Webmail "safer" than Outlook?

[louise]

I have to access a few mail accounts on a daily basis, one of which
received about 75 spam messages per day. There are times when I
have to open a message and I'm not sure before I open it, whether
it's "real" or not.

In an effort to be careful, I access these two accounts using
webmail rather than my usual email program: Outlook.

However, after reading up on many AV programs, I'm not sure whether
I'd be "safer" having the email come through Outlook and be scanned
by NOD, or "safer" opening the occasional message within the
webmail environment.

Which method leaves my machine somewhat less vulnerable?

Louise

 

[Juergen Nieveler]

However, after reading up on many AV programs, I'm not sure whether
I'd be "safer" having the email come through Outlook and be scanned
by NOD, or "safer" opening the occasional message within the
webmail environment.

Which method leaves my machine somewhat less vulnerable?

Using a webbrowser means being vulnerable to every HTML exploit.

Juergen Nieveler

 

[Beauregard T. Shagnasty]

Using a webbrowser means being vulnerable to every HTML exploit.

Some online webmail programs allow you to read in Plain Text only.
Mine does, so email HTML exploits are a non-issue.

Haven't used Outlook in a long time, but I don't remember that it has
an option to read in plain text. Opening HTML spam, while still
connected to the internet, can/will get you tagged as a valid email
address.

Recommend you access your account at the webmail (in plain text),
delete all spams, and then download what is left.

 

[Colin O'Scopy]

Haven't used Outlook in a long time, but I don't remember that it has
an option to read in plain text.

Depends on version.
2002, 2003 have it.
Can't remember about 2000.

 

[Beauregard T. Shagnasty]

Depends on version. 2002, 2003 have it. Can't remember about 2000.

Thanks. Heh, I have an old O97 version, which I wouldn't use for email
anyway. Personally, I think Outlook is a business application,
suitable for use in a corporate environment, but way overkill for home
use. <g>

 

[optikl]

I have to access a few mail accounts on a daily basis, one of which
received about 75 spam messages per day. There are times when I
have to open a message and I'm not sure before I open it, whether
it's "real" or not.

In an effort to be careful, I access these two accounts using
webmail rather than my usual email program: Outlook.

However, after reading up on many AV programs, I'm not sure whether
I'd be "safer" having the email come through Outlook and be scanned
by NOD, or "safer" opening the occasional message within the
webmail environment.

Which method leaves my machine somewhat less vulnerable?

Louise

Newer versions of Outlook are pretty safe. NOD is also pretty efficient
at detecting malware attachments. As others have suggested Web-mail has
its own vulnerabilities to deal with.

 

[Ian Kenefick]

On Tue, 09 Aug 2005 15:05:51 GMT, "Beauregard T. Shagnasty"

Hi BTS!

Haven't used Outlook in a long time, but I don't remember that it has
an option to read in plain text.

It does. Worth noting also that some antivirus software allows you to
convert html email to rtf or plaintext upon send/receive.

But I guess it is also worth highlighing that HTML vulnerabilities
aren't the only ones out there - remember this MS01-020?

Opening HTML spam, while still
connected to the internet, can/will get you tagged as a valid email
address.

Ugh! Damn those clever spammers

Recommend you access your account at the webmail (in plain text),
delete all spams, and then download what is left.

How about this - if your email server provides pop-access use Mozilla
mail or Thunderbird. This way your attachments will always be a click
away even when you are offline.

 

[Beauregard T. Shagnasty]

On Tue, 09 Aug 2005 15:05:51 GMT, "Beauregard T. Shagnasty"

Hi BTS!

Howdy Ian,

It does. Worth noting also that some antivirus software allows you
to convert html email to rtf or plaintext upon send/receive.

...for those who require a-v software. <g> Not sure if I (personally)
want another program messing with my email.

There's a sign on my door: "HTML Mail Not Welcome Here"

But I guess it is also worth highlighing that HTML vulnerabilities
aren't the only ones out there - remember this MS01-020?

Yeah. IE 5.0, 5.5.

Ugh! Damn those clever spammers

Spammers are stupid .. but .. spammers are smart.

 

[louise]

Newer versions of Outlook are pretty safe. NOD is also pretty efficient
at detecting malware attachments. As others have suggested Web-mail has
its own vulnerabilities to deal with.

I phoned both ISPs - one does nothing about virus checking webmail
and the other blocks exe files and that's pretty much it.

For the moment I've made users for both accounts in Outlook. I'm
running NOD.

I do need to use Outlook as I run a small business. I use it as a
PIM and it synchs with my Palm, etc. I know I'm in the minority,
but aside from its security vulnerabilities, I actually like the
program

Louise

 

[Ian Kenefick]

I phoned both ISPs - one does nothing about virus checking webmail
and the other blocks exe files and that's pretty much it.

One is half interested in Security - the other isn't interested at
all.

