Outlook 2000 SP3 - Open mail vs. Execute attachment

[SJC]

There has been so much hype about email worms/ viruses but I still don't
understand everything I'd like to.

When an email arrives in my Inbox, it will display in the preview pane as
soon as I single click in the message header in the Header pane.
My question is:
Is that equivalent to opening the mail message and therefore launching
whatever script/ executable is embedded in the body of the email?

I'm concerned because any HTML type messages will instantly begin to render
simply by single click and preview. Given concerns about HTML based
spyware, worms, etc. I'm thinking there's a problem with even allowing the
stupid thing into my Inbox.

Attachments don't seem to me to be a real problem since they show up as a
separate file requiring me to save/ execute them expressly, which I'm
certainly not going to do from any untrusted source.

If someone more knowledgable than I could please clarify what really happens
with HTML, preview function, file attachments, etc. I'm sure many would
appreciate it.
TIA
Steve C.

 

[Lanwench [MVP - Exchange]]

There has been so much hype about email worms/ viruses but I still
don't understand everything I'd like to.

When an email arrives in my Inbox, it will display in the preview
pane as soon as I single click in the message header in the Header
pane. My question is:
Is that equivalent to opening the mail message and therefore launching
whatever script/ executable is embedded in the body of the email?

If it's an HTML message, even opening it in the preview pane is akin to
opening it and can send info back to the sender if there's a script, etc -
or virus (but you do have good AV software running that can scan mail,
right, and you keep it updated regularly?)

I'm concerned because any HTML type messages will instantly begin to
render simply by single click and preview. Given concerns about HTML
based spyware, worms, etc. I'm thinking there's a problem with even
allowing the stupid thing into my Inbox.

OL2003 allows you to prohibit download of images, etc., in HTML messages
....prior versions don't.

Attachments don't seem to me to be a real problem since they show up
as a separate file requiring me to save/ execute them expressly,
which I'm certainly not going to do from any untrusted source.

Yep - and even if it's from your best college buddy Joe Blow, don't open it
unless you were expecting it. Many viruses spoof the sender.

 

[SJC]

If it's an HTML message, even opening it in the preview pane is akin to
opening it and can send info back to the sender if there's a script, etc -
or virus (but you do have good AV software running that can scan mail,
right, and you keep it updated regularly?)

Well, THAT sux.

OL2003 allows you to prohibit download of images, etc., in HTML

messages... prior versions don't.

Soooo all this time Outlook has had this GAPING HOLE in it? Only now, in
Outlook 2003 is there a provision to prevent HTML scripts, etc.?

But I thought the Tools | Options | Security tab in Outlook 2000 (and
earlier?), under Zone Settings allowed configuring of provisions to restrict
that sort of thing. I currently have "Restricted Sites" set as my Security
Zone and it is configured to Disable or Prompt for everything! I'm
presuming that applies to incoming messages. The configuration for this
item also allows me to add specific sites to the list. What's NOT clear is
what internet sites have to do with how incoming messages are treated. I'm
again presuming that this Security feature is utilized for IE as well as
Outlook (including Outlook Express) and the specific items apply as needed.

As far as AV software, well that's our systems department responsibility.
SpamAssassin is currently being implemented and configured, but in the
meantime...

Thanks for the help.

Steve C.