as plain text
Set Thunderbird to view incoming messages as plain text via the View menu. Mozilla Foundation

To send mail as plain text in Thunderbird, click Tools > Account Settings, choose Composition & Addressing in the left pane, uncheck "Compose messages in HTML format," and click OK.

Mozilla Thunderbird's Account Settings dialog box
Send mail in plain text by changing this setting in Thunderbird's Account Settings dialog box. Mozilla Foundation

A final note on security software and wireless encryption
Two sidebars to the original 10-Step Security list the top security programs in various categories and recommend use of Wi-Fi Protected Access (WPA) to protect wireless networks.

Rather than using different programs for virus protection, spyware blocking, and other malware defenses, I prefer the suite approach. Using a combo security program reduces the chance of software conflicts, and if something goes wrong, you have only one vendor to deal with, for better or worse.

WPA provides sufficient protection for most home and small-office wireless networks, though you'll be safer if you upgrade to WPA2, if your network's router and other equipment support the later security standard. Using the older WEP security protocol is no longer sufficient because WEP is relatively easy to crack.

One last security-update note: the Mozilla Foundation recently acknowledged security breaches in the Firefox browser, Thunderbird e-mail client, and SeaMonkey Web suite. A security bulletin released last week instructs users to disable JavaScript until you're able to update to these versions:

• Firefox 3.0.5
• Firefox
• Thunderbird
• SeaMonkey 1.1.14

As of the evening of December 21, 2008, I could update to Firefox 3.0.5 and SeaMonkey 1.1.14, but not to Thunderbird ( is available). To update Firefox and Thunderbird, click Help > Check for Updates. Visit the SeaMonkey Downloads & Releases page to update that program.