I do need to use Outlook as I run a small business. I use it as a
PIM and it synchs with my Palm, etc. I know I'm in the minority,
but aside from its security vulnerabilities, I actually like the
program

Just keep it updated and set EMON to 'convert email body to plain
text' and you should be even safer. Outlook looks nice but as was
mentioned previously is OVERkill for most home users. Perfect for your
application though - palm synching and all that caper.

I personally love The Bat! and Eudora. I use both!

 

[Juergen Nieveler]

Haven't used Outlook in a long time, but I don't remember that it has
an option to read in plain text. Opening HTML spam, while still
connected to the internet, can/will get you tagged as a valid email
address.

That's why I prefer to use Thunderbird

Juergen Nieveler

 

[Colin O'Scopy]

Thanks. Heh, I have an old O97 version, which I wouldn't use for email
anyway. Personally, I think Outlook is a business application,
suitable for use in a corporate environment, but way overkill for home
use. <g>

Yes, we use it as a front end to a system that integrates mail
and group calendaring. Making this work required everybody to
go to the 2003 version, or use a web interface which, like
every webmail inteface I've ever seen, sucks. Happily this
means I can no longer get my work email from home - well, I
could, but not without a lot of messing about which I don't
care to get into.

 

[Shannon]

Haven't used Outlook in a long time, but I don't remember that it has
an option to read in plain text. Opening HTML spam, while still
connected to the internet, can/will get you tagged as a valid email
address.

It does? I can understand that replying to an spammer's email will tag
you as a vaild email address, but how does opening or reading (or even
just viewing in the preview pane) tag you?

I understand that to display html, you have to give away your IP, but
your email address?

Can you explain?

Shannon

 

[Juergen Nieveler]

It does? I can understand that replying to an spammer's email will
tag you as a vaild email address, but how does opening or reading (or
even just viewing in the preview pane) tag you?

I understand that to display html, you have to give away your IP, but
your email address?

Easy: In the HTML body are links to pictures that are loaded from a
spammers' webserver when you display the mail.

The link to the picture will contain a reference to the email address
used in the mail (sometimes coded, sometimes even in plain text) - so
the spammer just needs to check the logfile of his webserver to see
which of the millions of spams actually was viewed.

Juergen Nieveler

 

[danny burstein]

The link to the picture will contain a reference to the email address
used in the mail (sometimes coded, sometimes even in plain text) - so
the spammer just needs to check the logfile of his webserver to see
which of the millions of spams actually was viewed.

But.. for the most part, do spammers evenbother with this anymore?

The "cost" of sending 100,000 or 100,000,000 spams is
so minimal that even if only 5% of them are valid
e-mail addresses, it's probably cheaper to just crank
them all out rather than pre-screen.

 

[Juergen Nieveler]

But.. for the most part, do spammers evenbother with this anymore?

The "cost" of sending 100,000 or 100,000,000 spams is
so minimal that even if only 5% of them are valid
e-mail addresses, it's probably cheaper to just crank
them all out rather than pre-screen.

Depends. There's still people out there who try to flog their "verified
email accounts"-lists - such lists are sold at much higher prices than
normal lists.

Juergen Nieveler

 

[Beauregard T. Shagnasty]

It does? I can understand that replying to an spammer's email will tag
you as a vaild email address, but how does opening or reading (or even
just viewing in the preview pane) tag you?

As the others answered, your personalized parameters in the spam
identify you to the spammer, as long as you are still connected when
you open it. Even if you view it in the Preview pane (which is the
same as opening it). The name "web bug" was given to this practice.

I understand that to display html, you have to give away your IP, but
your email address?

The spammer's web site logs will show your IP, and if the web bug
contains your email address, his script will capture that. Many of
them encrypt your identity, but it is a simple matter for his database
to compare and see who you are.

Can you explain?

Read the source of the HTML messages ... especially those addressed
individually to you. Look for your email address, or long strings of
seemingly random characters hung onto a URL.

 

[Tore Lund]

As the others answered, your personalized parameters in the spam
identify you to the spammer, as long as you are still connected when
you open it. Even if you view it in the Preview pane (which is the
same as opening it). The name "web bug" was given to this practice.

....unless you use a mail reader where the loading of embedded remote
images can be blocked (e.g. Mozilla / Tbird).

 

[Beauregard T. Shagnasty]

...unless you use a mail reader where the loading of embedded
remote images can be blocked (e.g. Mozilla / Tbird).

Of course! This also usually defeats the spammer's message. <g> But
the subject line of this thread is about Outlook.

 

[Sla#s]

Read the source of the HTML messages ... especially those addressed
individually to you. Look for your email address, or long strings of
seemingly random characters hung onto a URL.

Have a look here to encode your address and see if the result is in any
spam.
http://howardk.moonfall.com/encemail.html
It also has a decoder.

Slatts