Category Archives: Email

Text-only email: boring but safe

In the late 1990s and early 2000s, when formatted email first became widely-used, displaying formatted email was dangerous, because vulnerabilities in Windows allowed specially-crafted email to execute code on the recipient’s machine. Merely previewing formatted email was risky.

Windows updates and email client changes reduced the effectiveness of malware embedded in the content of email, although clickable links and attachments were still — and continue to be — dangerous.

These days, the dangers of enabling formatted text and images in email are mostly about privacy. A significant portion of all email — especially email sent through mass messaging services like Mailchimp — contains tiny images that, when viewed in an email client, tell the sender when you viewed it. This information is used by the sender to determine the effectiveness of their email campaign. It’s not dangerous, but it is creepy. Of course, not all embedded images are there for marketing reasons; some have more nefarious purposes.

The dangers of email can be almost eliminated by configuring your client software to display email in plain text (without any formatting), and without images. Better still, for those concerned about having their actions tracked online, using text-only email prevents any image-based tracking that would otherwise occur when you open your email.

Most desktop email client software has options that force all email to be viewed in a plain text format. Web-based clients are less likely to offer this option, but some, including GMail, can at least be configured not to display images.

I have always recommended the use of text-only email, and I follow my own advice. Email is still the easiest way for malicious persons to induce unwary users into taking actions that should be avoided. As long as that’s true, the only truly safe way to use email is to disable formatting and images. This also makes email less engaging, but I’m willing to forego fancy-looking email for safety and privacy.

References

Google improves GMail security

I’ve tried other search services, but I always end up back at Google, because the search results are consistently better. Google does collect information about its users, and uses that information to target advertising. Google also looks at the content of GMail messages for the same reason. If that bothers you, there are ways to prevent it, or you can stop using Google’s products and services.

That said, in all my years of using Google’s services, I’ve never encountered anything that made me want to stop using them. Google does occasionally annoy me by dropping services like Reader, and Google’s advertising is ridiculously overpriced, but on balance the company provides far more benefit than any potential harm.

For example, Google spends enormous amounts of time and resources on making the web safer for everyone. Much of that effort goes unheralded, but occasionally we catch glimpses in the form of blog posts, like this one, describing recent improvements to GMail security. Compare that with Yahoo’s recent track record, which clearly shows that user security and privacy are not a priority at that company.

BEWARE this nasty, effective, GMail-based phishing attack

By now you should be aware that indiscriminately clicking on anything in an email can be dangerous. Even if you know the sender, and the email looks totally mundane, you’re taking a risk any time you do it.

Recently, a particular kind of phishing email is showing up in inboxes everywhere. These emails look completely ordinary at first glance, and they contain what appears to be an attachment.

When you click the ‘attachment’ to open it, your browser is directed to a phony Google login screen. This in itself may not raise any alarms, since Google — in an effort to improve security — often throws extra login screens at us.

Unfortunately, if you fill in your Google username/email and password, that information goes straight to the perpetrators. Almost immediately after that, your password will be changed and you will have lost control of your Google account. If you’re like most people, you use your Google account for numerous Google sites and services, including Google Drive, Analytics, AdWords, and so on. The potential for damage is extreme.

The goods news is that you can avoid being victimized by this attack by doing something you should already be doing: before you click anything in an email, hover your mouse over the link or ‘attachment’. Most useful web browsers and email applications will show you some information about the item, either in a popup or in the status area at the bottom of the app. What you see should provide all the clues you need. If it’s an attachment, it should show you the file name. If it’s a URL, it should show you an ordinary web address that starts with ‘http://’ or ‘https://’.

Hovering over the fake attachment in these phishing emails shows what looks sort of  like a URL, but starts with ‘data:text/html’. No valid URL will ever look like that.

This blogger wasn’t careful. He clicked the ‘attachment’, then entered his Google username and password on the fake login page. Luckily for him, the ‘login’ failed, which alerted him to the situation. He immediately changed his Google password, and appears to have dodged that bullet.

The Wordfence blog has additional details.

The perils of using free services

RIP TweetDeck

Twitter is pulling the plug on the Windows version of its popular TweetDeck application, pushing users to switch to the web-based version. Although they claim otherwise, the reason is simple: web applications are easier to monetize.

Twitter purchased TweetDeck in 2011 because users found its interface much more useful than the Twitter web interface, and were switching in large numbers. This translated into a loss of advertising revenue for Twitter. There were immediate predictions that Twitter would kill off TweetDeck, and that’s finally happening.

For some users, switching to the web-based TweetDeck will not be a problem. The two interfaces are virtually identical. But having a compact, separate application has several advantages: I can configure it to start automatically with my computer; I can leave it running all the time without hurting my computer’s performance; and it’s not – like all web-based apps – inherently fragile. So I’m looking at alternatives. If I find one I like, I’ll post about it.

Mandrill email no longer free

If you use Mandrill’s email service, you should start looking for an alternative. Unless you think $20 per month seems like good value to send a few emails.

I originally started using Mandrill because my Internet Service Provider’s email service was increasingly less willing to process email from domains I host, including boot13.com. If you don’t host your own domains, and you don’t send large quantities of email, you’re unlikely to ever need a ‘transactional email’ service like Mandrill.

Luckily, there are plenty of alternatives to Mandrill. Right now I’m evaluating MailGun, which is free for up to 10,000 emails per month, and supports DKIM and SPF, technologies that help to identify legitimate senders and reduce spam.